
Valve confirms password leak
Earlier today, Ekstra Bladet published a short article about a gigantic leak of data from 89 million Steam accounts.
A user going by the name Machine1337 is reportedly selling the data, which contains phone numbers, SMS metadata and old Steam 2FA codes, on the dark web for a sum of 33,000 kroner.
Ekstra Bladet cites the tech outlet XDA for the story, and they have now received a reply from Valve, which confirms the authenticity of the data in the large leak.
They write that the leak did not occur at Valve, but point instead to the data originating from unencrypted SMS messages that pass through several providers before they reach your phone.
They therefore urge calm, as nothing indicates that your personal information and passwords belonging to your Steam account have been leaked. The 2FA codes that were leaked are only valid for 15 minutes and are thus no longer usable, and neither they nor the phone numbers have been linked to your Steam account.
Valve therefore also does not believe there is a need to change all your passwords or phone numbers at Steam, but at the same time encourages users to always stay attentive to their security measures.
Valve's statement:
Yesterday we were made aware of reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems.
We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.
The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.
From a Steam perspective, customers do not need to change their passwords or phone numbers as a result of this event. It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious. We recommend regularly checking your Steam account security at any time at https://store.steampowered.com/account/authorizeddevices.
We also recommend Steam users set up the Steam Mobile Authenticator if they haven’t already, as it gives us the best way to send secure messages about their account and that account’s safety.