
Valve admits forum hack exposed gamers' privates

Punters steamed about sensitive data leak


Steam, the online platform of video game firm Valve Corporation, has admitted that customer personal details including encrypted credit card information might have been exposed by a hack attack last weekend.

The hack led to the creation of a new "promoted" discussion thread on the Steampowered forum, ostensibly promoting a site offering gaming cracks. In addition, some users began receiving spam promoting the same site.

The Steampowered site was suspended, initially without explanation. However, in an updated message posted on Thursday (below), forum administrators admitted the site had been hacked and that the collateral damage caused extends well beyond that caused by a simple defacement.

Back-end databases – holding sensitive data including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information – were also breached. Users are advised to change their passwords and to keep a close eye on their bank statements, in case crooks manage to use the stolen data to commit fraud or perhaps to run identity theft scams.

Dear Steam Users and Steam Forum Users:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they log in. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

News of the breach coincides with the release of Skyrim, the fifth game in Bethesda Software's popular Elder Scrolls series; unlocking the game and playing it online required access to Steam's online services.

Steam's game servers were taken offline as a precaution following the breach on its forums, but they were back online in time for the Friday launch of the game, avoiding the need to delay the launch, as net security firm Sophos reports.

More than 1,400 games are available through Steam, which has an estimated 35 million active user accounts. How many of these accounts also use the Steampowered forums affected by the breach is unclear, but the figure probably runs comfortably into the millions.

Paul Ducklin of Sophos has some pointers for gamers on precautions to take following the Steam breach, the latest attack on online gaming firms over recent months, here.

The most notorious incident in an annus horribilis for gaming firms was the April hack on the PlayStation Network, which exposed the private data of millions, leading to the network's weeks-long suspension. Victims of lesser attacks have included Nintendo, Bethesda and Sega, among others. ®
