Gabe Newell: Intruders Accessed Steam Database [Update]

[Hectic Glenn]

After the recent attack to the Steam powered user forums a few days ago, Gabe Newell has released the following press release:

Dear Steam Users and Steam Forum Users,[br]

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.[br]
We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.[br]We don't have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely. [br]
While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well. [br]We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn't be a bad idea to change that as well, especially if it is the same as your Steam forum account password. [br]We will reopen the forums as soon as we can. [br]
I am truly sorry this happened, and I apologize for the inconvenience.[br]
Gabe.

<strong>Update: The screenshot of the Gabe email stating free copies of Portal 2 and DOTA 2 would be given out is a fake according to Gabe himself.[br]We will continue to update this post with updates from Valve.

 

[Omnomnick]

Valve are going to come down on these hackers like a tonne of bricks, if gaming history has taught us anything, you don't **** with Valve.

 

[Acepilotf14]

Ooouch. I turned on Steam Guard just in case. Too many games to risk it.

 

[morgs]

That's ok Gabe, I forgive you!

 

[hool10]

That's ok Gabe, I forgive you!

I don't. The forums I was told was separate but now it turns out that may not be entirely true. Really the part that makes me really angry is that Valve has pulled a Sony on us. This happened on Sunday and it's now Thursday afternoon. :angry: Not happy at all Valve.

 

[DEATH eVADER]

Holy shit! :O

With the forums down for so long, I thought that they were starting over from scratch after the defacing, I didn't realise the breach included data theft and they were in the middle of an investigation

I would like it if they elaborated on encrypted credit card information vs. encrypted credit card numbers

I didn't change my steam password, but I had to change my email password as it was the same password

 

[morgs]

I don't. The forums I was told was separate but now it turns out that may not be entirely true. Really the part that makes me really angry is that Valve has pulled a Sony on us. This happened on Sunday and it's now Thursday afternoon. :angry: Not happy at all Valve.

Except Valve only thought the forums were compromised until now.

 

[hool10]

Except Valve only thought the forums were compromised until now.

Well they should have checked more than the forum now should they? Really this feels like 2003 all over again and I mentioned this to Glenn when this first broke. Sure Valve has been hacked large and small since that time but it wasn't really major. This is major. Gabe yet again is at that "oh my company is in the shitter again with this fiasco" yet last time he asked the community for help.

This time he is just doing the typical Gabe along with Episode 3.

 

[<RJMC>]

so no danger whit credit car dnumber information yet? what I can do if I see suspicious movements in my account? can I alert the bank in some way?

 

[Hectic Glenn]

Also to clarify for those who missed it in the message from Gabe, "We learned that intruders obtained access to a Steam database in addition to the forums." So this was an additional breach, this information was not on the Steam forum database. How so much was able to be accessed from the original Steam forum breach is a mystery, all we know is that a Steam forum admin account was used to deface them and that account could possibly have had credentials which were identical to those for accessing other databases. Hopefully this isn't the case as that would be a serious blunder in security terms.

 

[Barnz]

Stop crying, hool.

 

[brad92]

Nah, there's no way Hool could be that much of an idiot.

Wishful thinking?

 

[V-Man339]

I'm just glad they told us the same day the hack happened that it wouldn't be out of the question that card information was stolen, unlike Sony's "everything is fine, they just hacked the psn, it'll be back within the week" load. Something I've always appreciated about Valve is the fact that they care about the fans, and I can honestly feel as though Gabe means sorry when he says as much, if only because he is as vigilante in responding to the problem as the victim would be.
Also worth pointing out? Valve is smart enough to encrypt practically all of the information included, unlike, again, Sony's policy of "lets store credit card numbers in plain text, unencrypted." Valve seems to be handling this as perfectly as possible so far, and I have to give them credit for it.
Yes, I'll be watching my bank statements and transactions that much more carefully from now on, possibly even changing debit card. But for pete's sake, I forgive Valve because it is woefully apparent they hate this as much as we do, and they're going about handling the spill as carefully as anyone effected by it would.

 

[Krynn72]

I only have my $300 limit CC on Steam so its not a huge deal for me, but this is sad news. Valve is handling it like a pro as always though. Immediate notification and not downplaying it. If it was an admin account that was used on the forums, which used the same password for accessing the Steam database, then thats a pretty big blunder for sure, but at least it wasn't the result of poor policy as it was in Sony's case (with unencrypted data even), but rather one person being foolish enough to use the same password for his important accounts.

