Steam's Database Hacked, Info Possibly Stolen


V8VENOM

Just as EA launches Origin ... hmmmm ... yeah, I keep all my data encrypted in our public and not so public SQL servers ... not just the connections, but the data. A smart hacker will look for the code that encrypts the data, but that's a considerably harder task, especially when code is obfuscated.

But it's always a good idea to use a low limit Credit Card for any online purchases.

As far as separation of data, especially CC data ... most intermediate CC processing companies require PCI compliance (Payment Card Industry) for any merchant that does public online CC processing/captures (like Steam). Part of PCI compliance is regular quarterly audits of the servers and intrusion testing ... all CC data MUST NOT be directly accessible to the public ... in other words the SQL servers must live on a private LAN and the only communication that can happen is thru web service calls (indirect layer).

Theory being that Web Services are a more secure and indirect step prior to reaching the databases. However, these web services are in themselves a weak link and can open the door to many many more databases.

So to make a long story short PCI compliance is really just lip service to protect the payment processors and the banks, from that point onwards if any breach happens both the bank and payment processor can point the finger at the developers who created the web services.

Ironically, Microsoft can NOT be held accountable at all -- they are NOT required to be PCI compliant even if the intrusion were directly related to a security hole in the OS, Microsoft are NEVER "on the hook". How and why Microsoft can get away with this is beyond me. And it's not just Microsoft, anyone that produces server OS is NOT accountable and does NOT have to be PCI compliant.

Steam has tools to locate the source of the intrusion, it's a pretty stupid move to attempt to hack Steam ... stay tuned for news updates rounding up yet another batch of hackers.
 

livebriand

[citation][nom]aCorrectlyLayeredSetup[/nom]
@spikey in tn
Doesn't quite work like that, encryption is a multi-stage data transformation process, each stage of the process is designed to make it harder to reverse engineer the actual encryption routine itself (which has enough variability to allow each company to create a unique routine for their own purposes), it is actually possible to have two different encryption keys yield the same encrypted data result, compound this with the fact that the passwords were also salted, so even if you knew one set of results the chances of reverse engineering another is extremely difficult
@Netherscourge
In case you missed it, Valve did not simply think that a big heavy door equated to a secure system, they had set up a layered security system, yes the crooks broke down the front door, but fact is the data was encrypted and the password salted as well as the segmentation of servers meant they did not believe the front door was the be all end all of a security system[/citation]
Besides, a lot of people changed their passwords upon finding out what's happened anyway, so all the hackers got was a bunch of emails that they can waste their time spamming. Not a big concern to me.
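
The salting mentioned in the quoted post, shown as an added example that is not part of the thread and not Valve's code: with unsalted hashes, accounts that share a password share a stored value, while a per-account random salt makes every stored value distinct. The account names, passwords, iteration count and the choice of PBKDF2-HMAC-SHA256 are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch


def unsalted_digest(password: str) -> bytes:
    """Plain SHA-256, no salt: equal passwords give equal digests."""
    return hashlib.sha256(password.encode()).digest()


def make_record(password: str) -> dict:
    """Store a fresh random salt next to a PBKDF2-HMAC-SHA256 hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(digest, record["hash"])


def accounts_sharing_value(stored: dict) -> int:
    """Count accounts whose stored hash also appears on another account."""
    values = list(stored.values())
    return sum(1 for v in values if values.count(v) > 1)


# Constructed sample accounts; two of them picked the same password.
SAMPLE = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}


def build_tables():
    """Return (unsalted table, salted table) for the sample accounts."""
    unsalted = {u: unsalted_digest(p) for u, p in SAMPLE.items()}
    salted = {u: make_record(p) for u, p in SAMPLE.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    salted_hashes = {u: r["hash"] for u, r in salted.items()}
    print("unsalted accounts sharing a value:", accounts_sharing_value(unsalted))
    print("salted accounts sharing a value:", accounts_sharing_value(salted_hashes))
    print("alice logs in:", verify(salted["alice"], "hunter2"))
```
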
 

livebriand

[citation][nom]JonnyDough[/nom]"Your Steam Account $0.00 Wallet Balance + Add funds to your Steam Wallet There is no stored credit card information associated with your account." Sorry for everyone else. Really. Hackers: You suck![/citation]
Ditto. I've just used it for some free games and game codes I got with stuff. I think if you used a credit card there but didn't save the info, it gets flushed from the system afterwards, so there's nothing for hackers to get, right?
 

brotoles

Ok, so they managed to get the salted and encrypted CC data, that doesn't mean they will be able to decrypt the data from every user.

I've seen people comment on other forums that they use PayPal and they're safe... Who in their right mind won't consider that PayPal, the LARGEST online payment in the world, isn't attacked by hackers every day? The more famous a site is, the more a target it becomes. People used to say that Steam was safe, and it got hacked. Who can tell for sure that PayPal can't be hacked either?

And I bet a lot of users here buy from other sites as well... maybe these other sites got hacked and we don't even know. It's a liability we all have to deal with in the internet, just take at least some basic security measures and let fate take care of the rest :)

If people go overboard worrying about these things, the only thing that this will do to them is get them sick, or even paranoid...
 


brotoles

Sorry for the double post, when I first posted, I reloaded the page several times and my post didn't appear, so I reposted it... I'm really sorry for the inconvenience
 
Guest
@ichy... your point is mute, you DON'T have to go through steam to play your games, you can run out to the best/closest retailer near you, buy them, and run them without ever needing steam.

Say that to my HL collection...
 

brotoles

It isn't mute, I'm from Brazil, and here retail availability is MUCH more limited than in the USA and Europe.

And more than that, Steam prices are much much better than buying retail... Big releases usually cost more than 150 Reais (converting to dollar it would be about 80 dollars), so there's another advantage for me to buy online.

Don't go thinking that where you live is the only place in the world... And my point also wasn't about having to buy online, it was that internet isn't really safe no matter where you browse to, and that people shouldn't become paranoid because of that...
 

brotoles

steamisadrm, sorry, now I've seen you were only quoting someone else, so my reply goes to ichy by rebound :p
I also have the boxed HL collection, but many other games are difficult to find on retail here (besides the price thing) :)
thanks for the comprehension
my regards
 