Feeds

Valve admits forum hack exposed gamers' privates

Punters steamed about sensitive data leak

Internet Security Threat Report 2014

Steam, the online platform of video game firm Valve Corporation, has admitted that customer personal details including encrypted credit card information might have been exposed by a hack attack last weekend.

The hack led to the creation of a new "promoted" discussion thread on the Steampowered forum, ostensibly promoting a site offering gaming cracks. In addition, some users began receiving spam promoting the same site.

The Steampowered site was suspended, initially without explanation. However, in an updated message posted on Thursday (below), forum administrators admitted the site had been hacked and that the collateral damage caused extends well beyond that caused by a simple defacement.

Back-end databases – holding sensitive data including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information – were also breached. Users are advised to change their passwords and to keep a close eye on their bank statement, in case crooks manage to use the stolen data to commit fraud or perhaps to run identity theft scams.

Dear Steam Users and Steam Forum Users:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they log in. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

News of the breach coincides with the release of Skyrim, the fifth game in Bethesda Software's popular Elder Scrolls series; unlocking the game and playing it online required access to Steam's online services.

Steam's game servers were taken offline, as a precaution, following the breach on its forums but they were back online in time for the Friday launch of the game, avoiding the need to delay the launch, as net security Sophos reports.

More than 1,400 games are available through Steam, which has an estimated 35 million active user accounts. How many of these accounts also use the Steampowered forums affected by the breach is unclear, but the figure probably runs comfortably into the millions.

Paul Ducklin of Sophos has some pointers for gamers on precautions to take following the Steam breach, the latest attack on only gaming firms over recent months, here.

The most notorious incidents in an annus horribilis for gaming firms was the April hack on the PlayStation Network, which exposed the private data of millions, leading to the network's weeks-long suspension. Victims of lesser attacks have included Nintendo, Bethesda and Sega, among others. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.