 

[hool10]

No, I'm not an idiot at all. I'm pretty sure that Gabe Newell and everybody else who works for Valve have been having a crazy week. We don't know too much what is going on but I would like to learn when they found out the Steam database was hacked into. To me and correct me if I'm wrong, it sounds like the hackers defaced the forums and then went directly to the database all on Sunday. They only just found out the extent today in the afternoon. There are many admin accounts on the Steam forums because they have dev admins, Valve employee admins, and tech support accounts. I assume it must have been a Valve or tech support admin and I'm hoping the pass was not "GabeN". Also Valve has not sent out an e-mail warning about a security breach which you can make "Valve time" jokes about but this isn't the time for that.

In light of it all I was told by somebody that they encrypt (unlike Sony) your personal details and it's a strong encryption. In addition to the secure encryption they "salt" the encryption to make extra sure that your data is safe. I'm also fairly certain that if you have ever bought or registered on a forum before, your personal identity is somewhere in a hackers database after 2011. The amount of databases hacked every day is a lot and varies but 2011 was a real whopper of a year.

The only good thing that can come out of this is increased security and hopefully one of the hackers stole the source code for Half-Life 3 and Ricochet 2. :upstare:

 

[morgs]

You mean so they'd have to start them all over again? yeah that'd be cool.

 

[Tollbooth Willie]

BLAH BLAH BLAH I WEAR DIAPERS AND SUCK FORTY DICKS A DAY AND JERK OFF TO GABE'S PERPETUAL JIGGLING

jESUS CHRIST YOU ARE A CRYBABY MORON. sHUT UP. If I knew you in real life I would literally punch you in the face several times until your blood was a fine mix on my face. Then I'd lick it off and go for round 2. God damn it. This is not a joke either. I want to do physical harm to someone over the internet. I am going tol ****ING TAW TEAR SOMEONE'S HEAD OFF AND EAT CAKE MIX AND SHIT DOWN YOUR CHIMNEY

 

[Unfocused]

Oh, Willie. Hello there!

Hopefully Valve will crack down on these shitheads.

 

[BauerSlyer]

God damnnnnn, that Gabe guy is fat!

 

[jyggen]

 

[Hectic Glenn]

Was that email to you jyggen? A very kind gesture indeed! If you know the source to be legitimate I will update the news post with this.

 

[jyggen]

Was that email to you jyggen? A very kind gesture indeed! If you know the source to be legitimate I will update the news post with this.

I found it here, not sure if they're the original source though.

 

[<RJMC>]

so technically the card nubmers are safe? debit cards too?

 

[Krynn72]

so technically the card nubmers are safe? debit cards too?

If that email is true then yeah, they're pretty much safe, and yes debit cards would be the same.

 

[Hectic Glenn]

Probably RJMC, but that doesn't mean you shouldn't keep a keen eye on your bank statements.

I personally have only been using Paypal for Steam since it was introduced. I've changed my password for it so I'm hopeful this will limit the damage done.

 

[ZoFreX]

In addition to the secure encryption they "salt" the encryption to make extra sure that your data is safe.

You probably shouldn't discuss encryption if you know nothing about it

 

[<RJMC>]

I allways check my transactions everytime I retire cash,thats like once a week,but now I will do it dayly twice a day if posible

still no one can take money from my account whitout the pin number right?

 

[ríomhaire]

Just checked my bank online. No transactions in the last week unsurprisingly. BRB going to change a few passwords.

 

[Hectic Glenn]

Poverty is the great defence actually. If you have no money they can't take anything. Thank god for the recession eh?

 

[Higlac]

Poverty is the great defence actually. If you have no money they can't take anything. Thank god for the recession eh?

I just use paypal or prepaid cards for online purchases. The only credit card data they could possibly get would be old expired cards.

 

[Bob-taro]

No, I'm not an idiot at all. I'm pretty sure that Gabe Newell and everybody else who works for Valve have been having a crazy week. We don't know too much what is going on but I would like to learn when they found out the Steam database was hacked into. To me and correct me if I'm wrong, it sounds like the hackers defaced the forums and then went directly to the database all on Sunday. They only just found out the extent today in the afternoon. There are many admin accounts on the Steam forums because they have dev admins, Valve employee admins, and tech support accounts. I assume it must have been a Valve or tech support admin and I'm hoping the pass was not "GabeN". Also Valve has not sent out an e-mail warning about a security breach which you can make "Valve time" jokes about but this isn't the time for that.

