Steam forums and database hacked

Valve admits extent of attack 5 days after event

Valve has issued a statement detailing a hacking attempt which took down the Steam forums last week, but also penetrated the defences of a database holding passwords, plus billing, purchase, address and credit card information.

Passwords and credit card information were encrypted and Valve says that no evidence has come to light so far of any theft or misuse of details.

"We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked," read a statement sent to Steam users by Valve boss Gabe Newell.

"We are still investigating."

No indication was given of how many accounts were breached.

"We don't have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

"While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

"We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn't be a bad idea to change that as well, especially if it is the same as your Steam forum account password."

Whilst the attack itself is perhaps an understandable and difficult-to-prevent danger, the delay in informing customers of the breach is likely to raise some eyebrows, especially given the ire which Sony attracted by staging a similar delay after the PSN security breach this year.

The first indication that the company had suffered some sort of attack was when the Steam forums dropped on Sunday, 6 November. Several users were then sent emails from a group identifying itself as "fkn0wned".

"Ever wanted to dominate the servers you play on with guaranteed results, but you were too afraid to cheat because of ban risks," read the mail.

"Along with hacks, we've also got some general discussion sections, hacking tutorials and tools, porn, free giveaways and much more. This site has been conditioned to meet all your needs in terms of resources so be sure to take a look and tell us what you think.

"Thanks again, the fkn0wned team."

This is the first public statement which Valve has made on the issue.

Latest comments (25)

Carl Hudson Studying Computer Science, University of Adelaide 6 years ago
The end of Steam?
Stephen McCarthy Studying Games Technology, Kingston University 6 years ago
I better edit my password to be on the safe side.
Terence Gage Freelance writer 6 years ago
I have a Steam account, but don't think I've bought anything from them - I'm sure it was just for a demo or something. Might log in tonight and change my password just in case.

These hacking incidents this year are pretty worrying though - you would think a company like Valve would have top security.
Greg Wilcox Creator, Destroy All Fanboys! 6 years ago
As I keep saying, until there's 100 percent security, NO digital dl sites are safe, PERIOD. Valve has solid security, I'd say, but you can't stop some people from doing what they do when they want to do it once they figure out how.

The thing that kills me is every time this has happened (Amazon, PSN, XBL, major banks, et cetera), this line or a variation of it crops up in the inevitable press release/official statement:

"We don't have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely."

Which means there's a good chance your info has indeed been stolen. Why else would someone get into an encrypted card database and NOT take info to use or sell on the lucrative market for it.

People who still want to trumpet how smartphones and other digital devices will kill dedicated handhelds and how digital downloads will kill retail off for good NEED to realize that this path isn't the best way to go unless you have a means to deal with those who want to do harm to users. This shit is NOT something we have to "get used to" or "deal with" AFTER it happens.
Jonathan Savery Creative Director/Co-Founder, Toxic Games 6 years ago
Valve probably do have top end security. But there's always going to be someone out there that can hack it.
Max Priddy 6 years ago
Well, on the plus side our personal data/passwords/credit card details are AES256 encrypted along with Steam Guard so good luck cracking that eh? Also, knowing Valve they're going to do something pretty cool for Steam users in light of these events, at least they give me no reason not to have faith in them.
Greg Wilcox Creator, Destroy All Fanboys! 6 years ago
Well, getting a free game REALLY doesn't make up for having to get one's credit repaired or some other, lesser hassles these hacks cause. As for Steam Guard, well it's probably secure as hell, but again, who knows whether or not it was breached. I'm guessing like other companies, Valve isn't going to let EVERY bit of info out until they can make sure that nothing was stolen and triple check things again as time goes on.
Henry Durrant Programmer, SUMO Digital 6 years ago
Valve is a high-profile target, I guess it was only a matter of time. If it's plugged in, it's vulnerable.
Luckily I always use PayPal or don't save my billing info on Steam.
Still, changed my password, even though I'm using Steam-Guard.
0Sign inorRegisterto rate and reply
I, for one, am disgusted and think the only way to make it up to their customers is to release Episode 3.
0Sign inorRegisterto rate and reply
@O'Connor: Well spoken my dear friend. Well spoken ... :D
Terence Gage Freelance writer 6 years ago
How about a free copy of DOTA 2 as well?
Chris McKay 6 years ago
@O'Connor: Agreed!!!
Kingman Cheng Illustrator and Animator 6 years ago
+1 O'Connor
Dave Herod Senior Programmer, Codemasters 6 years ago
@Greg Wilcox - I'm not really sure what the point you're trying to make is? Are you saying digital downloads should be completely abandoned just because sometimes things get hacked? Or are you saying that companies need to beef up their security measures? If it's the former, then you might as well say let's end all online shopping, online banking etc too. If it's the latter, well, that's a bit obvious after they've just been hacked, of course they'll do a big review of their security and close the flaws that made it possible.
Terence Gage Freelance writer 6 years ago
I presume Greg's generally having a rant about the predicted download-only future for all games. At least at the moment we can buy games in store or buy PSN/Live/Facebook credit, so if the security of online payment systems concerns you, you need never partake in it.

