Steam forums down after possible hacker attack

[kugs]

http://www.pcgamer.com/2011/11/07/steam-forums-down-after-possible-hacker-attack/

“The Steam Forums are temporarily offline for maintenance. Your patience is appreciated.” That’s the message you’ll get if you’re trying to log into the Steam forums at the moment. They’ve been taken down due to an apparent hack that briefly saw front page text changed to advertise a game hacks site. Eurogamer say that some Steam users have had their email addresses spammed with messages from this site

A screenshot of the Steam forums before the hack shows that the official notices section at the top of the page had been altered to promote a site called Fkn0wned. The hack is a worrying breach of Steam’s usually watertight security, and is especially concerning for users whose Steam login details are the same as their Steam account username and password. Valve haven’t commented on the breach yet.

According to a (unconfirmed) post on Facepunch passwords may have been comprimised. If you use the same login details elsewhere is advisable you change it.

[GTFO. Gash]

hmm what was my password... :/

[GTFO. Luckyg]

hmm what was my password... :/

i believe it was "xXxL33tIrIshK1dxXx"

[GTFO. kk20]

I dont think I ever had a steam forum login.

[Getsuga Tensho]

Wasn't just the forums apparently. Valve released a message saying that Steam itself was compromised.

Here's a link to the message: http://forums.steampowered.com/forums/

Dear Steam Users and Steam Forum Users:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

[Russian Guyovich]

http://i.imgur.com/IMeWI.png

[GTFO. Loser]

Interesting Russian lol

[Bleed]

Logged into my steam forums account, didn't find any way to change my password. So the being forced to change password thing doesn't apply yet...

Logged into steam itself via browser, but can't find any way to change my password here either. Need the steam application for that?

[kugs]

Logged into my steam forums account, didn't find any way to change my password. So the being forced to change password thing doesn't apply yet...

Doesn't look like you can do anything until the forums are unlocked.

Kinda annoyed it took them 5 days to even acknowledge there was a hack, and so far they've only released this info on the forums. The people most at risk are the ones who use the same name/password for every account, and they're unlikely to check the forums or gaming websites. A mass email/im/accouncement on steam would be a better choice.

Email addresses and passwords being leaked are a bit worrying. The post didn't mention if they had any access to the salt used for the passwords. Your email address is the key to your online life, so make sure to revisit your security practices if you use that password anywhere else.

That's the negatives though. On the positive side the encryption used for credit cards is the same one used by the US Government, and though there have been attempts made to attack the encryption method, it's still pretty secure so not worried there.

[GTFO. KARR]

Logged into my steam forums account, didn't find any way to change my password. So the being forced to change password thing doesn't apply yet...

Kinda annoyed it took them 5 days to even acknowledge there was a hack, and so far they've only released this info on the forums. The people most at risk are the ones who use the same name/password for every account, and they're unlikely to check the forums or gaming websites. A mass email/im/accouncement on steam would be a better choice.

Logged two accounts in this morning to the Steam client , both had a full page popup with the same message that is/was on the forums stating the issues.

[kugs]

Oh. Disregard that bit then .

[r3loaded]

As an aside, if you're using Gmail and have an Android/iOS device, now would be a good time to enable two-factor authentication. The security is worth having to whip out your phone each time you log in imo.

[-NanoCorp- CyberPower]

[Crazyman]

Yeah the Gabe mail is a fake

Do wonder what sort of encryption they use on CC data tho.

[GTFO. Loser]

I hope we never find out what encryption they use. Makes it harder for the idiots to crack it!

[r3loaded]

If they're using SHA and AES with a decent word size, we don't have much to worry about

[GTFO. kk20]

means nothing if you have the IV and key. Probably stored it in plain PHP for the taking...

[GTFO. al]

not a single fuck given about the forum account...don't care about it.

changed my steam password anyway. not that it would matter much...it'll ask you to put in a code if you use it from a new computer anyway with that steam guard thing. and my email password isn't the same as steam...not a rookie.