Important! Steam forums 'Possibly' Hacked..

[TheTazman]

Does steam hold card CVV data?

[Kromaatikse]

If you have saved your card details for future purchases, then yes it does.

However, the card database is held encrypted at Steam, so we can reasonably assume that card details are safe unless told otherwise. Just keep the usual lookout for unauthorised activity and tell your bank if you spot any.

[glowball]

I would have also reported this to Steam, if it is bogus I'm sure they will want to know.

[crumplezone]

On Saturday, I had a couple of emails from Steam, sending me a code to change my password..

This is an automated message generated by Steam account administration to help you reset your Steam password.

Please enter the following code into the 'Verification Code' field of the 'Forgotten Password' dialog. (Enter the code exactly as written. You can use copy/paste operations to enter the code):

Code: Select all

Please also enter the *answer* to the following question into the 'Secret Answer' field of the same dialog:

[secret question]

IMPORTANT: Please do not reply to this message to attempt to reset your password -- that won't work. You must enter the above information into the Steam application.

The Steam Support Team
http://www.steampowered.com 

[/quote]

The thing is, I didn't ask to reset my password. Has anyone else had this?

I never joined Steam forums, and generally play offline. I just logged in now with no problems, and made a genuine request to change my password, which worked.[/quote]

You can just ignore this, if you haven't requested it yourself, then someone is trying to be a funny . and change your password by just entering your username and hitting the forgotten password option, as I mentioned in a earlier post, unless your email account is breached and they have physical access to your computer its not possible for anyone to gain access to your account with steam safeguard enabled.

...


I somewhat wish this whole steam forum hacking attempt was not blown out of scale than what it really is. Steam forums are ran on a vbulletin software which requires completely seperate username and password, yes the attempt did manage to hit a database which stored personal data, but the information on that database was HASHED AND SALTED level encryption.

Hashed and Salted encryption is a means of breaking down personal information into random code and bits, the earlier versions used 12 bits and created a bare minimal of 3000 bit combinations to even get it correct, nowadays there is 128bit which can yield 5000+ bit combinations and is likely to be at that level or even higher on steam's servers.

What this means is, any attempt to actually try and crack those passwords requires a vast amount of computer and harddrive space, something in the range of 100 or more hard drives with computers processing and calcuating data to t ry and find the right combination. This is why I said that a small group of hackers, which is very likely what it is to hit a mere vbulletin forum would not have the resources or power to do anything with the data they got ahold of.

So the chances of actually getting and using personal data is extremely low, keeping a vigilant look on ones bank account as per one would usually do and reporting to bank if there is any unauthorized attempts is all you need to do.

I would point out to anyone who is making a purchase on steam that they never keep the box checked for "keep details for further purchases", I have never had ot ticked after a purchase, I don't want my information stored and nor should anyone else, its quite easy to just re type information and it also prevents sticky situations when you might just click through the buying process and forgot your card got renewed and the some details changed.

So folks, you need to stop worrying about this, hacking attempts like this are nothing new, its just become "big news" because Steam's name is on the news posts, also to point out, it was the FORUM and not Steam's main account server which got hacked into and taken down. The forum, vbulletin run software and which has SEPERATE username and password from your main steam account got hacked, so unless your putting your credit card details in as a password, with the above about hashed and salted passwords, and it all being seperate there is such a low chance of anything happening that its just unbelievably silly to start panicking over this or throwing up some kind of boycott against steam.

I'd also point out that steam and using a website store which uses SSL security are no different from each other and no matter how many security checks or means you go through internet shopping and personal data will never be 100% safe, there will always be the risk of having personal data stolen somewhere and is the same as in a brick and mortar shop aswell and well honestly you can't run in the mindset that its not safe to put your personal details in anywhere otherwise you would never buy anything and be some paranoid wreck.

[transadelaide]

I somewhat wish this whole steam forum hacking attempt was not blown out of scale ...

Spot on.

If anything, the response to this unsuccessful hacking attempt increases my confidence in using Steam. With the minor exception of the forum accounts issue, it appears that they are doing everything right.

They took their forum offline as soon as it appeared something was wrong.
They communicated openly to their customers what was going on as soon as they knew what was happening.
They had all the right security measures in place to protect financial data, unlike Sony.

[davejc64]

On Saturday, I had a couple of emails from Steam, sending me a code to change my password..

This is an automated message generated by Steam account administration to help you reset your Steam password.

Please enter the following code into the 'Verification Code' field of the 'Forgotten Password' dialog. (Enter the code exactly as written. You can use copy/paste operations to enter the code):

Code: Select all

Please also enter the *answer* to the following question into the 'Secret Answer' field of the same dialog:

[secret question]

IMPORTANT: Please do not reply to this message to attempt to reset your password -- that won't work. You must enter the above information into the Steam application.

The Steam Support Team
http://www.steampowered.com 

[/quote]

The thing is, I didn't ask to reset my password. Has anyone else had this?

