If you use Steam, you should be aware that they have been compromised recently. Their online forums have been defaced and intruders have also gained access to a Steam user database that contains, among other things, usernames, salted and hashed passwords, games purchased, billing information, and encrypted credit card details.
First, a quick overview of the related computer security topics, then some advice on what to do if you read about this type of thing happening to one of your accounts.
"Hashing" something (such as a password) means to run it through a one-way function; the concept is explained in more detail elsewhere if you're curious. The result of a hash is often called a "digest". When a user account is first created on a computer, the user types in a password, the password is hashed, and the digest is saved on the computer. The password itself is not saved on the computer, and the digest cannot be converted back into the password. When a user logs into the computer, the password that he/she types in is run through the hash and the resulting digest is compared with the stored digest. If the digests match, the password is correct.
The problem with simply hashing passwords is that somebody with a lot of computer time and a lot of storage can write a program that builds a dictionary of words, hashes each of those words, and stores the digest for each word. This precomputed lookup is called a rainbow table. Somebody with a rainbow table and a database full of password digests can compare the two quickly and come up with a list of accounts whose passwords match words in the rainbow table. So then somebody came up with the idea of salting.
To "salt" a password, random text is generated when a user first sets a password on his/her account. This text is added onto the password the user has entered before it is hashed. The text is also stored with the user account. The next time the user logs in, this salt is added to his/her password attempt before it is hashed and compared with the stored digest. Because of rainbow tables, salting passwords before they are hashed is a common security practice, and with a sufficiently large salt and password length this can make rainbow tables ineffective.
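The salt-then-hash scheme described above, as an added example that is not Steam's code or anything from the original post. It goes a step beyond a plain hash by using PBKDF2-HMAC-SHA256 (a deliberately slow hash), and uses a constructed sample password; the record layout and function names are this example's own.

```python
import hashlib
import hmac
import os

# Tunable cost for PBKDF2; higher makes each guess slower for whoever copies the database.
ITERATIONS = 200_000


def create_record(password, salt=None):
    """Build the stored record for a new account: a random salt plus the digest.
    The password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt generated per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex(), "iterations": ITERATIONS}


def verify(password, record):
    """Re-run the stored salt and hash over a login attempt and compare digests."""
    salt = bytes.fromhex(record["salt"])
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    # compare_digest does not leak where the digests differ through timing
    return hmac.compare_digest(attempt, bytes.fromhex(record["digest"]))


def same_password_different_digests(password):
    """Two accounts with the same password get different stored digests,
    so a single precomputed table entry cannot match both of them."""
    a = create_record(password)
    b = create_record(password)
    return a["salt"] != b["salt"] and a["digest"] != b["digest"]


if __name__ == "__main__":
    rec = create_record("correct horse battery staple")  # constructed sample password
    print(rec)
    print(verify("correct horse battery staple", rec))  # True
    print(verify("wrong guess", rec))                   # False
    print(same_password_different_digests("hunter2"))   # True
```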
One-way hashing is great for one-way things like password comparisons, where the real information will be supplied, hashed, and compared to a digest. But for things like credit card information, where the data is stored and reused in an automated fashion (recurring monthly billing, or buying things from an online merchant without having to reenter your credit card every time), the server must be able to decrypt these encrypted records. If somebody copies a database with encrypted data AND figures out how the system decrypts it for billing...
Also, even if passwords are salted and hashed (sounds kind of delicious), it's still possible for someone to figure them out through a process called brute force. This may consist of a program that guesses weak or common passwords and tries them against every user account in the database. This is far less desirable for an attacker than using a rainbow table because it takes more time and usually yields fewer results, but it will reveal the accounts with the weakest passwords in a reasonable timeframe.
So, some things to consider if your account with an online service may be compromised:
- If your password is the same as or similar to the password on your e-mail account, change your e-mail account password immediately. Many websites will, if you've forgotten your password with them, allow you to reset it by following a link they e-mail to you. If an attacker has access to your e-mail account, he/she can use this feature to compromise your account on any system that offers it.
- If your password is the same as or similar to passwords on other websites that use your e-mail address as your username, change your passwords on those websites.
- Use a unique and strong password for each account you've got. Easier said than done, I guess, but there's no substitute for it.
- If credit card information is ever part of a compromise, whether encrypted or not, watch your credit card statements like a hawk. Avoid using check cards online or maybe altogether if you can -- my friend is now waiting 10 days for his bank to refund $500 to his account because his card was fraudulently used in a different country. You should also make note of any services that automatically bill you via credit card and prepare to change your details with them should you have to report your current card stolen.
- Be aware that with the combination of your card information and your e-mail address, billing address, or phone number, someone can more convincingly impersonate your bank or credit union when attempting to phish information from you. They may seek details of how to get into your online banking account, for example.
- If your phone number is involved in a compromise, don't rule out the possibility of the intruders impersonating your bank or another authority over the phone and soliciting sensitive information from you. When my card was briefly shut off by my credit card company (they thought buying several things online was suspicious), the company's security department called me and asked for the name of my bank, my date of birth, my social security number, and, if I recall correctly, the credit card number. There's nothing stopping an enterprising malcontent with some of that information from doing a little telemarketing to get the rest. If you are going to give sensitive information over the phone, it is best to get a phone number to call back and to verify that number online first by punching it into a search engine to make sure it's affiliated with the company you want to talk to. Don't call us, we'll call you.
- In addition, to foil phishing, don't follow links that are sent to you by e-mail; type your online banking website address (or online auction web address, or PayPal web address, etc.) directly into your address bar when you want to visit, or make it a bookmark/favorite in your web browser. If your bank or other institution seems to ask for personal details through e-mail for whatever reason, ignore it. And if it's really them and they complain or mess with your service, loudly chastise them and move your money elsewhere (of course, some people are already ahead of me on this).
Anyway, I'm sorry to hear about this because I really do enjoy using Steam. But hopefully this information will be of some use to you if one of your own favorite e-tailers gets broken into in this fashion.