Okay so where’s the value here? Like I’m sure the phone numbers are worthwhile but including the 2fa codes with the phone number doesn’t seem like worthfull information, unless steam doesn’t properly have OTP setup and they don’t expire in a timely manner, but I’m willing to bet that a company like steam has a properly configured system
So I know it’s confirmed false, but I wanted to take the opportunity to ask how you good folks stay in the know about critical/time sensitive compromises like this was believed to be?
Dunno if other people have a faster way of finding out about potential data breaches, but for me, the original Bleeping Computer article about this showed up on my newsfeed and that’s how I found out about it, followed a few hours later by other sites parroting the same news while quoting the BC article. It wasn’t till I saw this post that I learned this breach is a fake, though. So, I’d say just keep an eye on your newsfeed and if you see something there, check any tech news communities and other relevant social media communities that you’re a part of for the same news and for further details.
Edit: There’s also sites like Have I Been Pwned where you can put in your email and get information on every known data breach involving your email address. The site can also notify you about any new data breaches where your email showed up in the affected data.
Thank you for sharing this! Why should journalists verify anything, right? It’s not like it’s their job to report factual information they researched or anything…
So what are the details of the risk here? Can texted 2FA use old codes to math out new ones? Is it just that they know which phone number goes to an account they can do another kind of attack on to get new codes?
From what I read these are old texted one time codes. Good one time, generally only for a few minutes. Useless now.
Or is this bad only because there’s a breach somewhere, they don’t know where, and who knows what else they have?
I guess if the affected users are keeping their phone and TFA method you could target their phone numbers to try to intercept new codes, although that’s not doable at scale.
Having phone numbers associated to accounts out in public is pretty bad in general, though.
It says the leak was not on Steam’s side. I think OP may have been misled a bit by this.
Crucially it also says the phone numbers were not tied to emails, which is a big difference that does make this much less of a big deal.
The gist of it:
The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.
That’s what happens when you don’t have to think one quarter at a time. You actually realize that investing in your IT infrastructure is way cheaper than shit breaking or a breach happening.
I cut Steam some slack because they were early to that particular party, so they got grandfathered in. Plus the QR signin is fairly useful (not that they couldn’t do it regardless, but still).
Their app is pretty ancient, can be kinda buggy and it’s not great overall, though.
I remember reading something about Steam having some of the best login protection even before HTTPS was a thing. I gotta find that article again since it was pretty cool
I’m personally of the opinion that a separate app sign in is okay as an additional measure, if the app is actually useful. For example, GitHub does this well - they support TOTP, and the mobile app is okay. Steam mobile app is useful, but TOTP option as a fallback would be nice.
Maybe the most useless thing I have on this front is the Blizzard app, really. The app is not particularly useful for me, I’d rather just use TOTP, if they had the option.
Like I said I’m torn on that front. I only ever use the Steam app for QR login and TFA. Their grand design was that you’d be monitoring it as a marketplace back when they had these protoNFT ideas of how big their hats and trading cards were going to get.
But I never cared about those and they never put enough effort on the game store side of the app for it to be a better alternative than making purchases on the PC app instead, so… Would it be worth it to use a general TOTP app instead of a QR code for first time login and transaction validation? I’d say very likely, considering I already have a couple of those for a bunch of other services.
Steam is one of the few apps that I’m fully okay with having on my phone and using for 2fa. I especially like that when I go to login it’s like Discord where I can scan a QR code to confirm from the App instead of having to type in a number that expires. Like it would be nice to have the other functionality as well but I’m content with their current system
I don’t mind that they have 2FA features in their app. I mind that using SMS for this has been known to be bad practice for years and they’ve tried to leverage that insecurity to push users to the Steam app. It’s reckless and this current data breach is only possible because of it.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: [email protected]
Welcome to the largest gaming community on Lemmy! Discussion for all kinds of games. Video games, tabletop games, card games etc.
Rules
1. Submissions have to be related to games
Video games, tabletop, or otherwise. Posts not related to games will be deleted.
This community is focused on games, of all kinds. Any news item or discussion should be related to gaming in some way.
2. No bigotry or harassment, be civil
No bigotry, hardline stance. Try not to get too heated when entering into a discussion or debate.
We are here to talk and discuss about one of our passions, not fight or be exposed to hate. Posts or responses that are hateful will be deleted to keep the atmosphere good. If repeatedly violated, not only will the comment be deleted but a ban will be handed out as well. We judge each case individually.
3. No excessive self-promotion
Try to keep it to 10% self-promotion / 90% other stuff in your post history.
This is to prevent people from posting for the sole purpose of promoting their own website or social media account.
4. Stay on-topic; no memes, funny videos, giveaways, reposts, or low-effort posts
This community is mostly for discussion and news. Remember to search for the thing you’re submitting before posting to see if it’s already been posted.
We want to keep the quality of posts high. Therefore, memes, funny videos, low-effort posts and reposts are not allowed. We prohibit giveaways because we cannot be sure that the person holding the giveaway will actually do what they promise.
5. Mark Spoilers and NSFW
Make sure to mark your stuff or it may be removed.
No one wants to be spoiled. Therefore, always mark spoilers. Similarly mark NSFW, in case anyone is browsing in a public space or at work.
6. No linking to piracy
Don’t share it here, there are other places to find it. Discussion of piracy is fine.
