Steam, the premier PC digital distribution suite, experienced a security breach on November 6th. On its face, it appeared to be just some garden-variety forum vandalization, but on looking into it further, Valve found that a Steam user database was compromised as well. The server contained some actual Steam users’ account information, which is distinctly seperate from Steam forum account information, but Valve says it has found no evidence that any of the encrypted information was taken.
Some of the information on the compromised server included encrypted passwords, billing addresses, email addresses, records of purchases, and of course, encrypted credit card information. Right now, there haven’t been any reports of unauthorized credit card use, which is good, but users are being encouraged to watch their statements closely. In addition, Valve is forcing a password change on all their Steam forum users, but not their Steam (proper) users since there’s not yet any evidence that the passwords themselves were actually compromised.
It goes without saying that this might be a good time to change your Steam password anyway, just in case. Depending on exactly how well you hold up during Steam sales, your account may be worth a lot of money in its own right. My Steam password has been a string of profanities ever since I thought it got hacked back in highschool so I’m due for a change anyways. Hopefully everything will work out reasonably well, but it just goes to show you that you really have to be careful who has your information, because even the biggest guys aren’t bulletproof.
Here’s the notification that was sent out to all users:
Dear Steam Users and Steam Forum Users,
Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.
We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.
We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.
While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.
We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.
We will reopen the forums as soon as we can.
I am truly sorry this happened, and I apologize for the inconvenience.
Gabe.
(via Icrontic Gaming)
- I probably don’t need to remind you, but remember how PSN got hacked?
- And Sony Online Entertainment?
- And Sesame Street(‘s YouTube account)?
