(This article was updated on the 10th of February 2012, with more information)

Many of you will know that the Steam forums were hacked on Sunday. Valve have now released a statement saying that it looks like the intruders were able to gain access to a main Steam database.

It's no use pretending this isn't a very worrying thing, but it's not as bad as it could be. While the attackers should never have been able to get any access to this information from the forums, it looks like fairly decent security procedures were followed for the Steam database itself. So:


What they have:

  1. The attackers have your Steam forums email, and any other contact details you put there.
  2. They have your main Steam account email address, your purchase history and - the big one - your billing address.

What they might have:

  1. The passwords for the forums and for Steam are hashed and salted. This means they don't know what your passwords are, but they can sit with a computer guessing all day and it'll let them know if they've guessed right.
  2. If your credit card details are saved in Steam, they were saved encrypted. It seems the decryption keys are stored elsewhere, and right now they don't think that these have been compromised. So, as far as anyone knows, they don't have your credit card details.
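
To make point 1 concrete, here is an added example (not code from Valve or from the original article) of what "hashed and salted" storage looks like and why a weak password is still at risk once the records leak. The scheme (PBKDF2-HMAC-SHA256), the iteration count, the user names and the passwords are all assumptions made up for illustration; the statement does not say what Valve used.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, not a value from Valve's statement


def make_record(password, salt=None):
    """Store a random per-user salt plus the salted hash, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record, candidate):
    """Re-hash the candidate with the stored salt; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(digest, record["hash"])


def audit(records, common_passwords):
    """Return {user: password} for every record that matches a common guess."""
    found = {}
    for user, record in records.items():
        for guess in common_passwords:
            if verify(record, guess):
                found[user] = guess
                break
    return found


# Constructed sample data: three made-up users, two sharing one weak password.
RECORDS = {
    "alice": make_record("password1"),
    "bob": make_record("password1"),
    "carol": make_record("v7#Lq9!mZp2&xR4t"),
}
COMMON = ["123456", "letmein", "password1", "qwerty"]

if __name__ == "__main__":
    # Same password, different salts: the two stored hashes do not match.
    print(RECORDS["alice"]["hash"] != RECORDS["bob"]["hash"])
    # Only the accounts with a common password are flagged.
    print(audit(RECORDS, COMMON))
```

The salt stops one guess from being checked against every account at once, and the iteration count makes each guess slower, but neither protects a password that appears on a list of common choices.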

What you need to do:

  1. Load up Steam and go to Steam -> Settings -> Account. Make sure Steam Guard is turned on, and make sure you have a verified email address.
  2. Change your Steam account password. When the Steam forums come back up, change that one too. Make sure they are different. Change your secret question too.
  3. If you use the same password anywhere else on the web, change those ones too. Especially change it if it's your email account password.
  4. If you keep your credit card details saved, keep an eye on your bank statement for the next few months, at least.

Valve's full statement can be read after the jump. It should also get sent to you via Steam some time in the near future.

Gabe's Statement:

Dear Steam Users and Steam Forum Users,

Our Steam forums were defaced on the evening of Sunday, November 6.  We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums.   This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password. 

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.


Gabe's Statement #2:

10 February 2012

Dear Steam Users and Steam Forum Users:

We continue our investigation of last year’s intrusion with the help of outside security experts. In my last note about this, I described how intruders had accessed our Steam database but we found no evidence that the intruders took information from that database. That is still the case.

Recently we learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008. This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information. It did not include Steam passwords.

We do not have any evidence that the encrypted credit card numbers or billing addresses have been compromised. However as I said in November it’s a good idea to watch your credit card activity and statements. And of course keeping Steam Guard on is a good idea as well.

We are still investigating and working with law enforcement authorities. Some state laws require a more formal notice of this incident so some of you will get that notice, but we wanted to update everyone with this new information now.

