Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[justinlee999]

I was in the middle of a Steam forum discussion with someone until this happened...

Also my Steam forum and game accounts are the same...

[Knight of Fools]

I wouldn't worry about it. I'm unclear on the specifics, but it's all but impossible for (Most) good services to have the users' passwords stolen, even if the server is hacked and all of the information is found, because, like someone mentioned, everything's encrypted. The reason that hackers can't get your password is the same reason that a forum doesn't tell you what your password is - Because it can't.

When you put a password in, the server jumbles it up into an unrecognizable mass of nonsense. It's clever to the point where it can't be reversed without a lot of effort, and that's only if you found the program used to make the jumble in the first place. If it's done poorly, like with the gaff Sony pulled a while back, then you have something to worry about, but most of the time breaches like this are usually exceptions rather than the rule. I honestly wouldn't be surprised if it were the moderator's own fault, but it's just as likely that it wasn't.

So, long story short: Don't worry about it too much, for now. If the Steam forums had a major breach like the one Sony had, then we'd have a lot more to talk about than one moderator getting hacked.

[justinlee999]

So unless I have a big reason to be hacked, the hackers just wouldn't bother unencrypting mine?

[Metalax]

So unless I have a big reason to be hacked, the hackers just wouldn't bother unencrypting mine?

Essentially, yes. In general you have a far higher chance of your password being stolen by a keylogger that has gotten onto your system than by a hacker managing to unscramble properly stored passwords from a site.

[cerapa]

This sounds less like "the servers got haxxored" and more like an admin just got keylogged.

Which means the admin picked up a keylogger from somewhere. And the keylogger in question apparently gives information to the site that was given by the "hackers". I wonder what site the keylogger might have come from?

[Metalax]

yeah, apparently they have been going around in the comments replies on many of the gaming news sites claiming that "it wasn't us, honest. It was our unnamed rivals in providing malware."

[Sergius]

You can't just "unencrypt" a password, because they're usually encoded one-way as hashes, with a certain random key (called the salt) that is also stored. So while the password "GOOMBA" might get hashed into "YAS%%1y66hY2hXDs2366", you can't get the word GOOMBA out of it (data has gotten lost/ignored in the process). You just encode GOOMBA again with the same algorithm and then match the result again.

You could in theory end up with a possible different word that gives the same result, but the odds of it being alphanumeric (and able to be typed) are really small. Even programs that guessed your password in ZIP files merely gave you a random string that "worked", not your original password.

It's different from when you want encrypted data to actually be readable later. You just need your data to give out the same output each time.

At least that is how it happens in well designed security libraries. Some don't bother and store your password in plaintext and hope nobody has root access to the file. I'm pretty sure most open-source forum software use the first method though.

[Metalax]

Update on it. Looks like they did actually manage to partially break into steam itself.

10 November 2011
Dear Steam Users and Steam Forum Users:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

[PsyberianHusky]

I am glad Gabe manned up to ASAP.
I respect that man.

[EuchreJack]

Can somebody tell me how to go about changing my password?

While I might like the Steam service, their interface is terrible.

Edit: Nevermind, I found it.

You have to select "settings" from Steam on the start menu.  Or something like that.

[SHAD0Wdump]

The steam forums have returned.

[klingon13524]

I am glad Gabe manned up to ASAP.
I respect that man.

Valve is awesome, what else is there to say?

[Felius]

It's quite the contrast when you compare with how Sony dealt with it.

[nenjin]

When you compare to how most major companies deal with it.

[Felius]

Indeed.

I'm also a bit impressed that it was big enough news to hit BBC: http://www.bbc.co.uk/news/technology-15690187