Steam database hacked; encrypted credit card information and passwords compromised

Steam has been hacked. Valve’s co-founder Gabe Newell reported the hack to users, thusly:

Dear Steam Users and Steam Forum Users,

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

22 Comments

  1. You just know those hackers want to crack iTunes. The question is whether or not they’ll be successful. Every time I read about such an incident, I fear I’ll visit MDN one day and see the headline that says iTunes accounts have been compromised, followed of course by a week’s worth of mass hysteria.

    1. You’re spending your time worrying about *that*? What purpose does that serve? If it never happens, you’ve spent a ton of time worrying for nothing, and if it does you’ve wasted a ton of time stressing about it beforehand only to stress about it all over again.

      Dude, life is too short to spend obsessing over things you can’t control which may never happen anyway. Better to focus on the positive things in life, and taking control of the things you *can* influence and change for the better.

    2. Head on over to the apple discussions… You won’t like what you see.
      Multiple threads, one I know is like 60+ pages of the same story with different people telling it.

      For over a year now iTunes accounts have been attacked.
      Maclife posted an article about it, mdn still won’t report it no matter how many times I send it to them.

      Somehow they are able to target those that have gift card balances, people put in a card.. Next day it’s gone. All buying the same handful of apps and in app purchases.
      Read the post from the guy that purchased his very first Mac, an air, and they setup his iTunes account in the apple store and applied his card in store… He gets home and it’s all gone.

      Apple has been going against their own policy for over a year now, and refunding people. (official policy is to not refund anyone)
      There IS a breach somewhere, apple knows of it and most of the media will not report on it. Some do but they never get much traction.

      1. 60+ pages or not, anecdotal stories on the web are just anecdotal stories on the web, and are probably nearly all bullshit. Note that the same tech press that goes apeshit over a non-issue like “antenna gate” would go even more apeshit if this were widespread and true. It’s not. The “guy who bought his very first Mac, an air” doesn’t exist. He’s probably just some monkey behind a kbd somewhere adding to the drama that people seem to enjoy so much.

        1. Call it what you want. But I’m in that list.
          Dropped a gift card in, via iPad, 3 days later it’s gone. Was going to be used for lion.

          I don’t buy anything but apps from iTunes, nor do I input my appleid anywhere except inside iTunes/Mac app store on my iPhone/iPad/iMac.

          Explain the emails from apple saying the purchases were unauthorized… And they break their tos and refund you?
          Maybe read the thread? People have posted apples emails they have received.
          I believe one of the people hit by it, works for Macworld.. How they found the thread.
          There is a problem with apple/iTunes security. And apple acknowledges it with the emails they send out since June this year, and how they refund the money.

          Believe what you want, but apple isn’t immune.

        2. At least they are doing the right thing here by fixing this via refunds.

          But I would definitely sleep a little easier when/if they announce that they have revamped their security.

  2. Well I guess the 20 something’s will really be in deep shit now! Their Steam account using mom’s credit card just got hacked. They may have to actually get out of the basement for a day or two. Not to worry dude, they can stay at a bud’s basement. Maybe mom will make em get out and get a job? Naw!

    1. Talk about a very stereotypical and ageist comment. You assume everyone in their 20s who plays games don’t have jobs and just play games all day. -_-

      I am in my mid 20s and I work a 9 to 5 job involving driving to customers’ houses to repair computers on-site. I like to play games now and then to relieve stress of the work day and I have a few games on Steam. Thankfully I never set it to save my credit card info but I am genuinely worried about them getting my address, email, etc. from that account now.

    2. You sad muppet, you sound ancient and bitter.

      Time has passed, average gamer is 36 years old and has wife and kids and job.

      The passwords are salted and hashed, which means they are practically impossible to break and the credit card details encrypted so it’s highly unlikely that anyone will be affected … that’s the reason you have encryption, is in case your servers are broken into the data is worthless to the hacker. That’s the case here.

      It’s interesting that it was the vBulletin system that was hacked with a SQL-injection which gave hackers access to one server which could then be compromised and access gained to wider Valve network.

  3. What is this, National Enquirer? They don’t know if passwords and credit card information have been compromised. Forum accounts (a few) have been. The passwords and CC numbers are hashed and salted. That means they’re very difficult to decrypt. And there’s no evidence they have been decrypted so far.

    Talk about a misleading headline. I thought I was at PC World or something.

  4. My account was hacked. I got the notification that my Steam account was requesting permission to be accessed from another browser. I signed in to find the account had been used for a couple of weeks. After changing the password, the hacker then had the cheek to request a password reset!

  5. Steam’s always been a piece of crap

    “oh, you actually want to /play/ the game!?”
    “here, there are some updates available, I’ll just re-download the game while you wait”
