Must Read: Mint 15: Today's best Linux desktop (Review)

Topic: Hardware

Valve confirms Steam server intrusion

Summary: Hackers gained access to usernames and passwords.

Adrian Kingsley-Hughes

By for Hardware 2.0 |

Games developer and distributor Valve has confirmed that hackers gained access to the Steam server and that have gained access to usernames and passwords.

Earlier this week users began reporting problems and strange messages over on the Steam forum shortly before Valve took the forum offline. Hacking was suspected at the time.

Gabe Newell, Managing director of Valve, confirmed the breach in an email to users:

Dear Steam Users and Steam Forum Users,

Our Steam forums were defaced on the evening of Sunday, November 6.  We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums.   This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

It's a good thing that passwords were encrypted, but it's still an awful lot of information to fall into the hands of bad guys, and a very big black eye for Valve. It's also somewhat worrying that Valve still doesn't have a full grasp of just how big or a breach this was.

It's also sloppy that Steam users aren't told about this via the Steam client software. The news section doesn't mention the breach at all:

[UPDATE: Information relating to the breach appeared in my Steam client today after playing a game:

This is the best way to inform gamers of the breach.]

Thoughts? Do you still trust Valve? Will you buy future games through Steam?

Topics: Hardware, Servers

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

19 comments
Log in or register to join the discussion

  • RE: Valve confirms Steam server intrusion

    With regards to your last sentence, when you log in to Steam the warning appears as a pop up, the same box that advertises new deals. This behaviour can be disabled so I don't know if it still pops up anyway? Can they override?
    Ben_E
    Reply Vote

    • RE: Valve confirms Steam server intrusion

      @Ben_E I see the new deals but see no warning yet ... I certainly see the deals!
      Adrian Kingsley-Hughes
      Reply Vote

      • RE: Valve confirms Steam server intrusion

        @Adrian Kingsley-Hughes I must have got yours! There were four in total, all mirroring the message on the forums.
        Ben_E
        Reply Vote

      • I was warned

        @Adrian Kingsley-Hughes

        Immediately upon logging into Steam, I was warned about the intrusion. I changed my password and moved on.
        lapland_lapin
        Reply Vote

  • RE: Valve confirms Steam server intrusion

    I got a Steam client pop-up warning me about the intrusion. So did my friends. I still trust Steam, Mr. Kingsley-Hughes' fact checking skills...not so much.
    hanszurcher
    Reply Vote

    • RE: Valve confirms Steam server intrusion

      @hanszurcher ^This
      Crimson Avenger
      Reply Vote

  • RE: Valve confirms Steam server intrusion

    Great Steam. You..... Nevermind. I you can't say anything good don't say anything at all.
    Thanks a lot for being so secure............
    widdybear
    Reply Vote

  • RE: Valve confirms Steam server intrusion

    I never got any e mail from them.
    MoeFugger
    Reply Vote

    • RE: Valve confirms Steam server intrusion

      @MoeFugger
      Me neither. No email. No popup (I just launched steam a second ago). So far, I have received no information from Valve regarding this hack.
      x I'm tc
      Reply Vote

  • Isn't the cloud wonderful?

    [/sarcasm on]
    We should do everything in the cloud!
    [/sarcasm off]
    BillDem
    Reply Vote

    • RE: Valve confirms Steam server intrusion

      @BillDem It's good for some things.

      In fact, it's pretty good for games.

      Losing a forum account or a few games isn't a big deal. I don't use those passwords elsewhere anyways, thanks to LastPass and KeePass. Losing a credit card # is, though.
      CobraA1
      Reply Vote

  • RE: Valve confirms Steam server intrusion

    I have not even received an email about this. Actually found out about this while searching for games on Amazon. Noticed a topic in the forums list on the side and checked. I had been on steam a few times and had seen nothing and with no email I was in the blind. And, if there is a pop-up message I never set my account to disable and I never received one. I did not have any major personal information on the site so I am not worried about anything but for people that do not receiving notification is a bad thing.
    fathog21
    Reply Vote

  • RE: Valve confirms Steam server intrusion

    But the cloud is so cool. Give me a break. Everything touching the web is vulnerable. Want security? Quit giving others (strangers) your information. Remember what your mommy told you? Because its cool doesn't mean its necessary. This topic is getting old.
    ogoforth
    Reply Vote

  • This is the forum and not the main game playing side

    If I understand this correctly, If you don't participate in the forums (have not even registered), then you were not affected ... yet. However, most people who use the same password on both services or more can be in real trouble.

    That might explain why some people get notified and others not.
    Just speculations.
    laxamar
    Reply Vote

  • Ouch

    I deserve what just happened. So do you if, like me, you are too lazy to think up different passwords for each site. Changing my password on Steam will be the least of my problems. It's all the other ones that have the same set of keys.

    Will I now hate Valve and stop buying things from them? Why? Is there an Amazing Hackproof Vendor out there that I can be sure won't be next? I always knew Valve might get hacked. Amazon might get hacked. Newegg might get hacked. Heck, the IRS got hacked. The Pentagon gets hacked. If it's out there, the Bad Guys can get it.
    Robert Hahn
    Reply Vote

  • RE: Valve confirms Steam server intrusion

    It appears that the winner of the cloud ecosystem will go to the company that gets security right... and convinces their customers of that fact.
    kstap
    Reply Vote

  • RE: Valve confirms Steam server intrusion

    http://chilp.it/755f2b http://chilp.it/755f2b
    fjrtutrjgky
    Reply Vote

  • RE: Valve confirms Steam server intrusion

    Valve being compromised will not affect me purchasing from them in the future. My account has 181 games in it and it will grow. Nobody can be hack proof.
    Jimster480
    Reply Vote

  • Passwords

    The passwords were not encrypted... that implies they can be decrypted. They were hashed and salted. Big difference. It's almost impossible for such passwords (granted, depending on the hashing algorithm) to be recovered.
    sloDavid
    Reply Vote
CNET Join | Log In | Privacy | Cookies Close