Steam security breached

i sell platypus
Member
Joined
Jun 26, 2009
Messages
2,640
Reaction score
1,326
this:

EcEUJ - Steam security breached - RaGEZONE Forums


sigh...
 

Joined
Jan 9, 2005
Messages
669
Reaction score
83
Nothing is really safe nowadays, eh? Regardless of high security measures, as long as it is made by us humans, well... nothing is really 100% protected Xc. Now hopefully my credit card is not among them xc
 
1/11/1995 ~ 23/11/2011
Member
Joined
Nov 23, 2010
Messages
2,310
Reaction score
460
Do I risk anything? I purchased by PayPal so I don't know :s
 
Custom Title Activated
Member
Joined
Aug 16, 2007
Messages
1,378
Reaction score
581
You must expect that all the information you put there was stolen,
so they know your PayPal address, and maybe your forum/Steam account pass. If that's the same pass as your PayPal or as any other account, you should change it.
 
1/11/1995 ~ 23/11/2011
Member
Joined
Nov 23, 2010
Messages
2,310
Reaction score
460
You must expect that all the information you put there was stolen,
so they know your PayPal address, and maybe your forum/Steam account pass. If that's the same pass as your PayPal or as any other account, you should change it.

Luckily I don't think Steam registers my PayPal account. I really hope though, concerning the account details, password and email are completely different so I think I'm good for now.
 
Elite Diviner
Joined
May 30, 2011
Messages
443
Reaction score
95
If Steam stores sensitive information hashed and salted, what is the cause for concern? That the hackers might be able to associate Steam usernames with e-mail addresses?
 
Custom Title Activated
Member
Joined
Aug 16, 2007
Messages
1,378
Reaction score
581
Hashed and salted means uncrackable?

You can bruteforce an 8-9 letter MD5-hashed password in less than an hour if you use OpenCL or CUDA and a high-end gfx card.
 
Joined
May 23, 2008
Messages
1,071
Reaction score
574
If Steam stores sensitive information hashed and salted, what is the cause for concern? That the hackers might be able to associate Steam usernames with e-mail addresses?

Information like passwords may be more heavily encrypted than credit card numbers, in a way.

Essentially, with passwords, one-way encryption is used. You aren't able to convert the encrypted password back into normal characters. Although, you ARE able to compare other encrypted texts to the encrypted password, to see if it matches. If you ever see a website that sends your password to you when you reset/forgot your password, INSTEAD of literally resetting your password, then it does not use one-way encryption, which is almost always a bad idea.

But, credit card numbers only have to be entered once. Then they are saved into the database, and automatically reused when need be... obviously without you having to enter your credit card number each time you buy something.
What this means is that the credit card number must use two-way encryption. It saves when you enter it the first time, encrypts it - almost certainly heavily, with multiple lengthy random, specific keys, and powerful two-way encryption methods. But, it is still two-way encryption. It is not technically impossible to decrypt, unlike one-way encryption.

This means that, with enough time, computer power, and knowledge of decryption and encryption, a group of hackers could possibly fully decrypt a lot of the info, including the credit card numbers.

Passwords can be brute forced using a random character generator. You can't decrypt one-way encryption, but you can brute force it. Hopefully the encryption on passwords was very strong. In other words, if the password goes through strong two-way encryption and then through one-way encryption, then it would be almost infinitely more difficult to decrypt.
Because you have to first figure out the strong two-way encryption, and then put the result of that through the brute forcer to test comparisons with the one-way encrypted text [passwords]. Because the text's end result is the only thing visible, and it is one-way encrypted, it makes the task of finding the previous two-way encryption nearly impossible.

You may not have to brute force as painstakingly with a two-way encrypted string. It is possible to decrypt, and once you fully successfully decrypt it... that's it. It's fully decrypted and easily readable.


I would imagine, if the hackers do plan to do anything with the data in the database, it would more than likely be decrypting all the credit card numbers, attaching as much personal information (retrieved from the database) as possible to each credit card number, and then selling tons of them in bundles over the 'dark side of the internet'.


The initial implication of the website fkn0wned.com is interesting - see:
Improved - Steam security breached - RaGEZONE Forums


The website owners claimed that they had nothing to do with it, despite the above image and the steam forums redirecting to their site (before the forums were shut down).
I would tend to believe them. It would be border-line retarded to link to your own gaming community after committing a huge crime like this. It's a pretty obvious false implication IMO.
 
Last edited:
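The one-way comparison described in the post above, and the earlier reply's point that a salt does not make a fast hash slow, as an added example that is not part of any post in this thread. The function names, the choice of PBKDF2-HMAC-SHA256 and the 600,000-iteration work factor are assumptions made for illustration; nothing here reflects how Steam actually stored passwords.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware


def md5_salted(password: str, salt: bytes) -> bytes:
    """Weak scheme discussed in the thread: a single salted MD5 round."""
    return hashlib.md5(salt + password.encode()).digest()


def pbkdf2_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Create a storable record: per-user random salt, work factor and derived key."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "key": key}


def pbkdf2_verify(password: str, record: dict) -> bool:
    """One-way check: re-derive from the submitted password, compare in constant time."""
    args = (password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", *args), record["key"])


def seconds_per_guess(fn, rounds: int) -> float:
    """Average wall-clock cost of one hash computation, i.e. of one guess."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


def cost_ratio() -> float:
    """How many times more expensive one PBKDF2 guess is than one salted-MD5 guess."""
    salt = os.urandom(16)
    fast = seconds_per_guess(lambda: md5_salted("constructed-sample", salt), 20_000)
    slow = seconds_per_guess(lambda: pbkdf2_record("constructed-sample"), 3)
    return slow / fast


if __name__ == "__main__":
    rec = pbkdf2_record("correct horse battery staple")  # constructed sample password
    print("verify ok:", pbkdf2_verify("correct horse battery staple", rec))
    print("verify wrong:", pbkdf2_verify("wrong guess", rec))
    print(f"one PBKDF2 guess costs ~{cost_ratio():,.0f}x one salted-MD5 guess")
```

The salt only stops one precomputed table from serving every account; the iteration count is what sets the price of each guess against a stolen database.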
Initiate Mage
Joined
Dec 29, 2009
Messages
38
Reaction score
43
But, credit card numbers only have to be entered once. Then they are saved into the database, and automatically reused when need be... obviously without you having to enter your credit card number each time you buy something.
What this means is that the credit card number must use two-way encryption. It saves when you enter it the first time, encrypts it - almost certainly heavily, with multiple lengthy random, specific keys, and powerful two-way encryption methods. But, it is still two-way encryption. It is not technically impossible to decrypt, unlike one-way encryption.

This means that, with enough time, computer power, and knowledge of decryption and encryption, a group of hackers could possibly fully decrypt a lot of the info, including the credit card numbers.

I'm going to guess that this is incorrect. I've never run a site that handles raw credit card numbers, but I'm assuming it goes something like this:

1. User puts credit card number in site and checks save.
2. Site authorizes the credit card through Visa (for example). If the card is valid, Visa will return a string based on some type of SSL cert that the company probably paid for + the number provided.
3. Site uses the returned string as their saved credit card 'number'.
4. Next time user purchases, site will use the saved string paired with the site's SSL cert.
 

NTV

Anime Network
Member
Joined
Sep 12, 2008
Messages
1,205
Reaction score
50
Hackers are getting away with more and more stuff.
 
1/11/1995 ~ 23/11/2011
Member
Joined
Nov 23, 2010
Messages
2,310
Reaction score
460
Though, internet still needs hackers lol.
 

NTV

Anime Network
Member
Joined
Sep 12, 2008
Messages
1,205
Reaction score
50
Though, internet still needs hackers lol.

Not necessarily I don't think, just for piracy. Good hackers are alright but bad ones are a pain.

Especially if some hacker uses your card and locks your account.
 
Joined
Apr 28, 2005
Messages
6,953
Reaction score
2,420
Not necessarily I don't think, just for piracy. Good hackers are alright but bad ones are a pain.

Especially if some hacker uses your card and locks your account.
I'm not really worried about any poop like that. If my card / ssn get used for anything suspicious the credit will be erased and I will be credited any lost money back to my card.

It's so hard to steal identities nowadays. Only idiots get their identity stolen, and it's even hard for them to do that now.
 
Not working on UnitedFlyf
Member
Joined
Apr 21, 2009
Messages
1,385
Reaction score
934
I'm not surprised tbh. The internet wasn't ready for the next generation of black hackers.

I love seeing this stuff, as it makes my job more valuable to companies.

Blackhats haven't gotten better, just more numerous which is why you see companies with crappy security getting hit frequently now.


Not necessarily I don't think, just for piracy. Good hackers are alright but bad ones are a pain.

Especially if some hacker uses your card and locks your account.

There's no "good hackers" and "bad hackers" and even if there were, crackers (piracy) definitely wouldn't qualify as "good". Ever think of the companies that put hard work into their product just to have it be stolen? Or what about the limits that are placed on the legitimate customers to keep pirates out?

Hackers are part of the tech world. There's no one to blame other than the companies with the crappy security. The company should be held responsible for the user data lost because it was their fault. The hackers didn't get in with anything that couldn't have been blocked. The exception would be if a company was hacked with a 0day on an application built by a reliable company. Then the developers of the application would be partially responsible (the company could have chosen another application in most cases).
 