Windows 7: Beware: Steam Hacked, Database Containing Credit Card & Password Info

Generally speaking, we love Steam so much that we occasionally drift off and daydream about long walks on the beach with it, but nothing's perfect. No two ways about it: Steam's been breached, and – though it's faring a lot better than a certain console-based gaming network so far – it's not exactly the prettiest sight. The long and short of it? Your credit card info may be out in the wild, but it's wrapped in a nice, warm blanket of encryption. That said, monitor it closely, and change your password right now. So that's our bit. Now then, play us off, Valve's Gabe Newell.

“Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums,” Newell wrote in an IM to Steam users.

Valve has taken the Steam Forums offline and Gabe Newell has posted a message explaining that Steam has been hacked.

On Sunday, the Steam Forums were defaced, but remained online. However, further investigation found the hack was more than just for the forum software, the intruder had also gained access to a Steam user database. On that database is the following information for customers of the digital gaming service:
Usernames
Hashed and salted passwords
List of game purchases per user
E-mail addresses
Billing addresses
Encrypted credit card details

Valve is currently investigating exactly what happened and specifically what information was accessed on the database. There is currently no evidence to suggest the user information has been taken, and nothing to confirm encrypted credit card details have somehow been decrypted.

Valve is going to force everyone to change their Steam Forum password when they decide to bring them back online as a security measure. Gabe has also apologized for what has happened and the inconvenience it is causing.

If you are one of the millions of Steam account holders out there, then be cautious and watch your credit card activity. If you shared your Steam Forum password with other services you use, then go change the password on those services immediately.

The online video game service Steam has been hacked, Valve chief executive officer Gabe Newell announced to users Friday morning.


Originally, the company thought only the forums had been breached, but a message posted on Steam reveals that more data has been "accessed."

"We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information," said Newell.

It looks like there is some level of protection as far as passwords and credit card information is concerned. The "hashed" Newell refers to is a method of password encryption that uses a one-way algorithm. Meaning, it's not possible to reverse the password after encryption. To "salt" a hash is when a random set of data is added to the hashed password for further scrambling.

Newell went on to say that there is currently no evidence that the encryption on users' credit card information has been cracked. The incident is still being investigated.

Users are not required to change their passwords, but it is advised - especially if the same password is being used for both Steam and the Steam forums. Even more so if it is a generic password used on several other sites associated with the same email address.

Below is a statement sent out by Gabe Newell:

Dear Steam Users and Steam Forum Users,

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.