Valve confirms user data was stolen in Steam hacking

By Lee Kaelin on November 11, 2011, 8:22 AM

Valve has confirmed that the attacks on its forum late Sunday, during which the forum was defaced before being taken offline, extend beyond just user account details and include personal information of those with Steam accounts.

"We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information," said Gabe Newell, CEO of Valve, in a statement released on its forum homepage.

The forum has remained offline since the attacks took place, and it is uncertain when normal posting will return. It is likely to remain offline while Valve finalizes its investigation into the breach. Unlike in previous hacks reported over the last year, passwords were hashed and salted, so they should remain relatively safe even in the hands of the hackers -- although a short, simple password may still be vulnerable to a brute-force attack, depending on the strength of the hashing scheme. Nevertheless, it would be a good idea to take the opportunity to change them, and to re-enable SteamGuard for those who have it disabled.

"We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating," Newell commented. He also stated that while they only had evidence of a few forum user accounts being compromised, the company will be forcing all users to change passwords when the forum comes back online.

Given that the hackers have the email addresses of at least some of its users, it would also be very good practice to change your passwords on any other sites you frequent if the login details are the same. Users are reminded that SteamGuard is only effective if your email account remains secure, so those using the same password for both should change them immediately.

The handling of this incident is in stark contrast to the enormous controversy that centered around the intrusions on Sony earlier in the year, and again just last month. While inconvenient and frustrating, it appears that Valve has taken adequate precautions and has been honest to its users. It's also worth noting that while the Steam forums are down, Steam itself is working fine.

User Comments: 17

gwailo247, TechSpot Chancellor, said:

I feel like I should have gotten an e-mail about this from Valve. I shouldn't have to read other sites to find out about it.

dustin_ds3000, TechSpot Chancellor, said:

I got a notification within Steam itself.

lchu12 said:

Same here, I got a notification from Steam itself.

yukka, TechSpot Paladin, said:

I haven't logged into Steam for a few days. Valve should have sent out an email about this.

gwailo247, TechSpot Chancellor, said:

No, I got nothing from within Steam. But still, they shouldn't rely on that, an e-mail is needed.

LNCPapa said:

I got a popup as soon as Steam launched last night.

cliffordcooley, TechSpot Paladin, said:

Maybe your account wasn't compromised, if you didn't get a notification.

I just loaded Steam and didn't see a notification either.

Guest said:

Yup, I received a popup in Steam immediately when they sent it last night. No worries, everything was encrypted, they won't be able to decrypt it... Even if you used the same password on your Steam account, well, assuming you enabled Steam Guard, no one will be able to enter it.

My Steam username is: mike77 , my password is: 2Elm_treE34

If you try to login it will request the verification code that will be sent to my email. My email has a different password. Good luck.

motrin said:

Guest trusts too much...

gwailo247, TechSpot Chancellor, said:

I logged off and logged back on and it finally popped up. And I can get 10% off Jurassic Park!

Win and Win!

madboyv1, TechSpot Paladin, said:

My Steam password and my email password are different to begin with and I already have SteamGuard enabled, but for good measure I'll still change my password on Steam and keep an eye on my bank statements (though I think I've always used PayPal, but I can't remember).

Relic, TechSpot Chancellor, said:

An e-mail would've been nice but still props to Valve for actually sharing this information and not sitting on it for weeks before coming clean. I use SteamGuard and different passwords for pretty much everything like most here, but I guess changing them now wouldn't hurt.

Guest said:

I wonder if any SONY haters are here right now? Hhhmmm! Goes to show when a person digs a hole hoping for other companies to go down, they better dig 2.

Who's lol now? Hackers are criminals. I hate them same as I hate mosquitoes.

LNCPapa said:

ROFL - I really enjoyed this quote.

I logged off and logged back on and it finally popped up. And I can get 10% off Jurassic Park!

Win and Win!

Guest said:

@motrin: I guess you never watched that video where Gabe gave out his account name and password, showing how confident he was in Steam Guard's effectiveness.

spydercanopus said:

At least give us a free game after we bend over for you, Steam.

Guest said:

That was only a matter of time until something like that happens.
