Steam user database compromised


Comments

  • edited November 2011
    My password is a long random string of characters, unique to the Steam service. An attacker wouldn't be able to brute force it even if they were using MD5 with no salts. And even if they did, all they'd get access to is my Steam account, not any other accounts.

    I also gave Steam a unique email address, which I've never used anywhere else, so if I start to get spam on it, I can just drop it and use a new one.

    More people really should start using these basic precautions.
  • PirateNinjaPirateNinja Icrontian
    edited November 2011
    I've NEVER had this problem with Origin.
  • KwitkoKwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited November 2011
    trollolol?
  • ChoochChooch K-Pop authority™, Pho King Madison Heights, MI Icrontian
    edited November 2011
    I heard GLaDOS did it.
  • LincLinc Owner Detroit Icrontian
    edited November 2011
    I wonder if they're ready to switch to Vanilla.

    Too soon? :D
  • edited November 2011
    "While there is no evidence that passwords and credit card information have been compromised, with the state of encryption cracking, it should only be a matter of time (and horsepower)."

    What a terribly uninformed statement. Assuming they did the obvious thing and encrypted the information in AES-256, it's not a matter of time or horsepower, it's a matter of ridiculous improbability with respect to the availability of energy. Any viable attacks on AES will not lower its complexity anywhere close to enough. http://www.schneier.com/blog/archives/2009/09/the_doghouse_cr.html
  • ThraxThrax 🐌 Austin, TX Icrontian
    edited November 2011
    martin wrote:
    Assuming they did the obvious thing

    It's almost like you haven't read any of the news the last two years where companies did the exact opposite with millions of credit card numbers. Let's start with Sony PSN and work our way backwards, shall we?
  • CantiCanti =/= smalltime http://www.youtube.com/watch?v=y9K18CGEeiI&feature=related Icrontian
    edited November 2011
    Reading all this makes me feel like the hacker has gained a billion keys to try on one lock and Valve has suggested changing the lock on the very off chance they use the right key. Because of this many of you are discrediting the suggestion simply because of how unlikely it is they find the right key.
  • primesuspectprimesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited November 2011
    I stand by my statement: A determined enough hacker (or group, or organized crime organization) can, given enough time, crack encryption. Change your passwords.
  • Cliff_ForsterCliff_Forster Icrontian
    edited November 2011
    primesuspect wrote:
    I stand by my statement: A determined enough hacker (or group, or organized crime organization) can, given enough time, crack encryption. Change your passwords.

    ^^^This^^^
  • ardichokeardichoke Icrontian
    edited November 2011
    primesuspect wrote:
    I stand by my statement: A determined enough hacker (or group, or organized crime organization) can, given enough time, crack encryption. Change your passwords.

    The real problem with this statement, however, is that the two things are unrelated. The encryption most other people are talking about cracking is the encryption used on the credit card numbers. Changing your password won't help that.

    Yes, you should change your password because passwords can be brute forced, though it is more difficult as Valve was hashing and salting the passwords (as they should be).

    No, a determined enough hacker (or group or organized crime organization) does not have the ability to crack passable modern encryption, provided that Valve was using such methods (as they have claimed). Still, you should keep an eye on your credit card account just in case, but then again you should be doing that anyway.

    The two things are completely unrelated though.
  • Cliff_ForsterCliff_Forster Icrontian
    edited November 2011
    Two suggestions for online shopping.

    I'd recommend using a major credit card if you can vs. your check card. By the time it's due, you sign an affidavit if something stinks, and it never impacts you.

    Also, register that card to PayPal and use PayPal for everything you pay for online. It gets your card onto a single server vs. every vendor you use to minimize risk.
  • NiGHTSNiGHTS San Diego Icrontian
    edited November 2011
    Larger banks like Bank of America offer safeshop alternatives to create credit card numbers with spending limits on them that stay active for a period of time you are able to set.

    For instance, you could theoretically set up a Steam credit card with a $100 limit, an Amazon card with a $200 limit, and a third card with a $50 limit.

    It's a pretty neat way of keeping your daily credit cards safe without exposure to the world wide wibbles.
  • edited November 2011
    primesuspect, you are again conflating the issues here. Given enough time, a person can probably crack a hash. This means your password may be exposed. Cryptographic hashes are NOT what is meant by "encryption", so please stop applying the term that way -- encryption is only applicable to reversible methods (i.e., something that can be decrypted if you have the keys).

    They cannot crack standard encryption standards via brute force. They could not do it if they had all the commodity computers in the world. It takes specially-designed chipsets that are extremely expensive to crack this kind of encryption. The government probably has some, but these are not foolproof; they can only crack keys of insufficient length and they can only do this if they decide you're a "national security" level interest.

    The only way the hackers will get that credit card data is if they also got the secret keys, which is not impossible considering that Steam reversed the encryption automatically when you wanted to buy something. But they cannot brute force it given any amount of computing power if it was encrypted properly.
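The password-hash side of the distinction argued in the comments above (salted one-way hashes versus reversible encryption), as an added example that is not part of any poster's comment and not Valve's code. PBKDF2 and the iteration count are assumptions, since the thread does not say which algorithm Valve used; the usernames, passwords and wordlist are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # assumed, kept low so the demo runs quickly


def hash_password(password, salt=None):
    """Return (salt, digest). There is no key and no inverse operation."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Check a login by recomputing the hash with the stored salt."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def audit(records, wordlist):
    """Password audit over stored (salt, digest) records.

    Because every account has its own salt, each guess must be recomputed
    per account; one precomputed table cannot cover the whole database.
    Returns {user: matched_guess} for accounts whose password is in wordlist.
    """
    exposed = {}
    for user, (salt, digest) in records.items():
        for guess in wordlist:
            if verify(guess, salt, digest):
                exposed[user] = guess
                break
    return exposed


# Constructed sample database: two users share a common password,
# one uses a long random string unique to this service.
RECORDS = {
    "alice": hash_password("letmein"),
    "bob": hash_password("letmein"),
    "carol": hash_password("q7#Vt2!mZr9@xLp4&Wc8"),
}
WORDLIST = ["password", "123456", "letmein", "steam2011"]

if __name__ == "__main__":
    print("same password, different stored hashes:",
          RECORDS["alice"][1] != RECORDS["bob"][1])
    print("accounts matched by the wordlist:", audit(RECORDS, WORDLIST))
```

The common password is matched for both accounts despite the salts, while the long random one is not, which is why changing a guessable password after a hash leak matters and why that step does nothing for separately encrypted card data.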
  • PirateNinjaPirateNinja Icrontian
    edited November 2011
    Oh please Jeff guest, nobody is arguing the Von Neumann-Landauer limit. Prime didn't say they could get at it with brute force.
    He is only offering sound advice based on the ONLY fact that we know, which is that nobody here knows exactly what happened or exactly how Valve's systems were set up. Sometimes you don't need to hack encryption to get around it.

    Changing your password is a good idea, arguing on the Internet isn't. I did both today, so I guess I'm not credible.

    And yes Kwitko, trololol.
  • edited November 2011
    Oh god not again. All of my accounts have been getting this kind of thing happening to them (Combat Arms, Xbox, YouTube and more). Thanks for posting this though Prime!
  • edited November 2011
    And this happened 5 days before I joined Steam (guess why =P) so I consider myself lucky XD
  • JokkeJokke Bergen, Norway Icrontian
    edited November 2011
    Well, somehow my bank knows about this, and has blocked my card as a precaution. Too bad the waiting time for a new one is two weeks, meaning two weeks without any access to any of my accounts. Time to whip out the emergency card.