The damage of last year's Steam intrusion is worse than previously thought, according to an update by Valve co-founder Gabe Newell. In November, the company's servers were breached as hackers defaced Steam's forums and accessed a database with user information.
Although that server contained data such as usernames, hashed passwords, game purchases, email addresses, billing addresses and encrypted credit card numbers, Valve didn't find any evidence that personally identifying information was taken or otherwise compromised.
Upon further investigation, that preliminary conclusion proved to be incorrect. Newell now believes the hackers obtained a copy of a backup file with data about Steam transactions made between 2004 and 2008. Said backup file contained usernames, email addresses, encrypted billing addresses and encrypted credit card numbers. On the bright side, no passwords were in the file.
Also, because the billing addresses and credit card numbers were encrypted, there's no evidence of them actually being compromised and that will likely remain true. Nonetheless, Newell urges Steam customers to monitor their financial statements and to use Steam Guard, a security measure added in March 2011 to help prevent accounts from being hijacked. Newell's full letter is below:
Dear Steam Users and Steam Forum Users:
We continue our investigation of last year's intrusion with the help of outside security experts. In my last note about this, I described how intruders had accessed our Steam database but we found no evidence that the intruders took information from that database. That is still the case.
Recently we learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008. This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information. It did not include Steam passwords.
We do not have any evidence that the encrypted credit card numbers or billing addresses have been compromised. However as I said in November it's a good idea to watch your credit card activity and statements. And of course keeping Steam Guard on is a good idea as well.
We are still investigating and working with law enforcement authorities. Some state laws require a more formal notice of this incident so some of you will get that notice, but we wanted to update everyone with this new information now.