Gabe Newell Says Steam Hack Is Worse Than Expected

[Rhys95]

Password Changed, Steam Guard Online, Lvl3 Turret Deployed, Sniper in undisclosed location. I think I'm safe....

 

[mireko]

This sucks. The people responsible should have their hands and eyes replaced with rubber bands and flies. I'm glad I switched to PayPal/being extremely paranoid after the Sony hack. Remember to never re-use passwords, people.

Does this affect Paypal users as well?

Probably not. Aside from the fact that you have to enter your PayPal details every time you purchase, Steam (and most other companies) also have to redirect you to PayPal's site in order to log in and pay. I don't think any of the info actually goes through Steam.

Granted, I don't actually know how these systems work. Hopefully Valve will come forward with some more info about who will be affected.

 

[McMullen]

Funny. When this happens to Sony, everyone on here says Sony is such shit and they'll never use a Sony product again.

When it happens to Steam, you make TF2 jokes and pretend like its different. Bottom line is both companies had an obligation to protect user info and failed miserably at it.

Just saying.

Except Valve didn't store passwords in plaintext. Sony did. Valve didn't spend weeks lying to us. Sony did. Those two things alone make a HUGE difference.

P.S. Thanks

I seem to miss when Sony lied. I know they withheld all the details so that they could assess the damage properly, and not have the internet community freaking out.

Also, information was stolen both times. That's the important fact.

No, it's not. Saying information was stolen both times, and that's the important fact, is like saying during WWII the US killed hundreds of thousands of people, and that's the important fact. It's missing a huge amount of context and completely distorts the message.

We can assume that any place that hackers want to break into will get hacked at some point. What differentiates the responsible corporations from the irresponsible is what they do to prepare for this. Sony stored sensitive information in unencrypted plaintext databases. Valve stored passwords and credit card numbers in an encrypted form. This is roughly equivalent to having two banks, one of which (the Sony bank) stores money in cardboard boxes in an unlocked walk-in closet with a big sign on the door saying "MONEY". The Valve bank, on the other hand, stores it's money in a locked vault. If these were actual banks, the Sony Bank would clearly be neglectful.

Context. It makes a lot of difference.

And I suppose the money from the vault will magically go back to the vault? Because last I checked, money stolen from a piggy bank and money you steal from a James Bond villian's super secret lair are worth the exact same.

And I think the analogy you were looking for is "Matt is a jerk, Bill is a nice guy. Matt shot an old lady in the face. Bill shot an old lady in the face. BOTTOM LINE: Both times an old lady got shot in the face!"

Stealing encrypted data doesn't guarantee you'll be able to read it. Hacking into a site is like breaking into the bank. If the bank is using a vault like it should, you're not done yet. With Sony, all the hackers needed to do was break in. Depending on the strength of Valve's data encryption, it might be a while before the hackers are able to read the data, and in that time people will be able to take appropriate steps to mitigate the damage.

Why are you still on about this? Sony didn't encrypt sensitive data. Valve (and any other responsible company) did. Sony was negligent. That's all there is to it. Doesn't matter what analogies are used to describe it. It's okay to be wrong. We don't hate you for it. This is an opportunity to realize that you spoke before understanding the situation, and to remember to not make that mistake in the future. This is how we grow, and we're on a more or less anonymous forum so this is the best place to do it. No humiliation, no strange looks, no one laughing at you. There's just the annoyance of me telling you that you're making a fool of yourself here, but you really have no reason to care what I think of you, so you're fine.

 

[Yopaz]

Does this affect Paypal users as well?

No, if I remember correctly PayPal requires you to input the password every time and Steam doesn't save PayPal passwords. Although I would change the password if it's the same as your steam password.

OT: I was just heading over to the Steam forums to change my password when I realized I have never had a steam forum account. Man what a relief. I still changed my email password and Steamguard will cover it if anyone tries to hack my actual account. I also removed my credit card so I feel safe.

 

[Sofus]

Someone is bound to go bragging at some point.

I have previously been against most DRM and surveillance attempts, but perhaps it is about time we start searching for ways to reinvent the internet so that it is nearly impossible to be anonymous.

 

[The Virgo]

Well, fortunatley, I didn't save my credit card info, so I should be okay, right? But now I don't remember my password, so I can't get in to change it. <:-O

Also, for a while I was a part of the Steam Users' Forums, but I'm no longer a member. Am I in the clear?

 

[RA92]

Because I got non-stop crap from my friends, and internet at large, over the PSN fiasco. I like my PS3, it's never let me down.

That's all. Dumb reason I know. Plus, like most people browsing the web, I'm bored and decided to argue about PSN vs. Steam. No other reason.

So basically you're being a fanboy.

At any rate, this no where as bad as the PSN fiasco. Besides hashing the passwords, they've also salted their database, which means the hackers are unable to use rainbow tables (which is just a huge lookup table which matches inputs to every possible hash output) and has to decrypt them one-by-one, making the process incredibly slow.

And with Steam Guard on top that, whose IPT generates a new numerical password every 30 seconds, smart users with strong passwords are pretty safe.

 

[SmilingWorlock]

I like Steam and I buy a lot of games on there. I don't feel let down by steam. I mean, they told us as fast as they found out, didn't they? I buy all my games via PayPal, so I still feel safe.

 

[TacticalAssassin1]

"I got hacked and all I got was this lousy T-shirt" misc tf2 item, no doubt shall be what we get for this one.

Yes. Please, Valve. Do this!

 

[TheComfyChair]

Summary of the thread: Steam users are happy. Ps3 users trying to have a go at steam because they don't understand the security

 

[superbatranger]

Well I deleted the card on my account, but now I can't seem to be able to change my password. At the same time, I don't recall having an account on the forums.

 

[bificommander]

Damn. And the annoying thing is, I have never been able to turn the option for Steam to remember your credit-card info off. I turned it on once, and ever since then Steam remembers it. If I uncheck the 'remember' box I need to fill the info in again but he keeps remembering the state of the last time he remembered it.

Well, better keep an eye on my card I guess.

 

[TheComfyChair]

Well I deleted the card on my account, but now I can't seem to be able to change my password. At the same time, I don't recall having an account on the forums.

Don't worry about it then. The actual steam username/passwords haven't been compromised in any form.

 

[superbatranger]

Well I deleted the card on my account, but now I can't seem to be able to change my password. At the same time, I don't recall having an account on the forums.

Don't worry about it then. The actual steam username/passwords haven't been compromised in any form.

I guess I'm lucky that the card on file was an old debit card I used while I was in Costa Rica. I wanted to change my password though, to be on the safe side, but as another user mentioned, Steam couldn't process the request.

 

[Ickorus]

I think I might be doubling up the length of my password, glad we were told early.

I still love you Valve, here, have an internet hug.

Spoiler

 

[RikuoAmero]

Hey, am I the only one having problems with changing passwords? I'm logged in, and I'm stuck at the message from Gabe Newell. I click on User CP, my profile name, other links, and I keep getting sent back to the message...

 

[ERROR989]

Up until now, I've used Prepaid Mastercards, but I changed my password anyway.