I never joined Steam forums, and generally play offline. I just logged in now with no problems, and made a genuine request to change my password, which worked.[/quote]

You can just ignore this, if you haven't requested it yourself, then someone is trying to be a funny . and change your password by just entering your username and hitting the forgotten password option, as I mentioned in a earlier post, unless your email account is breached and they have physical access to your computer its not possible for anyone to gain access to your account with steam safeguard enabled.[/quote]

I would just like to point out that you would still get the email to verify the password change even if you had Steamgaurd disabled, essential what Steamgaurd is for is to prevent access to your steam account through the steam client on a more than 1 computer unless you authorize it by a code that is sent to your email, I have it disabled on my account as I quite regularly use another computer for accessing my steam account(or my son does on his laptop), essentially the existing password has to be known by the person who is accessing steam on the other computer, so unless you are in the habit of sharing the password with complete strangers it is quite safe to have Steamguard disabled!  :wink:

[transadelaide]

... so unless you are in the habit of sharing the password with complete strangers it is quite safe to have Steamguard disabled!

I'm sure this was a typo and that you really meant to say "it is quite convenient" to ignore security features, not safe.

[davejc64]

... so unless you are in the habit of sharing the password with complete strangers it is quite safe to have Steamguard disabled!

I'm sure this was a typo and that you really meant to say "it is quite convenient" to ignore security features, not safe.

No, because I don't share my steam password with non immediate family members, and since the so called security breech the password has been changed, so it is completely safe in my case to leave Steamgaurd disabled, end of!

[Kromaatikse]

No, it is considerably less safe to disable SteamGuard.

Valve implemented SteamGuard for a very good reason, which I have already mentioned previously: your Steam account is potentially more valuable even than your bank account.

Please do not continue to suggest disabling any security features of Steam.

[davejc64]

Well I know what works for me, that's all I'm saying, It's more convenient for me to disable Steamguard, and since using it is not compulsory to use it. I am not breaking the user agreement with steam that I have. I was just making people aware of the fact it is not compulsory to use it.

[Leaf85]

One reminder tip with regards to emails; never ever clic the links in the email even if the email looks legitimate. I recommend going directly to the official site (don't clic the site link in an email either as there can be a redirect to a bogus site) to do anything with your account(s). Bogus emails with intent on relieving you of your games, cc info, personal info etc have become more prolific in the last few years, particularily in the world of MMO's (EVE, World of Warcraft, EverQuest to name a few) as there is a lot of money to be made illegally by those scammers. This isn't to make anyone paranoid, but to remind us that those scams exist and niche or not we should still be aware of what we do to keep our past-time secure.

Kind regards,
Dave

[bigvern]

I agree re Steamguard. Back when they introduced the feature I reported considerable difficulties getting Steam and Railworks to run with it enabled, eventually being left with no option but to disable the feature. So far as I know, that hasn't changed.

[chrisiveson]

I'm always amazed at the things that go wrong with different people and Steam related issues.
Am I one of few, or one of many?
Never had a moments problem with Steam, yes, I have Steamguard, no, I don't go on the Steam forums or go anywhere near Facebook.
For most of the time RW3 is played online, ( I only go offline on the odd occasion I want to use RW2 ) the only issue I have since we got TS 2012 is the relationship with RailDriver, and RSC have kindly told me it's not their problem.

Chris. ( happy enough with Steam, not quite so happy with RSC though. )

[transadelaide]

... the only issue I have since we got TS 2012 is the relationship with RailDriver, and RSC have kindly told me it's not their problem.

Chris. ( happy enough with Steam, not quite so happy with RSC though. )

I agree with RS.com, unless you can find me an official statement that they have agreed to support RailDriver. Your problem is with PIE's lack of support for TS2012

One reminder tip with regards to emails; never ever clic the links in the email even if the email looks legitimate. I recommend going directly to the official site (don't clic the site link in an email either as there can be a redirect to a bogus site) to do anything with your account(s). Bogus emails with intent on relieving you of your games, cc info, personal info etc have become more prolific in the last few years, particularily in the world of MMO's (EVE, World of Warcraft, EverQuest to name a few) as there is a lot of money to be made illegally by those scammers. This isn't to make anyone paranoid, but to remind us that those scams exist and niche or not we should still be aware of what we do to keep our past-time secure.

Kind regards,
Dave

It's not just games, the majority of phishing emails target users of well-known banks. This is one strength of the way Steam do things, their emails will always give you a code which you enter in the Steam Client rather than a link.

The exception of course is with sites that have a password reset system that sends you an email within the next few seconds, based on entering your user ID only and not your email address.

[Kromaatikse]

Personally, I have an extraordinary number of machines with Railworks installed due to my testing. I kept SteamGuard enabled during all of that despite the minor extra hassle per machine - a simple matter of pulling out my iPhone at the appropriate moment, and typing in the code which had just appeared in it's e-mail.

After this incident, I nevertheless changed my Steam password. Given the value of stuff locked up behind it, it's simply the sensible thing to do.