Valve resets partner logins as result of someone exploiting the "Heartbleed" bug
[QUOTE=EVIL WEVIL;44501528]I've logged into steam every day but never via any browser, this would only apply if logging into steam using browsers right?[/QUOTE] It means the attackers could potentially have the private keys, meaning they can decrypt any encrypted communication (passwords, financial stuff etc). Doesn't matter what it is, if they've been running any openssl thing in the last 2 years, then they are potentially vulnerable.
[QUOTE=Marik Bentusi;44501590]Thanks for the answers so far, really appreciate it in this chaos. One last question: When you're talking about "logging in", does that just mean typing in your username/password or is there also some communication going on when I visit a site that "remembered" I'm already logged in (via session cookie magic or something)?[/QUOTE] "Remember Me" is session cookie based so a logout would do the trick. (unless they caught you while you were logging in by entering your details)
[QUOTE=Perl;44501608]Alright, according to him whatever the case is [b]you should deauthorize steam guard devices and reset your password[/b] just to be sure as already tons of account details have been stolen. SteamGuard won't help you here. If you were logged into steam, authorized through SteamGuard, they'll also most likely have your SteamGuard authorization.[/QUOTE] And so two-factor authentication fails as well... Wow. Well, thanks for that.
[QUOTE=Perl;44501505]That is correct. The vulnerability has existed since 2012, but it was only released to the public on April 7, when it was patched pretty much instantly. Heartbleed only disclosed recent information (in most cases, anything from the last few seconds to milliseconds).[/QUOTE] I believe the patch was ready in advance of the disclosure, as Google had informed various major websites (governments?) prior to the disclosure so they could patch before everyone on the planet was able to exploit everything.
[QUOTE=Marik Bentusi;44501590]Thanks for the answers so far, really appreciate it in this chaos. One last question: When you're talking about "logging in", does that just mean typing in your username/password or is there also some communication going on when I visit a site that "remembered" I'm already logged in (via session cookie magic or something)?[/QUOTE] Depends a bit. If it stays logged in with you doing anything then likely no but I recommend logging out and in again to clear the session as session info could have been stolen. GitHub force reset all sessions because of this. If it's the case that it saves your login info so that you only have to click "log in" then you should reset your password as it's sending the username & password to the server.
[QUOTE=Jsm;44501637]I don't think passwords are that much of a risk, unless for some reason the site is storing them in memory in plaintext. Even then it's a very low possibility, what is the chance of [B]your[/B] password being in that 64kb of memory after the heartbeat at the exact moment someone exploits the server?[/QUOTE] Many people were running the exploit in a loop and filtering out data they could use so the "what are the chances" excuse really doesn't count here. You underestimate the amount of script kiddies ready to jump at any newly disclosed vulnerability :v:
[QUOTE=Flapadar;44501517][url]http://blog.erratasec.com/2014/04/why-heartbleed-doesnt-leak-private-key.html#.U0W_k_ldWJp[/url][/QUOTE] That's good to hear, I was a bit worried about that.
snip
[QUOTE=nomad1;44501191]It means someone could log into your developer account and tamper with your store page?[/QUOTE] Not just store page. If a Steamworks account is compromised, a lot more can be done.
I disabled Steam Guard, changed my password, re-enabled Steam Guard, then changed my Email password. Am I safe yet?
So went to play some South Park. . . [IMG]http://uppix.net/03iHpWl.png[/IMG]
[QUOTE=Mr. Someguy;44503329]I disabled Steam Guard, changed my password, re-enabled Steam Guard, then changed my Email password. Am I safe yet?[/QUOTE] Unless you disconnect the power and submerge it in concrete, you'll never be safe. But from what I understand, yes.
Why blank out your game list? And also, all you need to do is change your password in the slight chance they got your encrypted password
[QUOTE=Map in a box;44503857]Why blank out your game list? And also, all you need to do is change your password in the slight chance they got your encrypted password[/QUOTE] Let's just say there are games that I regret.
[QUOTE=S3rpant67;44503890]Let's just say there are games that I regret.[/QUOTE] Should've blacked out your name too then.
I've withdrawn all of my money from my bank account and buried it all in the backyard, am I safe?
Is it necessary to disable and re-enable steamguard? Because I won't unless I absolutely have to.
[QUOTE=Flapadar;44501517][url]http://blog.erratasec.com/2014/04/why-heartbleed-doesnt-leak-private-key.html#.U0W_k_ldWJp[/url][/QUOTE] [QUOTE=Jsm;44501695]That's good to hear, I was a bit worried about that.[/QUOTE] It's been retracted :v: They [U]really[/U] should get new certs, it's not [I]that[/I] much work either since they can still push a client update with the old one to replace it seamlessly.
[QUOTE=AJisAwesome15;44504268]Is it necessary to disable and re-enable steamguard? Because I won't unless I absolutely have to.[/QUOTE] If you're already changing your password, disable and re-enable steamguard. The idea is that an attacker might've gotten your steamguard authentication info. Even though it's incredibly unlikely, it's just as unlikely as them stealing your password.
Welp, good thing I haven't used steam for the last couple of weeks then!
Steam hasn't told me to change my password at all, and hasn't even notified me about this. What do I do?
I didn't use Steam until they said it was patched, should I be safe?
[QUOTE=Handsome Matt;44506914]Should change all your passwords for every service regardless.[/QUOTE] There's no need unless there was a sign of accounts being broken into (Like this occasion), and then you only want to change the password after the servers are patched and the SSL certificate updated, doing so beforehand runs the risk of giving the attackers your new password.
[QUOTE=TheDecryptor;44507017]There's no need unless there was a sign of accounts being broken into (Like this occasion), and then you only want to change the password after the servers are patched and the SSL certificate updated, doing so beforehand runs the risk of giving the attackers your new password.[/QUOTE] which is why you need steamguard as an added measure of course
Well, based off of what everyone's saying, it's probably worth changing your password. How long does it take, less than 30 seconds? It's just to be safe, and it just might save your account.
[QUOTE=TheDecryptor;44507017]There's no need unless there was a sign of accounts being broken into (Like this occasion)[/QUOTE] The problem is that the only sign you'll get is often when it's too late.
[QUOTE=Skyguy113;44506720]Steam hasn't told me to change my password at all, and hasn't even notified me about this. What do I do?[/QUOTE] I think they're only forcing developers to change passwords.
[QUOTE=S3rpant67;44503730]So went to play some South Park. . . [IMG]http://uppix.net/03iHpWl.png[/IMG][/QUOTE] Wait wait wait, I just realised that this happened AFTER developer logins were reset. That's a bit worrying.
[QUOTE=Bo98;44507148]The problem is that the only sign you'll get is often when it's too late.[/QUOTE] like steamguard messages going off? if you're like me, you'll have your email on your phone, buzzing when you get a log in attempt.
I was talking more generally.