Steam Hacked


Post by Wonko the Sane on Thu Nov 10, 2011 11:47 pm

Heads up, folks, looks like Steam has been hacked. They're still trying to figure out what was stolen, but at this point:

"This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked."

We should know soon exactly what was taken and how bad the breach was. Thankfully they encrypt at least some of the information (credit cards), unlike some other companies, but if they're using weak encryption then it's only a matter of time before the hackers crack it.

Change your passwords and keep a close eye on your credit cards for the next six months or so.


Re: Steam Hacked

Post by Trey on Fri Nov 11, 2011 12:17 am

Someone really wanted early access to Skyrim, it seems.


Re: Steam Hacked

Post by Wonko the Sane on Fri Nov 11, 2011 12:21 am

Update:

So far, according to at least one security company, if you were using a strong password and Steam's encryption was up to spec, then you'd be fine. The odds of them being able to crack it would be minimal. But, like I said before, if Steam was using weak encryption then everyone is screwed. I'd still change your password and change it on any other site you use it for. A strong password is long (at least 10 characters), and uses capitals, numbers, and symbols, not just all lowercase letters.

I'd like to take this opportunity to stress the importance of using different passwords for each and every site you log into, unless it's inconsequential like a site you never use that has no personal information whatsoever, or a spam email account.

To keep track of all this, I use a program called 1Password which encrypts a database of passwords using government level encryption, and stores it on my Dropbox account so I can access it on all of my computers and my iPhone and iPad. So I always have my passwords easily accessible, which is very important if you use different passwords for everything 'cause you're never going to remember them.

Before 1Password, when I only needed to access my passwords on my one desktop, I used a free program called Oubliette. As long as you use the blowfish encryption algorithm when setting it up, it's also an extremely secure way of storing your passwords. And did I mention it's free? Windows only, unfortunately: http://www.tranglos.com/free/oubliette.html

I strongly recommend one of these programs to help you switch over to using different passwords for every site. They'll even auto-generate an incredibly strong random password for you if you want.


Edit: This is only another example of how insecure these kinds of sites really are. If these hackers really wanted to, they can go after the banks just as easily as they've hacked Sony and Steam. We're going to be seeing more and more of this, so using separate passwords will help contain the damage when you get hacked.


Re: Steam Hacked

Post by Loki on Fri Nov 11, 2011 1:06 am

All the passwords they have stored are apparently well encrypted and salted so a strong password is so so unlikely to be cracked. Kinda sucks that this happened but it just shows that:

1, people really have no life and get off on ruining everyone else's.
2, the internet as a whole needs one hell of an upgrade.

Additionally, they're only forcing a password change on their forums at this time so I have a feeling that Steam accounts are fine (unless people are stupid enough to use the same password for the forum.) I'm hearing a lot of flames directed at Valve for being insecure but these are the same people that complained about Steam Guard, the fools.

Re: Steam Hacked

Post by Wonko the Sane on Fri Nov 11, 2011 5:14 am

Personally, I'd feel better knowing exactly what encryption algorithm and key length they use to secure the credit card info. Otherwise I just have their word for it that it's safe. But one person's "safe" is another person's "that encryption algorithm was breached 20 years ago, how the f@#$%! can you call that safe?!"

Example: Up until very recently, both Windows and Macs used the Triple DES algorithm to encrypt home folders. The DES algorithm was published in 1977, used by the US government, and breached in the late 80's rendering it completely ineffective. So what does everybody do? Well let's just encrypt data three times using the same faulty algorithm, that'll solve the problem, right? Thus, Triple DES was born. Idiots. If it takes no time at all to crack DES using a modern computer, surely three times no time at all will provide the ultimate security!!

Why you should care: Every time you swipe your credit card or write a check, that data is encrypted and sent off using the Triple DES algorithm. Yes, they're still using it over two decades after the algorithm was proven ineffective.

Just because they say it's encrypted doesn't mean it's secure.


Re: Steam Hacked

Post by blivvy on Fri Nov 11, 2011 6:00 am

That sucks. At least I don't have any cc info stored on my Steam account. But since PSN got hacked a few months back, I've changed all my passwords and made sure to use a dif pass for each site/app.

ducking piece of feces pile, which is what I am, hackers lol.


Re: Steam Hacked

Post by Wonko the Sane on Fri Nov 11, 2011 4:08 pm

So far, I'm not seeing any information whatsoever about what kind of encryption Steam uses for storing credit card info. This makes me a bit worried, because if it was something modern and strong there'd be no reason for them not to tell us how safe our data is.

As far as passwords go, they aren't releasing any information on what hash they use either. The general consensus on the web seems to be that it's either MD5 or SHA1 combined with a salt, and this means that your passwords will eventually be cracked. A simple hash does not encryption make. It will make it more difficult for a hacker to crack the hash, but it's not impossible. It's a bit like a bike lock. All they need is the proper tools to cut the cable and they can still have your bike in a reasonable amount of time. Modern computers have enough horsepower that hashes like that can typically be cracked in days or sometimes hours. Throw in the power of distributed computing into the mix and you're better off just changing your password.

The most likely reason why they're only making people change forum passwords is because their forum probably doesn't even hash passwords, meaning the hackers don't even have to do any work to get into your account.

Far as the real encryption for credit cards goes... we won't know how easily that can be broken until we find out which algorithm they're using. Something like 3DES is horribly insecure. Hopefully they're using something more modern like AES.

Basically, what's going to happen from this point is the hackers who stole the database aren't going to do anything with it for a few months. They'll sit on the data and decrypt as much as possible, then auction off the resulting usernames/passwords/credit cards to the highest bidder. Whoever buys that data will then use it for whatever plan they have to steal your money. That's typically how these things go down.

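What the salt does and does not buy, as an added example that is not part of the original thread: per-user salts make identical passwords hash differently, but a single fast hash still costs almost nothing per guess, whereas a deliberately slow key-derivation function raises that cost. The single-round SHA-1 scheme is the thread's speculation, not a confirmed Valve design, and the iteration count and sample password are illustrative assumptions.

```python
import hashlib
import hmac
import os
import time

# Assumption: illustrative work factor, not a value from the thread or from Valve.
PBKDF2_ITERATIONS = 200_000


def hash_fast(password: str, salt: bytes) -> bytes:
    """One round of salted SHA-1, the kind of scheme the post speculates about."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def hash_slow(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: the same salted idea, deliberately repeated many times."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def new_record(password: str, hasher) -> tuple:
    """Create a (salt, digest) record with a fresh random per-user salt."""
    salt = os.urandom(16)
    return salt, hasher(password, salt)


def verify(password: str, record: tuple, hasher) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(hasher(password, salt), digest)


def seconds_per_guess(hasher, rounds: int) -> float:
    """Average wall-clock cost of checking one candidate password."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(rounds):
        hasher(f"candidate-{i}", salt)
    return (time.perf_counter() - start) / rounds


def slowdown_factor() -> float:
    """How many times more expensive each guess is under the slow scheme."""
    return seconds_per_guess(hash_slow, 3) / seconds_per_guess(hash_fast, 20_000)


if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    a = new_record(pw, hash_fast)
    b = new_record(pw, hash_fast)
    print("same password, different salts, same digest?", a[1] == b[1])
    print("fast verify:", verify(pw, a, hash_fast))
    print("slow verify:", verify(pw, new_record(pw, hash_slow), hash_slow))
    print(f"slow scheme costs ~{slowdown_factor():,.0f}x more per guess")
```

The slowdown applies equally to the site's own login check, which is why the work factor is tuned to what the server can afford per login.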

Re: Steam Hacked

Post by Theicecreaman on Fri Nov 11, 2011 4:26 pm

Is it safe to keep password info on a MS Excel document and store it on a flash drive? I haven't done this yet, but it's what people tell me is the safest thing to do.



Re: Steam Hacked

Post by Wonko the Sane on Sat Nov 12, 2011 12:31 am

Listen to your own advice for a change and ignore everything those idiots are telling you to do. By your own admission, they're never right, so just forget about it.

Storing passwords in plain text anywhere is NEVER a good idea. Ever. Doubly so if you're storing passwords that connect to any personal or financial data. Flash drives are too easily lost or stolen, and then whoever obtains it has complete access to your online data and money. Do you chain that flash drive to yourself every time you finish using it? Then is it really worth the risk of losing that data?

You can, however, install Oubliette or 1Password on that flash drive and keep your passwords encrypted within one of those programs. That would be fine. As long as the passwords are encrypted in some way using a secure encryption algorithm, then you're fine. Doesn't matter if you lose it or it gets stolen, they aren't getting into your encrypted stuff.

If you don't want to spend the dollar or whatever it is for 1Password on your iPod Touch then just download Oubliette as a zip file, extract it to the flash drive and set it up to use a file stored in the same folder. Choose the Blowfish encryption algorithm and you're all set.

If you have other data you want to encrypt besides passwords, I use Truecrypt. It's been mentioned here before and is a fantastic free program. You'd create an encrypted file container on the flash drive then drop whatever you want into it. It mounts that file as if it were a separate flash drive so you can just drag and drop into it. Just leave the Truecrypt portable exe file on the flash drive somewhere and you'd have access to your stuff from any computer.

Key point: Encrypt your stuff. Never store passwords in plain text.


Re: Steam Hacked

Post by Theicecreaman on Sat Nov 12, 2011 2:22 pm

Nah, I meant an Excel document with a password.

'Cause it's either that or I just write it down somewhere and hope I don't lose it. I'm probably just going to use Truecrypt in addition to a password-protected Excel document. That should be good enough.


Re: Steam Hacked

Post by Wonko the Sane on Sat Nov 12, 2011 4:51 pm

No, the passwords on Excel are not secure in any way. Excel uses cryptographic ciphers that date back to the late 80's or even older, in some cases. The default cipher it uses can be broken in less than 10 seconds using a tool you can find with a quick search on Google. You can select a more secure option, but its implementation uses the RC4 cipher which, even if you don't know anything about crypto, pull up its page on Wikipedia and the first paragraph will tell you in plain English that it is easily cracked, so I wouldn't risk it.

If you use Truecrypt, you don't need to password protect the document. Truecrypt by itself uses extremely secure encryption algorithms that have never been breached. Use a strong password longer than 10 characters and even the government won't get in there. Just so you know, the US government uses AES 256-bit to encrypt its "top secret" level material. You know, spy stuff. Truecrypt lets you select algorithms even more secure than that, or do multi-level encryption. The sun will go supernova before someone invents a processor powerful enough to crack that kind of encryption.

But if all you're securing are passwords, a program like Oubliette is just as secure and is far simpler and quicker than using Truecrypt every time you need to get at your passwords. Truecrypt involves mounting the flash drive then mounting the file inside the flash drive every single time you need to get in there. Oubliette is a self-contained program that you just launch and unlock. Or 1Password is a whole dollar or something.

Stop trying to make things complicated :P


Re: Steam Hacked

Post by blivvy on Sat Nov 12, 2011 5:01 pm

Well 1st of all tl;dr but I had a quick glance and seen words like "cryptographic" and "algorithms" so I was like yea no thx, this sh*t's too complamacated lol.

And remember...



Re: Steam Hacked

Post by Wonko the Sane on Sat Nov 12, 2011 6:12 pm

It's not complicated. Ice, who joins self-help AOL chat rooms for GTA lovers anonymous, is just making it more complicated than it needs to be. The only post you need to read if you want to know how to encrypt your passwords is my second post.

I'll even make it easier for you, if you don't even want to read it, just click that link I pasted in there and use that (free) program to store your passwords and be merry. Here it is again: http://www.tranglos.com/free/oubliette.html

If you're totally apathetic and lazy and don't care if hackers get access to your bank accounts, max out your credit cards, and steal your identity, then don't bother posting a tl;dr, 'cause this is a thread for smart people who know better than that. :P


Re: Steam Hacked

Post by blivvy on Sat Nov 12, 2011 7:04 pm

tl;dr

:P


Re: Steam Hacked

Post by Shinja on Sat Nov 12, 2011 7:19 pm

Guys if you wanna store your passwords in a secure location just use MS Paint to draw the letters onto your desktop background. Hackers will never look there for the passwords so it basically makes you invincible, and even if the hackers see it they can't get at it because it's an image file so they can't copy and paste the text from it.



Re: Steam Hacked

Post by blivvy on Sun Nov 13, 2011 4:44 am

lol shinj


Re: Steam Hacked

Post by Wonko the Sane on Sun Nov 13, 2011 8:17 am

rofl

As usual, Shinji's brilliance makes us all look like pre-schoolers. One day I hope I'll be as smart as you :D
King


Re: Steam Hacked

Post by Theicecreaman on Sun Nov 13, 2011 12:11 pm

Haha alright alright I'll use Truecrypt. I'll start thinking about thinking about considering doing this in a few weeks.

Haha I hope I don't bump my head and get amnesia or something because as of now, all my passwords are in my noggin. It's freaking annoying lol I always have to try like 1000 times to get the right one.


Re: Steam Hacked

Post by Da Llama on Sun Nov 13, 2011 12:59 pm

Good thing I didn't sign up. :D


Re: Steam Hacked

Post by blivvy on Sun Nov 13, 2011 2:32 pm

Theicecreaman wrote: "Haha alright alright I'll use Truecrypt. I'll start thinking about thinking about considering doing this in a few weeks.

"Haha I hope I don't bump my head and get amnesia or something because as of now, all my passwords are in my noggin. It's freaking annoying lol I always have to try like 1000 times to get the right one."

That's a good idea... until the hackers capture you and hack your brain. Then you are quite fooked xD


Re: Steam Hacked

Post by Trey on Thu Nov 17, 2011 10:18 pm

"The sun will go supernova before someone invents a processor powerful enough to crack that kind of encryption."

It'll only take a few hours to beat the password out of you though.

;)

I use mostly the same passwords for most things, because most things I need passwords for are unimportant. For my real e-mail and bank and college, I have real separate passwords, but that's only three to remember, so it's not that bad. Definitely going to change my Steam password though. I have several hundred dollars worth of games on there now.


Re: Steam Hacked

Post by Trey on Sat Nov 19, 2011 3:50 am



Re: Steam Hacked

Post by Wonko the Sane on Sat Nov 19, 2011 4:07 pm

Yep, that looks like another good option besides the two I already posted. It's open source and free, and it uses the AES and Twofish algorithms, both of which are extremely secure.

Same as with Oubliette, it looks like a self-contained program so you can stick it on a flash drive and take your passwords with you nice and safe-like. Or stick it on your Dropbox.

I still recommend 1Password because it's available for smartphones and such and syncs up between devices, but it's not free.


Re: Steam Hacked

Post by Trey on Sun Nov 20, 2011 2:41 am

This thread motivated me to go ahead and start using a program like that, and I prefer that one I linked. I checked out the two you suggested, and rather didn't like the UI.

Also, KeePass lets you use not only a master password, but a key file for even more security. Cryptographically, I don't know if that adds or detracts from its security, but from a practical standpoint (i.e., people trying to acquire your master password to break into your password database that way), I believe it adds security.


Re: Steam Hacked

Post by Wonko the Sane on Tue Nov 22, 2011 10:14 pm

The tl;dr version: Nothing beats strong passwords. Man up and read the damn post, you whiner.


The thing about a key file is you have to always have it with you to unlock the program. From a portability standpoint, this is not ideal because if you have that program on a flash drive, where are you going to keep the key file so that nobody can get it? You wouldn't want to keep it on the same flash drive 'cause that totally defeats the purpose.

Same goes with your computer at home. Do you store your key file on the computer itself? What happens if someone breaks into your home and steals your computer? Now they have both the program and your key file and access to all of your accounts. They scored big time. Not that this is a likely scenario, but it's very possible.

Unless you take extra precautions with your key file, it's kind of like leaving the keys to your home under the welcome mat.

A strong password that is easy for you to remember but difficult for anyone else to guess is far better. I just wrote a security blog about this for a tech company, but basically it comes down to the method that hackers use to try to crack or guess your password. They always start with dictionary attacks. They have a massive list of every word in the dictionary in a bunch of the most common languages, then they add to that list every possible combination of two or three or more words, and then they add to that the most common passwords which you can find by doing a simple Google search. A list like that using a modern computer can be processed in a few hours if they have offline access to whatever they're trying to break into.

So the trick is to get your password off of that list. Stick some symbols between words or a phrase that you can remember, and suddenly there's no way a hacker can have that phrase on his list.

Example: Instead of using the password "FlubberIsAwesome", use "=Flubber=Is=Awesome". Tadaaa! But we can't all use "=" like that or else hackers will catch on and add that to their list. So mix it up, make it your own, and use capitals and numbers if possible, as this adds to the pool of possible characters they have to try.

Once your password is something that's not on that list, all a hacker can do is brute force your password. This means, guess it by trying every possible combination of every possible character. So... "a" "ab" "abc" "abcd" etc. According to this page, that password I made up above would take 14.67 trillion centuries to crack using a theoretical offline attack using one hundred trillion guesses per second, which will be possible soon enough given the power of distributed computing and so forth. So, yeah, basically that's totally secure.

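A worked version of the estimate in the post above, added here as an example and not code from the thread or from the page the post links to. It assumes a printable-ASCII alphabet in four classes (26 lower, 26 upper, 10 digits, 33 symbols including space), a 365.25-day year, and a small constructed wordlist; under those assumptions the post's password comes out at roughly 14.6 trillion centuries, close to the quoted figure, while the unseparated version is flagged as a plain word combination.

```python
import string

# Assumed alphabet classes; 33 symbols = printable ASCII punctuation plus space.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
GUESSES_PER_SECOND = 100 * 10**12  # the post's "one hundred trillion guesses per second"
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600  # assumption: Julian year

# Constructed sample wordlist; a real checker would load a large dictionary.
WORDS = {"flubber", "is", "awesome", "password", "steam"}


def alphabet_size(password: str) -> int:
    """Size of the character pool implied by the classes the password uses."""
    used = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            used.add("lower")
        elif ch in string.ascii_uppercase:
            used.add("upper")
        elif ch in string.digits:
            used.add("digit")
        else:
            used.add("symbol")
    return sum(CLASS_SIZES[name] for name in used)


def search_space(password: str) -> int:
    """Count of all strings of length 1..len(password) over that pool."""
    n = alphabet_size(password)
    return sum(n**k for k in range(1, len(password) + 1))


def centuries_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole search space at the given guess rate."""
    return search_space(password) / rate / SECONDS_PER_CENTURY


def is_word_combination(password: str, words=WORDS) -> bool:
    """True if the password is only dictionary words glued together (case ignored)."""
    s = password.lower()
    # reachable[i] is True when s[:i] can be split entirely into listed words.
    reachable = [True] + [False] * len(s)
    for end in range(1, len(s) + 1):
        reachable[end] = any(
            reachable[start] and s[start:end] in words for start in range(end)
        )
    return bool(s) and reachable[len(s)]


def assess(password: str) -> str:
    """The brute-force figure only means something once the wordlist check fails."""
    if is_word_combination(password):
        return "word combination: found by a dictionary attack, estimate does not apply"
    return f"{centuries_to_exhaust(password):.3g} centuries of exhaustive search"


if __name__ == "__main__":
    for candidate in ("FlubberIsAwesome", "=Flubber=Is=Awesome"):
        print(f"{candidate!r}: {assess(candidate)}")
```

The figure is an upper bound on exhaustive search only; it says nothing about a password that matches a pattern an attacker already tries, which is the point the post makes about everyone adopting the same separator.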
