Feeds

Valve admits forum hack exposed gamers' privates

Punters steamed about sensitive data leak

Choosing a cloud hosting partner with confidence

Steam, the online platform of video game firm Valve Corporation, has admitted that customer personal details including encrypted credit card information might have been exposed by a hack attack last weekend.

The hack led to the creation of a new "promoted" discussion thread on the Steampowered forum, ostensibly promoting a site offering gaming cracks. In addition, some users began receiving spam promoting the same site.

The Steampowered site was suspended, initially without explanation. However, in an updated message posted on Thursday (below), forum administrators admitted the site had been hacked and that the collateral damage caused extends well beyond that caused by a simple defacement.

Back-end databases – holding sensitive data including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information – were also breached. Users are advised to change their passwords and to keep a close eye on their bank statement, in case crooks manage to use the stolen data to commit fraud or perhaps to run identity theft scams.

Dear Steam Users and Steam Forum Users:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they log in. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

News of the breach coincides with the release of Skyrim, the fifth game in Bethesda Software's popular Elder Scrolls series; unlocking the game and playing it online required access to Steam's online services.

Steam's game servers were taken offline, as a precaution, following the breach on its forums but they were back online in time for the Friday launch of the game, avoiding the need to delay the launch, as net security Sophos reports.

More than 1,400 games are available through Steam, which has an estimated 35 million active user accounts. How many of these accounts also use the Steampowered forums affected by the breach is unclear, but the figure probably runs comfortably into the millions.

Paul Ducklin of Sophos has some pointers for gamers on precautions to take following the Steam breach, the latest attack on only gaming firms over recent months, here.

The most notorious incidents in an annus horribilis for gaming firms was the April hack on the PlayStation Network, which exposed the private data of millions, leading to the network's weeks-long suspension. Victims of lesser attacks have included Nintendo, Bethesda and Sega, among others. ®

Beginner's guide to SSL certificates

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
US government fines Intel's Wind River over crypto exports
New emphasis on encryption as a weapon?
To Russia With Love: Snowden's pole-dancer girlfriend is living with him in Moscow
While the NSA is tapping your PC, he's tapping ... nevermind
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
Slap for SnapChat web app in SNAP mishap: '200,000' snaps sapped
This is what happens if you hand your username and password to a 3rd-party
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.