Anyone who visited Steam’s official forums this morning would have found them barren, or rather missing entirely. Last night Valve took the forums offline for abrupt “emergency maintenance” in the wake of what is being reported as a hack.
Numerous sources are reporting the hack right now, including Kotaku, the Inquisitr, and SiliconANGLE:
Sometime last night Valve took down their official Steam forums for “maintenance”; however, users who happened to be browsing the site at the time report that it happened because the forums had been pwned by hackers.
In the minutes before the forums went down abruptly for the unscheduled maintenance, users reported that a new category had appeared directing users to a site called “Fkn0wned.” In addition, numerous users have reported that the e-mail addresses attached to their Steam forum accounts have received spam ostensibly from the site listed.
Kotaku has reported that Fkn0wned.com is denying responsibility: “Fkn0wned Forum is currently unavailable. In light of someone crediting us for the recent breaches of Steam forums, the board is offline. Fkn0wned is not responsible.”
Details are still developing and Valve has not yet commented.
For most users this is a limited problem: Steam accounts and the official forum accounts live in separate password databases, so a compromise of the forum database does not by itself expose Steam credentials. The catch is password reuse. Anyone who registered on the forums with the same handle and password they use for Steam (or for the e-mail address attached to the forum account) should treat that password as burned and change it everywhere it was used, starting with Steam and the e-mail account.
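To make the reuse risk concrete, here is an added example (not code from the article, Valve, or any of the sources quoted) of what an attacker does with a dumped forum password table. The forum hash scheme is an assumption: the page never states which software the forums run, so the example uses a vBulletin-style md5(md5(password) + salt), which the comments below speculate about; the dump, the wordlist and the second credential store are all constructed here. The point is that a fast hash plus a small wordlist recovers common passwords in milliseconds, and a recovered forum password is then simply tried against the same handle on an unrelated system, which is exactly the credential-stuffing path the article warns about.

```python
import hashlib

# ASSUMPTION (not from the article): the forum stores vBulletin-style
# hashes, md5(md5(password) + salt). Any fast hash behaves the same way
# here; one md5 call per guess is why a dump like this is crackable.
def forum_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

# A separate credential store standing in for a second service (Steam-like),
# deliberately using a different scheme: SHA-256 over a per-user salt.
# Constructed for this example; it is not how any real service stores passwords.
def store_hash(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()

# Constructed forum dump: (username, salt, hash). Not real data.
FORUM_DUMP = [
    ("gabe_n", "aB3", forum_hash("halflife3", "aB3")),
    ("portal_fan", "x9Q", forum_hash("correct horse battery staple", "x9Q")),
    ("tf2_heavy", "mQ7", forum_hash("sandvich", "mQ7")),
]

# Constructed second store: username -> (salt, hash).
# gabe_n reused the forum password; tf2_heavy did not; portal_fan has no account.
_SALT1, _SALT2 = b"\x01\x02\x03\x04", b"\x05\x06\x07\x08"
SECOND_STORE = {
    "gabe_n": (_SALT1, store_hash("halflife3", _SALT1)),
    "tf2_heavy": (_SALT2, store_hash("Sandvich!2011", _SALT2)),
}

# A tiny constructed wordlist; real attacks use millions of entries.
WORDLIST = ["password", "123456", "steam", "valve", "halflife3", "sandvich", "portal"]


def crack_forum(dump, wordlist):
    """Offline dictionary attack against the dumped forum hashes.

    Each candidate costs one forum_hash() call per account, so the salt only
    stops precomputed tables; it does not slow a per-account wordlist run.
    Returns {username: recovered_password} for every account cracked.
    """
    cracked = {}
    for user, salt, digest in dump:
        for candidate in wordlist:
            if forum_hash(candidate, salt) == digest:
                cracked[user] = candidate
                break
    return cracked


def find_reuse(cracked, store):
    """Credential-stuffing check: try each recovered forum password against
    the same handle in a different store. Returns the exposed handles."""
    exposed = []
    for user, password in cracked.items():
        if user in store:
            salt, digest = store[user]
            if store_hash(password, salt) == digest:
                exposed.append(user)
    return exposed


if __name__ == "__main__":
    recovered = crack_forum(FORUM_DUMP, WORDLIST)
    print("cracked forum accounts:", recovered)
    print("same password works on the second store for:", find_reuse(recovered, SECOND_STORE))
```

Two things to take from the run: the long passphrase survives because it is not in the wordlist, not because the hash protected it, and the second store's stronger, unrelated hashing scheme does nothing for the user who reused a password. A slow KDF on the forum side (PBKDF2, bcrypt, scrypt) raises the cost of every guess by orders of magnitude, but the only defence against reuse is not reusing.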
This could be related to the CAPTCHA breach of those forums some months prior (I suspect they too use a variant of the vB forum).
It appears to me to be an ordinary SQL injection and circumvention of the MD5 hash.
If the latter is true, then some passwords may have been compromised.
The redirect is an obvious sign that the DNS root is hacked. That’s really bad, because some users may have mistakenly filled in their passwords on the false website; in other words, they could have been spoofed.
If Steam uses an SSL connection for their forum website, then a duplicate, fake SSL certificate is issued through whatever SSL host they have. If the latter is the case, then their SSL host is also hacked and not just Steam itself. Such situations have happened before (see the DigiNotar and Iran scandal).
Oh yes, DNS hijacking is the favorite currency of the modern web-based man-in-the-middle attack, as it makes phishing a lot simpler. If Steam’s forums don’t use an SSL vendor, then even browsers like Chrome and Firefox, with an SSL checker, won’t discover that the DNS and certificate don’t match.
I do love the DigiNotar scandal in that it literally destroyed them as a certificate authority. After all, SSL certs and cryptographic signatures are all about trust, and DigiNotar has become the scuzzy black sheep of the industry.
Yeah, it caused DigiNotar to go bankrupt.