http://kotaku.com/5858497/what-we-know-about-the-steam-hack-and-what-you-should-do

So some hackers got into some of the same kinds of information that were taken from Sony all those months ago. I'm not worried about identity theft because no one in their right mind would want my identity, but what about you guys? And do you think they'll have any "we so sorry" game promotions (as Kotaku has suggested) and if so, what? And why the f**k is everybody getting the s**t hacked out of them all of a sudden anyway?

Eh, screw it. I'm not going to let Kotaku execute JavaScript just so I can see how breathless their reporting is. Here's what Ars have to say.

Key points include encrypted credit card data and (hashed) passwords. The attack was run through the forums, so it's unlikely any Steam accounts (rather than Steam forum accounts) are compromised. The big difference here compared to the Sony debacle is that Valve have publicised that they were compromised in a timely fashion (they discovered the hack on the sixth, and I get the impression they discovered the true extent of the compromise more recently still), while Sony didn't really seem to do anything and just tried to hide.

This vindicates my policy of not instructing online retailers to store my ordering information, though. As far as a 'have some free stuff because we screwed up' situation, I don't see any reason they would feel a need to do so. Everybody gets attacked, and Valve had a solid setup that is unlikely to result in any major consequences to their users, and they disclosed the attack in a timely fashion as well as providing solid advice to the affected users.
That's true, but I've noticed Valve likes to give away free stuff (Portal, anyone?). It wouldn't surprise me if everyone got a free copy of the Orange Box or something.
Yeah, according to the Steam letter, it was just the forums and encrypted data. No free stuff needed, imo.
Oh, look at that, another thing I don't care about because I knew about the dangers of Steam in the first place! Justin happened to get his account hacked a few months back, towards the end of the summer. He had about 300 dollars' worth of games charged on his account.

Plus, I never liked Steam in the first place; it was always slow on my computer.
I don't think what games you have matters; they aren't transferable and there are plenty of ways to recover your account. What would be a problem is if you had your credit card on file with your account. However, that data is encrypted, and it was forum accounts that were hacked, not Steam ones.
Yay, a company that knows how to properly store credit card info and passwords! ;)

I saw this as well, and it seems pretty clear that even though the database was compromised, proper security measures meant that unless the hackers own a cluster of supercomputers to start decrypting the CC info, there is really no threat to the users' data.
TheStorm wrote:
Yay, a company that knows how to properly store credit card info and passwords! ;)

I saw this as well, and it seems pretty clear that even though the database was compromised, proper security measures meant that unless the hackers own a cluster of supercomputers to start decrypting the CC info, there is really no threat to the users' data.


Correct me if I'm wrong, but isn't that essentially what a botnet is?

EDIT-

DShiznit wrote:
Correct me if I'm wrong, but isn't that essentially what a botnet is?


No.

Regardless, why would you dedicate years of botnet time to crack a single CC when you could make far more money using that botnet for other things?
A botnet is a distributed network of illegally-accessed computers that have been subjugated to the will of the botnet master. Because they're connected via home internet, they're not efficient for use as a compute cluster (something you'd use to crack passwords or collide hashes). They're generally used for things like denial-of-service attacks.
That makes sense. I knew what they were, and that they're used for DDoSing, I just wasn't sure if they couldn't be re-purposed for distributed CC cracking, or if the connections wouldn't be fast enough.
You could instruct a botnet to get to work cracking whatever encryption you wanted to crack (certainly breaking encryption can be done without a lot of bandwidth in a fashion similar to BOINC or F@H), but it's much more profitable to put those machines to work sending spam than spending huge amounts of compute time to crack even a single encrypted CC.
Wouldn't cracking the encryption code mean you could decode any and all credit card numbers you stole from that source? Or am I completely misunderstanding the nature of CC encryption?
DShiznit wrote:
Wouldn't cracking the encryption code mean you could decode any and all credit card numbers you stole from that source? Or am I completely misunderstanding the nature of CC encryption?


Maybe, maybe not. It is quite possible to use a different key for every CC (generating a key is cheap and fast, and it's not big). Even if it was a single key, pretty much all the CCs will have expired before you break the encryption anyway.
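
The per-card key idea from the reply above, as an added example (not part of the thread, and not a description of how Valve actually stores cards): each card is encrypted under its own random AES-256-GCM key, and that key is wrapped under a key-encryption key (KEK) assumed to be held outside the database. Function names and the sample card numbers are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM encrypt; returns nonce, ciphertext and auth tag as one record.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Decrypt and verify; throws if the key is wrong or the data was modified.
function unseal(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]);
}

// Encrypt one card under a fresh 32-byte data key, then wrap that key under
// the KEK. Only `card` and `wrappedKey` would be stored in the database.
function storeCard(kek, pan) {
  const dataKey = crypto.randomBytes(32); // cheap, fast, and small
  return { card: seal(dataKey, Buffer.from(pan)), wrappedKey: seal(kek, dataKey) };
}

// Unwrap the card's data key with the KEK, then decrypt the card number.
function loadCard(kek, row) {
  const dataKey = unseal(kek, row.wrappedKey);
  return unseal(dataKey, row.card).toString();
}

// True if the data key recovered for row `a` cannot open row `b`.
function keyIsolated(kek, a, b) {
  const keyA = unseal(kek, a.wrappedKey);
  try { unseal(keyA, b.card); return false; } catch { return true; }
}

// Constructed sample data: a throwaway KEK and two well-known test numbers.
const kek = crypto.randomBytes(32);
const rowA = storeCard(kek, '4111111111111111');
const rowB = storeCard(kek, '5555555555554444');
console.log(loadCard(kek, rowA), keyIsolated(kek, rowA, rowB));
```

With this layout, recovering one card's data key exposes only that card; the KEK is the value that has to stay out of the compromised database.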
Fair enough. Anyone else hear anything new on this or should we end the discussion?
  