In light of it all I was told by somebody that they encrypt (unlike Sony) your personal details and it's a strong encryption. In addition to the secure encryption they "salt" the encryption to make extra sure that your data is safe. I'm also fairly certain that if you have ever bought or registered on a forum before, your personal identity is somewhere in a hackers database after 2011. The amount of databases hacked every day is a lot and varies but 2011 was a real whopper of a year.

The only good thing that can come out of this is increased security and hopefully one of the hackers stole the source code for Half-Life 3 and Ricochet 2. :upstare:

I don't see where anywhere that it says whether this hack occurred the same day or when Valve became aware of it. By "pulling a Sony", I assume you mean sitting on knowledge of the hack for a while without alerting anyone. It's possible that happened here, but I've seen no proof one way or the other. It's too bad that whatever else a company is good at these days, they also have to put a lot of effort into security.

 

[Hectic Glenn]

Absolutely and put our faith in companies when we use their services that they will hold this side of the bargain. The cut Steam (Valve) takes for games bought on Steam goes towards bandwidth costs and security (amongst many other things) and so we expect of them to fulfil their duty in keeping our information safe that we have entrusted in them. This confidence is something Valve have successfully built upon since they became pioneers in digital distribution for gaming. Certainly there have probably been larger threats in the past but it has seemed Steam has stood up to the task. The problem lies in the ever changing way that security threats materialise. I'm certain Valve invests significantly in their security infrastructure (if they hadn't, this could have been far worse without encryption) and I imagine the task of staying on top is a very difficult one.

In this particular situation, it could well be possible that the breach has come from a flaw in some software or alternatively, human negligence. The latter is probably worse as it could be avoided. It's a shame that sometimes incidents such as this have to happen for companies to be reactive to a problem. The saying 'It's much easier to react than act' is something I've always related to and now it is Valve's turn to react.

 

[Asknoone]

I wondered if I would find Hool in this thread.

 

[PimpinPenguin]

Don't know if this is connected, but when i tried to purchase Sonic Generations on monday my debit card was suspended and my bank said they had received information that there was security issues with steampowered and a high risk of fraud. Kinda regret letting Steam remember my card details now.

 

[<RJMC>]

Don't know if this is connected, but when i tried to purchase Sonic Generations on monday my debit card was suspended and my bank said they had received information that there was security issues with steampowered and a high risk of fraud. Kinda regret letting Steam remember my card details now.

your card was cancelled because of it?

 

[Mogi67]

No, I'm not an idiot at all. I'm pretty sure that Gabe Newell and everybody else who works for Valve have been having a crazy week. We don't know too much what is going on but I would like to learn when they found out the Steam database was hacked into. To me and correct me if I'm wrong, it sounds like the hackers defaced the forums and then went directly to the database all on Sunday. They only just found out the extent today in the afternoon. There are many admin accounts on the Steam forums because they have dev admins, Valve employee admins, and tech support accounts. I assume it must have been a Valve or tech support admin and I'm hoping the pass was not "GabeN". Also Valve has not sent out an e-mail warning about a security breach which you can make "Valve time" jokes about but this isn't the time for that.

In light of it all I was told by somebody that they encrypt (unlike Sony) your personal details and it's a strong encryption. In addition to the secure encryption they "salt" the encryption to make extra sure that your data is safe. I'm also fairly certain that if you have ever bought or registered on a forum before, your personal identity is somewhere in a hackers database after 2011. The amount of databases hacked every day is a lot and varies but 2011 was a real whopper of a year.

The only good thing that can come out of this is increased security and hopefully one of the hackers stole the source code for Half-Life 3 and Ricochet 2. :upstare:

Wow, and I thought I was a fag

 

[PimpinPenguin]

your card was cancelled because of it?

Not cancelled as such as they put a hold on any payments with it. I soon as a pressed "confirm payment" Steam notified me that my bank had declined payment and put a hold on my card then straight after my bank rang me to confirm that it was really me. The guy told me that they were notified of possible security issues and high levels of fraud with Steampowered hence the extra checks they were making. He warned me about using my card on it and strongly recommended that i removed my card details from it, which i found peculiar, but now it makes sense. Never had anything like this happen to me before.

 

[<RJMC>]

since the update says that email was fake,does it means the cards where not encrypted in that way?

any more updates from velve on the issue?