We don’t want us moderators or the admins of lemmy.world to get in trouble for linking to piracy. Therefore, any link to piracy will be removed. Discussion of it is of course allowed.
Okay so where’s the value here? Like I’m sure the phone numbers are worthwhile but including the 2fa codes with the phone number doesn’t seem like worthfull information, unless steam doesn’t properly have OTP setup and they don’t expire in a timely manner, but I’m willing to bet that a company like steam has a properly configured system
So I know it’s confirmed false, but I wanted to take the opportunity to ask how you good folks stay in the know about critical/time sensitive compromises like this was believed to be?
Dunno if other people have a faster way of finding out about potential data breaches, but for me, the original Bleeping Computer article about this showed up on my newsfeed and that’s how I found out about it, followed a few hours later by other sites parroting the same news while quoting the BC article. It wasn’t till I saw this post that I learned this breach is a fake, though. So, I’d say just keep an eye on your newsfeed and if you see something there, check any tech news communities and other relevant social media communities that you’re a part of for the same news and for further details.
Edit: There’s also sites like Have I Been Pwned where you can put in your email and get information on every known data breach involving your email address. The site can also notify you about any new data breaches where your email showed up in the affected data.
removed by mod
Oh, so they are selling phone numbers.
The 2fa codes are useless after 1 min.
Yeah. I think someone used the term “historic” appropriately, that it’s old
And people are assuming it was used as an exaggeration like “this is a big deal”.
Yeah, that’s pretty dumb.
Were I a nefarious scheming hacker, I wouldn’t pay shit for that.
Already debunked
https://bsky.app/profile/tannerofthenorth.bsky.social/post/3lp572utm5c2c
Thanks for the update. False alarm.
Well I already changed my password and my old password was shit so thank you late april fools prank.
Thank you for sharing this! Why should journalists verify anything, right? It’s not like it’s their job to report factual information they researched or anything…
Looking at how this started, it’s even more depressing.
So what are the details of the risk here? Can texted 2FA use old codes to math out new ones? Is it just that they know which phone number goes to an account they can do another kind of attack on to get new codes?
From what I read these are old texted one time codes. Good one time, generally only for a few minutes. Useless now.
Or is this bad only because there’s a breach somewhere, they don’t know where, and who knows what else they have?
I guess if the affected users are keeping their phone and TFA method you could target their phone numbers to try to intercept new codes, although that’s not doable at scale.
Having phone numbers associated to accounts out in public is pretty bad in general, though.
In case any time travelers want to make some slow cash?
According to Steam, no leak occurred.
This doesn’t say that no leak ocurred.
It says the leak was not on Steam’s side. I think OP may have been misled a bit by this.
Crucially it also says the phone numbers were not tied to emails, which is a big difference that does make this much less of a big deal.
The gist of it:
Aside from this being false, it’s kinda crazy that Steam has had no significant public leaks.
That’s what happens when you don’t have to think one quarter at a time. You actually realize that investing in your IT infrastructure is way cheaper than shit breaking or a breach happening.
I once wrote the guy listed for their infrastructure that one of their mail servers is configured incorrectly.
He got back to me after 2 hours thanking me and telling me he fixed it.
Thought that was pretty impressive for a company of their size.
Fuck off and let me use my own TOTP app already.
I cut Steam some slack because they were early to that particular party, so they got grandfathered in. Plus the QR signin is fairly useful (not that they couldn’t do it regardless, but still).
Their app is pretty ancient, can be kinda buggy and it’s not great overall, though.
I remember reading something about Steam having some of the best login protection even before HTTPS was a thing. I gotta find that article again since it was pretty cool
I’m personally of the opinion that a separate app sign in is okay as an additional measure, if the app is actually useful. For example, GitHub does this well - they support TOTP, and the mobile app is okay. Steam mobile app is useful, but TOTP option as a fallback would be nice.
Maybe the most useless thing I have on this front is the Blizzard app, really. The app is not particularly useful for me, I’d rather just use TOTP, if they had the option.
Like I said I’m torn on that front. I only ever use the Steam app for QR login and TFA. Their grand design was that you’d be monitoring it as a marketplace back when they had these protoNFT ideas of how big their hats and trading cards were going to get.
But I never cared about those and they never put enough effort on the game store side of the app for it to be a better alternative than making purchases on the PC app instead, so… Would it be worth it to use a general TOTP app instead of a QR code for first time login and transaction validation? I’d say very likely, considering I already have a couple of those for a bunch of other services.
Steam is one of the few apps that I’m fully okay with having on my phone and using for 2fa. I especially like that when I go to login it’s like Discord where I can scan a QR code to confirm from the App instead of having to type in a number that expires. Like it would be nice to have the other functionality as well but I’m content with their current system
I don’t mind that they have 2FA features in their app. I mind that using SMS for this has been known to be bad practice for years and they’ve tried to leverage that insecurity to push users to the Steam app. It’s reckless and this current data breach is only possible because of it.
Although it is not officially supported you can do this: https://github.com/keepassxreboot/keepassxc/discussions/9591
I did it years ago (I would say 10+ years) and it works perfectly fine.
You can also extract and give it to bitwarden as well for those folks using that.
5000$ for 89 million 2FA codes, obviously its false 😂