
Steam loses user database - taylorbuley
http://gaming.icrontic.com/news/steam-user-database-compromised/
======
danilocampos
I admire the absolute hell out of Valve and have for a long time. Gabe Newell
is, for my money, the biggest mensch in tech. Let's take a moment and look at
how this was handled:

The message communicates exactly what happened in clear terms that don't try
to cover anyone's ass. They explain which data was compromised and the
potential implications. No double-talk. This could be an email you got from a
friend or colleague.

The message conveys Valve's hope that the credit cards are secure but makes
clear that users should be nonetheless vigilant about watching for suspicious
activity. Just in case.

The message is signed by _the head honcho_ of the company. Not some
communications or PR weasel. It's in your inbox, not on some obscure blog.

Finally, it closes with:

"I am truly sorry this happened, and I apologize for the inconvenience."

Accepting responsibility, _acknowledging that it's a fuckup_ , and showing
some empathy for the fact that this completely sucks for their customers.

Sony, Adobe and their ilk could learn _a lot_ from this company.

~~~
sdkmvx
You are absolutely right, and I really appreciate this from Valve. There is
only one thing that would have made it better: even more info. He says
passwords were "hashed and salted." This could be anything from the naïve
MD5(pass+salt) to the more secure bcrypt or PBKDF2. Now, I have every reason
to believe that Valve is smart enough to not use methods like the first, but
information is always welcome in a scenario like this. There should be no
reason to hide your cryptography method provided that it is secure.

> Sony, Adobe and their ilk could learn a lot from this company.

And unfortunately they won’t listen…
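
As an added illustration of the range sdkmvx describes (this is example code written for this page, not anything from the thread, from Valve or from Django), the Python below puts a naive MD5(pass+salt) record next to a PBKDF2-HMAC-SHA256 record in a self-describing storage format, and shows a login routine that verifies either kind and transparently upgrades a legacy record the next time its owner logs in. The `algo$...` record format, the 100,000-iteration policy and the `hunter2` sample password are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Work factor the site currently requires (assumed policy value for this example).
PBKDF2_ITERATIONS = 100_000


def legacy_md5_hash(password: str, salt: bytes) -> str:
    """The naive scheme: one MD5 of password+salt. Salted, but fast to guess against."""
    digest = hashlib.md5(password.encode() + salt).hexdigest()
    return f"md5${salt.hex()}${digest}"


def pbkdf2_hash(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted and stretched: the iteration count is stored so it can be raised later."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute the record from its own parameters and compare in constant time."""
    algo, *rest = stored.split("$")
    if algo == "md5":
        salt_hex, _digest = rest
        candidate = legacy_md5_hash(password, bytes.fromhex(salt_hex))
    elif algo == "pbkdf2_sha256":
        iterations, salt_hex, _dk = rest
        candidate = pbkdf2_hash(password, bytes.fromhex(salt_hex), int(iterations))
    else:
        raise ValueError(f"unknown hash format {algo!r}")
    return hmac.compare_digest(candidate, stored)


def needs_rehash(stored: str) -> bool:
    """A record is weak if it is not PBKDF2 or was made with fewer iterations than policy."""
    algo, *rest = stored.split("$")
    if algo != "pbkdf2_sha256":
        return True
    return int(rest[0]) < PBKDF2_ITERATIONS


def login(password: str, stored: str) -> Tuple[bool, str]:
    """Verify the password; on success return the record to store, upgraded if weak.

    The plaintext is only available at login time, so that is the only moment a
    legacy MD5 record can be replaced without asking the user to reset anything.
    """
    if not verify(password, stored):
        return False, stored
    if needs_rehash(stored):
        return True, pbkdf2_hash(password)
    return True, stored


if __name__ == "__main__":
    old_record = legacy_md5_hash("hunter2", os.urandom(8))   # constructed legacy row
    ok, new_record = login("hunter2", old_record)
    print(ok, new_record.split("$")[0], "needs_rehash:", needs_rehash(new_record))
```

Storing the algorithm and iteration count inside the record is what makes the upgrade path possible; a site that only ever stored bare MD5 digests has no way to tell how a given row was produced.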

~~~
lawnchair_larry
The "Use bcrypt" rant comes up on HN a lot, but I've actually never seen a
website that uses bcrypt or PBKDF2 in the real world. Hell, I rarely encounter
developers or admins who even know what it is. I doubt it was more than
md5+salt, but maybe.

Edit: I should clarify - there certainly are examples of bcrypt being used,
and I know there are tools available. But pick several random websites that
have forums or user accounts and the number actually using it will be very
small. That has been my experience once exposed to the code/infrastructure
anyway.

~~~
po
PBKDF2 will be in Django 1.4:

<https://code.djangoproject.com/ticket/15367>

 _edit_ Let me also add... this is for auth/password hashing, not data
encryption. To any people reading this: if you don't understand the
difference, and you are responsible for writing web applications, then please
read up on it.

The data that Valve was storing (CC info) needs to be encrypted and I'm
assuming that data then needs to be unencryptable. They have to store the key
because they have to be able to recover the plain text. With password hashing,
you will never need to be able to recover the password.

~~~
ubernostrum
Also, if you're using Django, consider Playdoh:

<https://github.com/mozilla/playdoh>

It's what we use at Mozilla as the basis for most of our Django-based stuff,
and gets you bcrypt password hashing -- even on older Django releases -- for
free, along with some other niceties that probably need to find their way
upstream soon :)

~~~
Semiapies
Very interesting stuff - thanks!

------
callmevlad
The title seems to be very misleading. There is a big difference between
losing a user database (all user info gone, no backups, can't log in, etc) and
database information being compromised (information leaked, fraudulent
activity, etc).

~~~
skeletonjelly
Agreed. Assumed this was going to be a story of data loss, and how they have
good backups and managed to restore with no problems. This is unfortunately
much graver.

------
theDoug
I'm a Steam user, Steam forums user, and Valve customer and have received no
email or notification. This story may not be as all-encompassing as it
appears.

~~~
Natsu
Fortunately, I have my account registered with a spamtrap email address, a
username/password that I have never used elsewhere, and a very low limit
credit card. Yeah, I'm glad I know better than to use a debit card.

I'll be watching to see if anyone starts spamming me, because that spamtrap
email is unique to my Steam account and has not been published elsewhere.

Guess it pays to be paranoid.

~~~
bh42222
_Fortunately, I have my account registered with a spamtrap email address, a
username/password that I have never used elsewhere, and a very low limit
credit card._

Same here. But I am a bit sad that my paranoia has been confirmed yet again.

~~~
MichaelApproved
Doesn't it stop being _paranoia_ if you are correct?

~~~
Natsu
It's a matter of perspective. To most others, this still appears as paranoia.
But I wouldn't be doing it if my experience didn't say that such problems
occur far too often.

------
onosendai
For the last 7 years or so of making payments online I've had an iron clad
rule which I have yet to break: only use one time credit card numbers with a
low spending limit which are provided on demand by my bank. It's a service
tailored specifically for working around the problem of having your CC details
stored indefinitely on poorly secured databases of every two-bit company out
there.

And with each major (and minor) data breach I'm more happy I use it.

~~~
dholowiski
Have you ever investigated in depth how much security one-time credit card
numbers give you? I ask because my Paypal account was compromised last month.
I cancelled my credit card, but Paypal was still able to refund money to my
card even though the number was no longer valid. Also, I had pre-ordered but
not paid for an iPod touch. When the touch shipped, my credit card was billed
even though the old number had been cancelled, and the new one had not been
activated yet.

~~~
X-Istence
I have used the one time numbers that my Bank of America card creates and have
had to retire a few due to breaches and after they were retired I got a call
asking me if I had authorised another charge to that now defunct account
number, and I said no, so they didn't let the charge through.

I know for example that credit cards with expiration dates can still be
charged for a couple of months after the expiration so that users who have not
had the chance to update recurring services have more time to do so. Also, it
is entirely possible that Apple had placed a hold on your account for the
money and when it finally shipped it went from a hold to actual transaction
and that is why it was still allowed through.

~~~
uptown
I had an amex that was compromised, cancelled, and beyond its original
expiration date, and AMEX continued to charge Netflix charges to the old
expired cancelled/compromised number ... flowing the charges through to my new
account number. To their credit, they removed all of the charges once I caught
it, but just helps to know that a cancelled number isn't always a cancelled
number even when you've already reported the number compromised.

~~~
snikch
It's a cancelled number, but what happens (this happened to me on xbox live)
is that they continue to charge it because they've got an active
pre-authorisation. So when they're charging you, they're actually charging that
pre-authorisation. If a different merchant were to try the card, it would
fail.

Microsoft charged me for two years after the card's expiration date until I
noticed.

------
Margh
Am I the only one who thinks that "Steam loses user database" isn't quite the
same as "Steam database of salted data compromised"?

For a moment there I thought all my Steam purchases were, you know, lost.

------
cheald
> "While there is no evidence that passwords and credit card information have
> been compromised, with the state of encryption cracking, it should only be a
> matter of time (and horsepower)."

Um. What? Assuming that a PCI-compliant level of encryption was used, "matter
of time" is "heat death of the universe" if you don't have the encryption
keys.

~~~
redthrowaway
PCI-compliance really isn't a standard _anyone_ should be shooting for. Use
_good_ security measures, not compliant ones. PCI is for enterprise and
government agencies who keep wondering why they get compromised by
14-year-olds running metasploit. Yes, you have to be compliant. No, you should not
think 'compliant' is in any way synonymous with 'secure'.

~~~
zecho
Exactly. When we last went through our PCI compliance rigamarole, they told us
if anyone ever told us their CC number over the phone we were to open a text
editor on our machines, type it without saving and then close it without
saving when done. Apparently our writing on a physical notepad and destroying
the piece of paper when done with it was not secure enough, so we had to
introduce the possibility of keyloggers to our process.

~~~
cookiecaper
Don't you have to type in the number anyway? It sounds like a keylogger would
just get it a little later if you wrote it down on paper first.

One potential reason it's preferable to use an innocuous, generic text editor
is the potential supposition by an attacker that they only need to infect
and/or monitor the card processing application. If someone spreads a malicious
update that has a built-in keylogger only for that application, for instance,
copy+paste from the non-infected program would stop it from recording the
data.

Though I think that's stretching it a bit. Maybe your auditors encountered
something similar previously?

~~~
zecho
We had a front desk that would take calls and pass info along to the
appropriate staff (on a different, largely segregated network). We don't want
people emailing CC numbers or any customer data, really, internally, so it
would be passed along via a note. But these cases rarely ever came up. We work
with transaction numbers and 99% of staff has zero reason to know any credit
card information.

It was something the auditors just brought up on their own, so yeah, I'm
assuming they'd run into it before.

------
Hrundi
How could they get to the [salted|hashed|whatever] payment data from hacking
the forum? Why is the payment data even remotely linked to the forum software?

Ok, the forum may need data from the account for validation, display name or
else. You can still implement it securely. This is a big human oversight over
what seems to be an insecure implementation. I just can't believe this.

I would have guessed they learned the lesson from when Gabe was hacked through
an Outlook vulnerability (with the HL2 code leak afterwards). It should have
made a paranoid out of him.

I think having chosen Paypal as a payment method was perhaps helpful for me.

PS: I do own a lot of games and I very much like the platform. I definitely
don't have anything against them. They presented a good notice, their high
level of responsibility over this incident is irrefutable. Also, props to
them for having encryption for their preloaded games that hasn't been broken so
far.

edit: formatting

~~~
daxelrod
Forum accounts are not linked to Steam accounts at all. The fact that the
first sign of the intrusion was in the forum software doesn't necessarily mean
it originated there. It's certainly possible that their entry point was the
forum software, but simply compromising a forum account wouldn't be enough to
compromise a Steam account.

------
jcapote
Confirmed by Gabe here: <http://au.pc.ign.com/articles/121/1212201p1.html>

All passwords are salted and hashed (hope they are using bcrypt), and all CC's
are encrypted.

EDIT: updated comment to clarify what I meant with the bcrypt

~~~
verroq
Whatever encryption for CCs, I think it's going to have to be reversible or
there won't be any point of storing them.

~~~
rapind
One technique is to store another string (a pepper) outside of the database
(assuming the salt is stored with the records) which is used along with the
salt to encrypt each password. This way, if only the database is compromised,
and not the config file or env variable holding the pepper you're in better
shape.
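
The following is an added example of the scheme rapind describes, written for this page (it is not code from the thread or from Valve). The per-user salt is stored in the database row, while the pepper is read from an environment variable that lives only on the application server; the password is first bound to the pepper with HMAC-SHA256 and the result is then salted and stretched with PBKDF2. The environment variable name, the placeholder pepper value and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# The pepper never goes into the database. In a real deployment it comes from the
# server's environment or config file; the value set here is a constructed
# placeholder so the example runs offline.
PEPPER_ENV_VAR = "PASSWORD_PEPPER"
os.environ.setdefault(PEPPER_ENV_VAR, "constructed-example-pepper-not-for-production")

ITERATIONS = 100_000  # assumed work factor for the example


def load_pepper() -> bytes:
    """Read the server-side secret; a missing variable is a deployment error, not a default."""
    return os.environ[PEPPER_ENV_VAR].encode()


def prehash(password: str, pepper: bytes) -> bytes:
    """Bind the password to the pepper before salting and stretching."""
    return hmac.new(pepper, password.encode(), hashlib.sha256).digest()


def make_record(password: str, pepper: bytes, salt: Optional[bytes] = None) -> dict:
    """Build the database row. Only salt, hash and iteration count are stored."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", prehash(password, pepper), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": dk.hex(), "iterations": ITERATIONS}


def check_password(password: str, row: dict, pepper: bytes) -> bool:
    """Verify against a row; without the right pepper even the correct password fails."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", prehash(password, pepper), bytes.fromhex(row["salt"]), row["iterations"]
    )
    return hmac.compare_digest(dk.hex(), row["hash"])


if __name__ == "__main__":
    pepper = load_pepper()
    row = make_record("correct horse battery staple", pepper)   # constructed user
    print(row)
    print(check_password("correct horse battery staple", row, pepper))
    # Someone holding only the database dump does not hold the pepper:
    print(check_password("correct horse battery staple", row, b"guessed-pepper"))
```

The consequence rapind points at is the last line: a copy of the table alone is not enough to verify guesses against, because every candidate hash also depends on a secret that was never written to the database. The trade-off is operational: the pepper must be backed up and rotated as a key, not as configuration.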

~~~
jaequery
If they got to the database, what makes you think they didn't get to the app
server?

~~~
awj
This could be the result of sql injection or some other application-level
attack.

~~~
stickfigure
Or possibly just a lost backup tape.

~~~
mguillemot
If some backup tapes _might_ go out of the building, they'd better be
encrypted...

~~~
pferde
I certainly DO hope that some backup tapes go out of the building. Offsite
backups are a good thing.

------
tjoff
I get the _impression_ that credit card information is stored in the same
database as login information etc.

Why?

My first thought is that it should be stored on, and _never_ leave, a
completely separate system where you have a very limited number of
interactions available (reducing the attack vector and making it much easier
to spot suspicious activity).

I.e. Charge customer x with y for game z. Refund customer for purchase i (only
valid within the refund-period). Add(overwrite)/delete customer data. Where
all interactions must be signed.

And nothing more.

Anything less than that and I'm skeptical as to whether you could be
considered careful with your customers' data. Storing credit card information in
the same database as all other user data for a service like steam should be a
crime and if it's closely coupled with the forum it's even worse (not that I
know if that's the case).

Disclaimer: I don't know any details about this incident more than that Valve
seems to be open about it taking place (great!).

~~~
jmelloy
Our architecture has a front-end database and a billing database. The credit
card number is stored in the billing database, and the details such as the
billing address, expiration, etc are stored in the front-end database, since
they need to be readable/updatable by the website. I imagine they're similar.
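
As an added example of the design tjoff sketches and the two-database split jmelloy describes (example code written for this page; not Valve's architecture and not jmelloy's system), the Python below models a billing vault that holds the card numbers and exposes only four operations: charge, refund within the refund period, set card and delete card. Every request from the front end is HMAC-signed, timestamped and carries a nonce, so the vault rejects forged, tampered, stale and replayed requests and keeps an audit log of the little that gets through. The front end keeps only the non-secret billing details it must read and edit. The shared key, the refund window, the operation names and the sample customer data are assumptions made for the example.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Tuple

REFUND_PERIOD_SECONDS = 14 * 24 * 3600  # assumed refund window for the example
MAX_REQUEST_AGE = 300                   # signed requests older than this are rejected


class BillingVault:
    """The isolated billing system. It alone holds card numbers, it exposes
    nothing but the signed operations in handle(), and it never returns a card."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._cards: Dict[str, str] = {}       # customer -> card number (constructed data)
        self._purchases: Dict[str, dict] = {}  # purchase_id -> purchase record
        self._seen_nonces = set()
        self.audit_log = []                    # a small surface is easy to watch

    def _verify(self, request: dict, signature: str) -> None:
        body = json.dumps(request, sort_keys=True).encode()
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("bad signature")
        if abs(time.time() - request["ts"]) > MAX_REQUEST_AGE:
            raise PermissionError("stale request")
        if request["nonce"] in self._seen_nonces:
            raise PermissionError("replayed request")
        self._seen_nonces.add(request["nonce"])
        self.audit_log.append((request["op"], request.get("customer")))

    def handle(self, request: dict, signature: str) -> dict:
        self._verify(request, signature)
        op = request["op"]
        if op == "charge":
            return self._charge(request["customer"], request["amount"], request["item"])
        if op == "refund":
            return self._refund(request["customer"], request["purchase_id"])
        if op == "set_card":
            self._cards[request["customer"]] = request["card"]
            return {"ok": True}
        if op == "delete_card":
            self._cards.pop(request["customer"], None)
            return {"ok": True}
        raise ValueError(f"unsupported operation {op!r}")

    def _charge(self, customer: str, amount: float, item: str) -> dict:
        if customer not in self._cards:
            return {"ok": False, "reason": "no card on file"}
        # A real vault would submit self._cards[customer] to the payment processor here.
        purchase_id = os.urandom(8).hex()
        self._purchases[purchase_id] = {"customer": customer, "amount": amount,
                                        "item": item, "ts": time.time(), "refunded": False}
        return {"ok": True, "purchase_id": purchase_id}

    def _refund(self, customer: str, purchase_id: str) -> dict:
        p = self._purchases.get(purchase_id)
        if p is None or p["customer"] != customer or p["refunded"]:
            return {"ok": False, "reason": "no refundable purchase"}
        if time.time() - p["ts"] > REFUND_PERIOD_SECONDS:
            return {"ok": False, "reason": "refund period expired"}
        p["refunded"] = True
        return {"ok": True, "amount": p["amount"]}


class FrontEnd:
    """The web tier. Keeps only what the site must read or edit (address, expiry),
    never sees a card number, and signs every call it makes to the vault."""

    def __init__(self, shared_key: bytes, vault: BillingVault):
        self._key = shared_key
        self._vault = vault
        self.profiles: Dict[str, dict] = {}    # customer -> {address, expiry}

    def sign(self, **request) -> Tuple[dict, str]:
        request["ts"] = time.time()
        request["nonce"] = os.urandom(16).hex()
        body = json.dumps(request, sort_keys=True).encode()
        return request, hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def call(self, **request) -> dict:
        req, sig = self.sign(**request)
        return self._vault.handle(req, sig)


def rejected(vault: BillingVault, request: dict, signature: str) -> bool:
    """True if the vault refuses the request; used to show the replay and tamper checks."""
    try:
        vault.handle(request, signature)
        return False
    except PermissionError:
        return True
```

The point of the narrow interface is that a compromise of the front end yields signed charge and refund requests at most, never the card table, and every one of those requests lands in a log short enough that anomalies stand out. In practice the shared key would be per-service and rotated, and the nonce set would be bounded by the request age window rather than kept forever.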

------
defen
Just yesterday I received a notification from Facebook that my account had
been accessed from a suspicious location and was locked as a security
precaution. I had no idea how this could have happened, but I _did_ have the
same email address + password for Steam and Facebook. Hardly proof, but
certainly a plausible theory.

~~~
mburns
<http://keepass.info/> - It is easy to have unique, complex passwords for
each and every service. And with Dropbox (or kin) you can sync to iPhone,
Android, Mac, Linux or Windows. Plus plugins for browsers to make it easier.

~~~
timerickson
Is there a Mac equivalent?

~~~
AdamGibbins
KeePassX works on OSX. <https://www.keepassx.org/downloads>

There's also others like 1Password that are popular on OSX.

~~~
shaggyfrog
I use 1Password in conjunction with Dropbox to keep my passwords secure and
synced between OS X, Windows (XP and 7) and iOS. It's a fantastic product.

------
dvdhsu
I've spent the last half hour trying to find my billing information on the
Steam site. I just can't find it.

It's great that Steam is letting me know that their database has been hacked.
It's not so great when I can't even see if my billing information or credit
card number (I obviously only want the last four digits) that Steam currently
has on file for me. If I knew which credit card I had used with Steam, I could
probably watch out for fraudulent charges. As it stands, there is no way for
me to figure out what information I've given to Steam in the past.

Arg.

~~~
Lurkin
Go to steampowered.com and log in. Click the drop-down (Usernames' account) in
the upper right corner and then Account details. The last four digits of your
CC should be listed under "Your Steam Account" on the right.

------
starnix17
At least they're honest about it, compare this to the PS3 compromise.

------
jccodez
You are loosely using the term lose. I lose things when I can no longer find
them.

------
tuacker
It's worth noting that as far as I know Steam Guard is active for any user who
didn't disable it. Meaning, if someone tries to log in to your Steam account
on a device that isn't yours (both via the client and on the website) he'll
get a prompt to enter a 4 char long code which is sent to your authorized
email address.

So your Steam account is safe. Your email address probably isn't a secret
anyway. The password is changed in a second.

Which leaves your payment (encrypted) and billing info. Personally I use
Click&Buy which requires a separate authorization from me and I'm actually not
sure if I have any billing address associated with Steam. So for me this whole
thing is just a minor annoyance in changing my password.

Obviously I might treat the obtained user data differently from other people.
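
The flow tuacker describes, as an added example written for this page (it is not Valve's Steam Guard implementation, whose internals the thread does not describe): after the password check, a login from a device that has not been trusted before gets a short code sent to the account's email address, and the device becomes trusted only once that code is entered. Because a 4-character code has few possible values, the example caps wrong guesses and expires the code, both of which the thread leaves unstated and are assumptions here, as are the code alphabet, the ten-minute lifetime and the injectable clock used to make the example deterministic.

```python
import hmac
import secrets
import string
import time
from typing import Callable, Dict, Tuple

CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LENGTH = 4          # the thread mentions a 4-char code; short, so attempts must be capped
CODE_TTL_SECONDS = 600   # assumed lifetime of an issued code
MAX_ATTEMPTS = 3         # assumed cap on wrong guesses per issued code


class DeviceGuard:
    """Second factor for unfamiliar devices: an emailed one-time code."""

    def __init__(self, send_email: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self._send = send_email
        self._clock = clock
        self._trusted = set()                              # (user, device_id)
        self._pending: Dict[Tuple[str, str], dict] = {}    # (user, device_id) -> code state

    def start_login(self, user: str, email: str, device_id: str) -> str:
        """Call after the password has been verified. Returns 'ok' or 'code_required'."""
        if (user, device_id) in self._trusted:
            return "ok"
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self._pending[(user, device_id)] = {
            "code": code, "expires": self._clock() + CODE_TTL_SECONDS, "attempts": 0}
        self._send(email, f"Your Steam Guard style access code is {code}")
        return "code_required"

    def confirm(self, user: str, device_id: str, code: str) -> str:
        """Check a submitted code. On success the device is remembered as trusted."""
        key = (user, device_id)
        pending = self._pending.get(key)
        if pending is None:
            return "no_pending_code"
        if self._clock() > pending["expires"]:
            del self._pending[key]
            return "expired"
        pending["attempts"] += 1
        if hmac.compare_digest(code.strip().upper(), pending["code"]):
            del self._pending[key]
            self._trusted.add(key)
            return "ok"
        if pending["attempts"] >= MAX_ATTEMPTS:
            del self._pending[key]   # force a fresh code rather than allow a walk of 36^4 values
            return "locked"
        return "wrong_code"


class FakeClock:
    """Example helper: a clock that can be advanced so expiry can be shown offline."""

    def __init__(self, now: float):
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    outbox = []   # constructed stand-in for the mail system
    guard = DeviceGuard(send_email=lambda to, msg: outbox.append((to, msg)))
    print(guard.start_login("alice", "alice@example.invalid", "laptop-1"))
    code = outbox[-1][1].split()[-1]
    print(guard.confirm("alice", "laptop-1", code))
    print(guard.start_login("alice", "alice@example.invalid", "laptop-1"))
```

The protection this gives is exactly the one tuacker and others note: a leaked or reused Steam password is not enough on its own, provided the mailbox the code goes to is protected by a different password. The attempt cap is what keeps a four-character code meaningful; without it the code space is small enough to enumerate.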

------
shocks
I am a Steam user, I did not receive an email.

If you are a Steam user I would recommend using the two-step verification
process they have. It uses a password sent to your email to verify you when
logging in using a new computer. Hopefully your Steam and associated email
passwords are not the same.

This is, of course, no replacement to changing your password - you should
definitely do that - but allows us to relax a bit in case something similar
happens again.

------
estel
I'd find it reassuring in times like this if companies could post details of
how securely they hash and salt user passwords. It'd be good to know...

------
elliottcarlson
"While we only know of a few forum accounts that have been compromised, all
forum users will be required to change their passwords the next time they
login."

I am assuming here that this means certain passwords were cracked at that
point - does this mean that the nonce/salt in their password storage was
discovered? And how long until they have a cracked user/password file?

------
jamesgeck0
One nice thing about the Steam client software (and store website) is that it
uses two factor authentication. The first time you log in on an unfamiliar
machine, you have to input a code which is emailed to you.

Even if your Steam client and forum passwords were the same, your client
account is still secure as long as your email password is different.

------
giulivo
It wouldn't have been a big issue, but they should have never ever saved the
credit card information in a db. I don't know what makes people so confident
they can save others' credit cards in a db.

I would rather prefer to repost the needed details for every purchase.

------
brunnsbe
It would be interesting to find out how they noticed that someone had stolen
the data. I guess there must be a lot of attacks that don't get caught.

------
orblivion
Wait, why would I change my Gmail password?

~~~
DiabloD3
Because a lot of people use the same password everywhere. I really really
really wish they wouldn't.

~~~
Silhouette
As long as we routinely use dozens of services that rely on "memorable" data
to authenticate us, this is as inevitable as people who try to use different
passwords for everything writing them down.

Password stores are one possible improvement, but most people don't know
enough to use one, and they are probably far too fiddly for most people
anyway. And of course, ultimately you're still talking about using a single
set of credentials to authorise everything in that case, it's just a different
target (which if ever compromised will undermine your entire identity).

Multi-factor authentication is a much better solution, but the technology to
make it ubiquitous in a way that is neither excessively expensive nor creepy
on privacy grounds isn't there yet.

There are some problems in security that we know how to solve, at least to the
extent that no-one has any idea how to crack them directly today and the
effort to brute force them is effectively infinite. I'm really hoping that one
of these days, the combination of mobile technology and the Internet will
provide us with an easily portable device that can integrate with everything
and render obsolete the current mess of hundreds of on-line identities,
"memorable data" to authenticate for every financial service I use, etc.

------
ktusznio
I am finding it pretty difficult to change my Steam password. Where the hell
do you do it?

~~~
nathanhammond
To change your Steam Account password do it from inside the preferences menu
in the standalone application.

The interface for changing your Steam Forums password is not currently
available.

------
machinespit
no email, but the forum page shows the message:
<http://forums.steampowered.com>

------
dabit
Wait, how do you change your Steam password?

~~~
nchaimov
This took me a while to figure out. You have to open the Steam client, go to
Settings (in Windows) or Preferences (in Mac OS X) and click the change
password button in there under the Account tab.

~~~
inportb
What if you don't have (or can't use) the Steam client?

~~~
Natsu
I don't think you can access your account at all without the client? At least,
none I know of.

Forum accounts are separate, after all.

------
Aqwis
I have not received a mail.

~~~
estel
Nor I, but I imagine it just takes a little while to send tens of millions of
emails.

------
primesuspect
And suddenly it's a bad day at Valve :(

~~~
DiabloD3
And there goes HL2:Ep3 for another year.

------
xyzzyz
I am gay.

------
Karunamon
:( Very sad.. but I suppose it was just a matter of time. At least the CC and
passwords were protected correctly.

