Valve: Encrypted credit card data, other info taken in Steam hack

By on February 10, 2012, 5:00 PM

The damage of last year's Steam intrusion is worse than previously thought, according to an update by Valve co-founder Gabe Newell. In November, the company's servers were breached as hackers defaced Steam's forums and accessed a database with user information.

Although that server contained data such as usernames, hashed passwords, game purchases, email addresses, billing addresses and encrypted credit card numbers, Valve initially found no evidence that personally identifying information was taken or otherwise compromised.

Upon further investigation, that preliminary conclusion proved to be incorrect. Newell now believes the hackers obtained a copy of a backup file with data about Steam transactions made between 2004 and 2008. That backup file contained usernames, email addresses, encrypted billing addresses and encrypted credit card numbers. On the bright side, no passwords were in the file.

Also, because the billing addresses and credit card numbers were encrypted, there's no evidence of them actually being compromised and that will likely remain true. Nonetheless, Newell urges Steam customers to monitor their financial statements and to use Steam Guard, a security measure added in March 2011 to help prevent accounts from being hijacked. Newell's full letter is below:

Dear Steam Users and Steam Forum Users:

We continue our investigation of last year's intrusion with the help of outside security experts. In my last note about this, I described how intruders had accessed our Steam database but we found no evidence that the intruders took information from that database. That is still the case.

Recently we learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008. This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information. It did not include Steam passwords.

We do not have any evidence that the encrypted credit card numbers or billing addresses have been compromised. However as I said in November it's a good idea to watch your credit card activity and statements. And of course keeping Steam Guard on is a good idea as well.

We are still investigating and working with law enforcement authorities. Some state laws require a more formal notice of this incident so some of you will get that notice, but we wanted to update everyone with this new information now.

Gabe




User Comments: 15

RH00D said:

I actually feel bad for Gabe. He is consistently very nice to the community and treats gamers better than most major developers and publishers can say. Then he has to deal with immature fat jokes on almost any YouTube video or forum post about him and now has had to deal with this unnecessary crap.

I just hope one day he doesn't get tired of people's **** and say "f*** it!" and start treating us with the same level of respect these internet tards are treating him.

TL;DR - Be nice to the ones who are nice to you.

Guest said:

@RH00D: +1 Internets

Guest said:

@RH00D

You are absolutely right, Steam is the best digital distributor, Valve is one of the finest developers and Gabe is my personal fav person around, he is the guy who knows how to treat his customers as customers, such a nice person.

Darth Shiv said:

Yes this is the way to handle data breaches. People should know IT systems aren't perfect but they at least encrypted important data and are being transparent about it.

Guest said:

lol w8 a minute this happened a year ago ? and now is when you tell us wow....

mailpup said:

Guest, read the article again. It happened last year in November not a year ago and it was covered at the time by this article: [link]

treetops said:

I like Valve; that being said, they should have emailed everyone about this.

EDIT I don't got anything in my inbox.

gwailo247, TechSpot Chancellor, said:

Sorry but this: "However as I said in November it's a good idea to watch your credit card activity and statements." is bullshit.

Maybe Valve should pay for that service?

By the time you check your statement, 30 days worth of purchases may have been made. I never got a single e-mail from them, sorry but a Steam pop up is not notifying me properly of my CC info being potentially in the wild.

I really like Steam too, but why is everyone kissing his ass for this? Finding out 3 months down the line on Techspot that my CC info may have been stolen is not exactly the gold standard for notification. Just cause he's apologetic and not a **** like Sony, doesn't make this thing kosher.

mattfrompa said:

gwailo247 said:

Sorry but this: "However as I said in November it's a good idea to watch your credit card activity and statements." is bullshit.

Maybe Valve should pay for that service?

By the time you check your statement, 30 days worth of purchases may have been made. I never got a single e-mail from them, sorry but a Steam pop up is not notifying me properly of my CC info being potentially in the wild.

I really like Steam too, but why is everyone kissing his ass for this? Finding out 3 months down the line on Techspot that my CC info may have been stolen is not exactly the gold standard for notification. Just cause he's apologetic and not a **** like Sony, doesn't make this thing kosher.

I highly recommend you enroll in online banking. With PNC you can even dispute charges online, and have email/text alerts.

RH00D said:

gwailo247 said:

Sorry but this: "However as I said in November it's a good idea to watch your credit card activity and statements." is bullshit.

Maybe Valve should pay for that service?

By the time you check your statement, 30 days worth of purchases may have been made. I never got a single e-mail from them, sorry but a Steam pop up is not notifying me properly of my CC info being potentially in the wild.

I really like Steam too, but why is everyone kissing his ass for this? Finding out 3 months down the line on Techspot that my CC info may have been stolen is not exactly the gold standard for notification. Just cause he's apologetic and not a **** like Sony, doesn't make this thing kosher.

Whoa buddy, Gabe said way back when this initially happened that they didn't have solid evidence that encrypted CC info may have been taken, but the fact that they were even hacked should be enough for you to pay attention to your CC info and realize it was a possibility. Don't expect Valve to hold your hand and babysit you (watch your CC statements); maybe you should take the initiative and be doing that anyway.

Nonetheless, the info is encrypted; you're acting like someone actually did spend thousands off your CC.

mailpup said:

Please try to make your points without the personal comments. Such posts may find themselves disappearing into the void like a few already have. Thank you.

rvnwlfdroid said:

Personally I like what Steam has to offer. I've never had an issue myself (aside from running a 64-bit OS and having some issues running some of the older titles purchased in a pack). Even those issues are not Steam's fault. I have to say (the 64 vs 32 bit issue) has helped me expand my knowledge base a bit by setting up a VM to take care of those issues.

Guest said:

Just another legitimate reason to be a pirate.

Guest said:

^^ Not a chance in hell.

Guest said:

Personally I haven't purchased anything from Steam, I guess Steam is not as awesome in Europe (in my case Switzerland) as it is in the US. Here Steam is usually pricier for new games compared to an e-tailer and many special sales are not supported in Switzerland :-(

What I really see as a dangerous trend is to store credit card information on an account. Not just on Steam, Amazon and others do this too. Sure, it is handy not to have to enter your address, your phone and email every time you buy something, but the more information you put in a database the more it is going to attract criminals. Especially if there are credit cards to grab. Is it too much work to enter your credit card info every time you buy something - I don't think so. For me the comfort is not worth the risk, too many databases have been breached in the last year or so.