Speaking of which, can you buy in-store credit for Steam, or would that just be a self-defeating exercise for retailers?!
0Sign inorRegisterto rate and reply
@Andreas Gschwari: You do realise that the physical shop you buy your games from could just as easily have its credit card database hacked?
Steven Pick Lead Graphic Designer, Atomhawk Design 6 years ago
I think the mistake Gabe made regarding this was to give out his login information and password before boasting about SteamGuard. Sure, SteamGuard is super-secure, but his actions were like a red rag to the Bull of Hackery.
Stephen Wilson graphic/web designer 6 years ago
And where is the email from Steam/Valve to inform its customers about this? Why do we have to learn this information second hand from the press?
Robert Aiking Product Manager, InnoGames 6 years ago
Stephen, Gabe's statement is in one of the Steam client popups.
Greg Wilcox Creator, Destroy All Fanboys! 6 years ago
@ Dave Well, you may not like it, but it's a sad truth.

The stupid catch-22 here is most of these online shops were set up with somehow NO ONE thinking that they could be compromised in the ways they are (not thinking ahead, I say) and worse, when it does happen, they all act shocked and muddle around for a few days or longer as all that data gets sifted out.

As I've said elsewhere, it's amazing that digital entertainment is probably the ONLY area in which theft on a massive scale is continually tolerated simply because people are scared of angering the thieves. I always hear stuff like "we can't piss off the hackers because it'll just get worse". I often want to ask those people for a copy of their house keys, car keys and a shopping cart left outside their door. But I'm no thief, so I don't go there...

This can't go on as these attacks get more sophisticated and pervasive. If a parent can take a toy away from a misbehaving child, then it should be possible for any company that deals with other people's money, security and in some cases, lives to do something a lot more definitive about people who want to steal from them.

It's not as if these attacks are as "sometimes" as you say Dave and besides, isn't ONE enough? How many times do users need to freak out because their CC data and other info "may" have been compromised?

Wait... weren't the Code M forums compromised? I know I got a few emails from Codemasters telling me to change my passwords.

Let's put it this way, it's like a bank saying they ONLY get robbed six times a week instead of a thousand. As for response, the "OK, we got breached, so let's make sure we have the security we should have thought of in the first place so it won't happen again" thing is getting old fast.

Granted, the nature of that sort of activity seems to be to figure out how something works and reverse the process, but how about figuring out every way to get in and sealing up the cracks before building the foundation? Then keeping things even more secure as time goes on. It seems that a lot of attacks occur because someone exploits a lazy period by people who think things are just fine because nothing is going on. Or worse, claims they have amazing security, which just sets wheels in motion.

I'm a mostly cash-only guy, so I have no huge stake in all this. I do know people who've had their card info stolen and abused and they ALL have horror stories about a bank or shop trying to blame THEM for the problem or stalling, lying and generally doing all they can to avoid settling a claim.

Valve, of course has always been great to its Steam users, so I'm not even saying they'd do any of the above, by the way.

But my point here is that yes, online "security" is a TOTAL joke to those who want to bypass it. Until there's a way to deal with this, it's always going to be a problem that just gets bigger as we push right into the all-digital age without thinking of ALL the good and bad aspects of it. Bad first, since those are the things that need to be tackled before things get too far out of hand.
Eric Tykwinski Studying CIS5502, Temple University 6 years ago
@Greg Wilcox
You do have a point, with the advent of cloud computing and massive password cracking, security has become complacent. I'm sure everyone in this forum knows of Amazon's EC2 being used to crack hashes, or programs using GPUs to decode them. Does this mean the end to online commerce? I highly doubt that occurring. Imagine a world where online commerce has disappeared, this isn't just the gaming community you are talking about. It's in my opinion that there needs to be a greater separation between payment systems and login systems. This will force consumers to think more before a purchase, but if every company is enforcing more stringent authentication for purchases then no one will lose.

@Sebastian Sharpe
I would expect that physical stores would have at least the same security of any computer that is open to the internet and contains financial information as would an online storefront.

I guess my rant would be that there has to be more security period, and we can't rely on regulatory bodies which will in fact decrease security by standardizing a way to hack into systems. This will have to come from individual corporations putting forth a best effort approach to isolate payment systems. It's my humble opinion that this is only going to get worse than better for the gaming community and the Internet at large.
0Sign inorRegisterto rate and reply
I feel events like this represent an argument for digital retailers to be regulated to require the *least possible* information from the user that will enable the transaction(s) envisioned. It would also be a good idea for digital retailers to be required to insure and to have liability defined by regulation, if only to mitigate the risk that some consumer group or other organisation harmed by the loss will sue. Hacking incidents feel a bit like lightning strikes: the kind of spiky risk curve that would be highly appropriate to insure on.
0Sign inorRegisterto rate and reply
Perhaps we might need the painful, use once only credit info whereby you have to always enter your card details for every transaction and during that input, keyboard login is encrypted. It's a pain but it's a far sight safer than letting the digital wall keep all the information on a database
Reilly Davis 6 years ago
All these companies need to hire some hackers, and ffs get a honeypot so anyone that hacks in thinks they have the goods, only to be bombed to hell with viruses and trojans.
0Sign inorRegisterto rate and reply
A honeypot idea is good, and even setting up false areas of vulnerability will help eliminate a goodly majority seeking to disrupt services