Steam has been hacked

[3vans]

TL;DR: Steam has been hacked. The hackers have a list of encrpyted passwords and credit cards, and unencrypted email addresses and usernames. They so far have not cracked it. The following is a good read though, so take your time because you'll learn something. It's a VERY good idea to CHANGE your password for steam. THEN, if your password for steam is the SAME as your email password, change your email password. This should stop the hackers. It will take them a long time to access the credit cards, though. But be careful.

BTW, Sorry for bad formatting.

So, top story on reddit today. It looks like we're safe though:

Well in the database, there's a table that looks something like this
username passwords email
sam enable [email protected]
john secret [email protected]
alice class [email protected]
bob car [email protected]
This is the worst case scenario, if someone steals this they know the passwords and can use them to break into your e-mail and other fun stuff.
So, in order to keep them from just typing it in and breaking into your e-mail, the passwords are stored "hashed" with md5 (or sha1 or something to get a table like this:
username passwords email
sam 208f156d4a803025c284bb595a7576b4 [email protected]
john 5ebe2294ecd0e0f08eab7690d2a6ee69 [email protected]
alice a2f2ed4f8ebc2cbb4c21a29dc40ab61d [email protected]
bob e6d96502596d7e7887b76646c5f615d9 [email protected]
Now to break these back into passwords that work, people built tables like this:
word hash
a 0cc175b9c0f1b6a831c399e269772661
b 92eb5ffee6ae2fec3ad71c777531578f
c 4a8a08f09d37b73795649038408b5f33
d 8277e0910d750195b448797616e091ad
all the way through zzz, because there's no easy way to reverse the hash (that's the definition of hash). But, you can download these tables to reverse the hashes quickly.
To fix this we use a salt, which is a randomly generated string attached to the password. This means you need a special table for every hash and that makes them much harder to break, the table would look like this:
username passwords salt email
sam 2fe0cfb635139262f0af630a127df9ad fiel [email protected]
john e70ade5b55b8a520e0c1552806276ecb moow [email protected]
alice 80e65ac99b05d3dddf5ff1346f762f4e caaa [email protected]
bob abe9d9bcf79b9bb66af40c39bb4ba1d5 monki [email protected]
So when you submit the password the server will say
does the md5 of "submitted value + salt" = the-value-in-the password-column

Aaaand:

TLDR - Salt = adding more stuff to your password so when it's hashed, it's more complicated unique, this protects (prolongs) from brute forcing and dictionary attacks by making your password less obvious so it cannot be looked up in what's called a rainbow table (table of pre-figured out hashes). Hashing = One way function that turns your salted password into a very complex and random looking piece of data that cannot be reversed. So a stolen database of hashed passwords is useless.
Salting = Adding random characters to your password upon creation, usually unique for every account. This basically changes your password to something else - making it harder to guess. For example the password "cat" when hashed with md5 has already been figured out so it would not be secure! If we gave "cat" a random salt of "se823fnkad", the rainbow table does not have an answer for "catse823fnkad". So it's main purpose is what happens when combined with hashing. For example, if when I set up my account I chose "helloworld" for a password, a random load of characters would be added, so my password becomes "helloworldakdgriwadhgkr248&1823kf" or something. When you login with your password, it will add the salt that is tied to your account and then hash it and verify with the server. This is mainly to make your hashed password more complex but it also means that two users with the password "helloworld" will actually have different stored passwords in the hashed database, due to the fact the users have different salt.
Hashing = One way encryption, basically changing a password into something else using an algorithm. You can only "unhash" if you have the algorithm. Sorry that was incorrect. Hashing is one way and there is no way of turning a hashed password back into a raw password (unless you figure out every possible output of a hash function which, depending on the function is a astronomical amount). You submit your password and it will get salted then hashed and sent to the server, the server will then check if the hashed password matches the stored hashed password. If it does, you log in! This means that if your hashed password database is stolen, there's pretty much nothing they can do with it.
To break it you have to guess basically. You try passwords over and over until you get a match. This is pretty much what brute forcing is but even basic hash functions on short passwords can take hours. The more characters you add, the more complex it gets. With decent salt and a long password, it would take longer than you'd be around to crack by brute forcing. Something called a rainbow table exists. This is basically a table of "if input is 1234 then output of hash is ad6e7hg2". You could run a computer program for years to try every possible character combination but it would never finish. Then, even if they could use a rainbow table to find a match, they would find a match to your salted password - which is of no use to them! Pretty clever huh?
Edit: These aren't textbook definitions but probably the easiest way of understanding it. There are many many many techniques for salting/hashing too. You may chose to add characters to the end, start or middle of the password (or a few at each location). The general idea is making the stored password nothing at all like the real password. You have to careful not to leave patterns though (I mean if you tried to write your own hash function) otherwise people can break your code but all the hash functions I know of output such a complex mess of characters that they cannot be reversed.
Hashing is also good as it can be done on your computer before you send your password over the internet. This means that if anyone was to intercept your message to the server - they still wouldn't be able to find out your password. However, this isn't always what the company chooses to do. Websites especially (as they use mainly server side scripting, php for example has hash functions built in) will instead use encryption to secure your password (encryption basics: An algorithm is used to convert your plaintext password into something else, a 'key' has to be used to reverse the conversion. The key is agreed on by the sender and receiver so only they know what it is) as it travels to their servers to be salted/hashed.
Edit for possible example:
You create an account, your username is stored in valve's database.
Valve's servers generate a random salt, unique to your account and send it to you. they also store the salt with your username in the database.
You set your password and the salt is added.
The hash function is then run on your password + salt.
The now hashed password is sent to valve's servers to be registered to your account. Note: This is why you cannot request your password as they don't know it ether! It can only be reset and the whole salt/hash process started again. If you know a site/company/whatever that allows you to request your password then there are several severe security flaws!
Now when you log in and type your password, it will get your username's salt from valve's servers.
The salt is then added to your password and the hash function is ran.
The hashed password and your account name are sent to valve's servers.
Valves servers look up your account name and find the attached "hashed password"
If they match, success!

So after all this, it's a VERY good idea to CHANGE your password for steam. THEN, if your password for steam is the SAME as your email password, change your email password. This should stop the hackers. It will take them a long time to access the credit cards, though. But be careful.

 

[Vincent2128]