Steam hack goes beyond forums, Valve reveals

A letter from Valve boss Gabe Newell has revealed that an investigation into the "intrusion" that "defaced" the Steam forums on Sunday, November 6, was worse than the company originally believed.

"We learned that intruders obtained access to a Steam database in addition to the forums," Newell wrote. "This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked."

Newell states that Valve does not have any evidence that credit cards have been misused at this time; however, he recommends that users "watch [their] credit card activity and statements closely."

"While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well," he added.

A touch of promising news came from the letter, however, as Newell stated that the company does not know of any compromised Steam accounts. "We are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn't be a bad idea to change that as well, especially if it is the same as your Steam forum account password," he recommended, before adding, "I am truly sorry this happened, and I apologize for the inconvenience."

Newell says Valve will re-open the Steam forums as soon as they can. The note to users can be found on the front page of the Steam forum page.

Xav de Matos was previously a games journalist creating content at Shacknews.

From The Chatty
  • reply
    November 10, 2011 3:06 PM

    Xav de Matos posted a new article, Newell: Steam 'intrusion' goes beyond forums.

    • reply
      November 10, 2011 2:57 PM

      Well that's depressing.

    • reply
      November 10, 2011 3:02 PM

      Nooo....

    • reply
      November 10, 2011 3:09 PM

      Dammit, Gabe.

    • reply
      November 10, 2011 3:15 PM

      The salt is gaben

    • reply
      November 10, 2011 3:16 PM

      [deleted]

    • reply
      November 10, 2011 3:28 PM

      Well I guess it was only a matter of time before this happened to Steam as well.
      Time to change my password ;)

    • reply
      November 10, 2011 3:30 PM

      i still haven't received this email. odd?

    • reply
      November 10, 2011 3:37 PM

      [deleted]

    • reply
      November 10, 2011 3:37 PM

      If you've not already (And you should have!), turn on Steam Guard!

    • reply
      November 10, 2011 3:56 PM

      I love the smell of class-action-lawsuits in the morning.

      • reply
        November 10, 2011 6:58 PM

        Why would there be a class action lawsuit? Because some dumbass uses the same name/pw combo for all sites/email accounts?

    • reply
      November 10, 2011 4:15 PM

      Come on guys, this is clearly a clever ARG in anticipation of EP3!

    • reply
      November 10, 2011 4:28 PM

      is this one of the 3 big announcements from valve?

    • reply
      November 10, 2011 4:29 PM

      Steam Guard is nice but a Steam Authenticator RSA key or Android app would be better.

      • reply
        November 10, 2011 7:40 PM

        RSA is no safer and was compromised earlier this year. Not to mention the algorithm may even be compromised due to the intrusion they had. So not sure that is any consolation.

        • reply
          November 11, 2011 12:26 AM

          If you have no idea what you're talking about, then don't talk about it. RSA isn't compromised and the recent crack that took 40 hours requires PHYSICAL access to the machine which has the private key. But sure it's fun to stir up people and talk trash, I agree!

    • reply
      November 10, 2011 4:29 PM

      I swear this post wasn't here when I posted :(

    • reply
      November 10, 2011 4:33 PM

      ugh fuck this

      does anyone have a good password management system they can suggest? I'm tired of all these security breaches. I can't even tell what's safe to use the same password for anymore and I can only keep so many passwords in my head (I think I'm at 4 or 5 now)

      • reply
        November 10, 2011 4:41 PM

        I really like keepass in combo with dropbox.

        • reply
          November 10, 2011 4:43 PM

          ^^ This has been awesome for me. Along with the Android app it's even better.

          • reply
            November 10, 2011 5:18 PM

            [deleted]

            • reply
              November 11, 2011 12:57 AM

              Is this any better/different to KyPass?

          • reply
            November 10, 2011 6:55 PM

            How does it work with the android app? Does dropbox constantly update the file for you and keep them in sync or do you have to manually say get me the new file to dropbox?

            • reply
              November 10, 2011 8:50 PM

              You need to do it manually. Kind of a pain, but how often are you going to update your passwords? Really often? It's probably worth paying for something better. Rarely? Roll with it and save a few buxxx.

      • reply
        November 10, 2011 4:43 PM

        1password

      • reply
        November 10, 2011 5:00 PM

        I like Lastpass a lot.

      • reply
        November 10, 2011 5:16 PM

        I love KeePass

      • reply
        November 10, 2011 6:19 PM

        thanks dudes, KeePass it is then.

      • reply
        November 10, 2011 6:19 PM

        I like http://Lastpass.com I started using it after the Gawker hack and I love it.

        Unique password for each site, this hacking was like a 30 second inconvenience to me while I merely changed my password. No fucks were given.

      • reply
        November 10, 2011 7:46 PM

        This is kind of old fashioned, but I keep all my passwords in a Word file I lock using my most commonly used password. That works just fine because I'm the only one with access to the file.

        • reply
          November 10, 2011 11:23 PM

          I do/did that too (as of writing this I already made the switch), but I figure a program makes managing and organizing them a bit easier.

      • reply
        November 10, 2011 8:01 PM

        I just switched to Lastpass a couple days ago after Facebook told me someone signed into my account from another state.

      • reply
        November 11, 2011 1:44 AM

        make up a sentence like "FearABrownCatPanther" un-bruteforcable (with any sane amount of computing power) and easy to remember

      • reply
        November 11, 2011 12:37 PM

        since i re-installed SC so much, i just use that as my password

    • reply
      November 10, 2011 4:44 PM

      ok, which one of you is responsible?

    • reply
      November 10, 2011 4:44 PM

      This may explain the several password reset attempts from a Cox.net ip address that I received recently.

    • reply
      November 10, 2011 5:13 PM

      this was bound to happen eventually.......

    • reply
      November 10, 2011 6:18 PM

      with everyone else being hit it was bound to happen eventually. frustrating as it is for us consumers, all this hacking may lead towards better security so hopefully there's an upside.

    • reply
      November 10, 2011 6:28 PM

      Damnit. I liked my Steam password :(

    • reply
      November 10, 2011 6:29 PM

      I have steam guard so I feel a little better and recently I do not reuse passwords at all so I only have one password to change but for some reason I can't change my password. It keeps on saying "steam can not process your request, try again later." hmmm..

    • reply
      November 10, 2011 6:30 PM

      login: steamadmin: password: gaben

    • reply
      November 10, 2011 7:05 PM

      GODDAMMIT SONY

      • reply
        November 10, 2011 7:11 PM

        Sony stored a lot of important data in plain text though. Valve isn't THAT stupid.

    • reply
      November 10, 2011 7:11 PM

      [deleted]

      • reply
        November 10, 2011 8:06 PM

        [deleted]

        • reply
          November 10, 2011 8:46 PM

          he is saying it won't let him change his password. just like it won't let ME change my password. I've been trying for days with no luck... my passwords aren't the same between the forum and steam, but i was of the mind that if one thing got hacked, something else might have as well, and tried to change it as soon as i heard about the hack... and every time I've tried it tells me to try again later.

          like he said, it's goddamn annoying.

    • reply
      November 11, 2011 12:33 AM

      Oh FFS video game studios

    • reply
      November 11, 2011 11:21 AM

      Forums, when are the forums coming back??

    • reply
      November 11, 2011 11:26 AM

      Random.NextBytes is my hero.
