Steam hit by Hackers

[Darkon84]

Hey guys, just thought this should be flagged up.

Steam hit by hackers

Valve's online game service Steam hit by hackers

The Steam video game service, used by 35 million people, has been compromised by hackers.

Its owner and operator, Valve, uncovered an intrusion into a user database while investigating a security breach of its discussion forums.

The attackers used login details from the forum hack to access a database that held ID and credit card data.

Valve said that, so far, it had no evidence that credit cards were being misused or Steam accounts abused.

Losing trust

The defacement took place on 6 November and the Steam forums were taken offline when Valve learned of the attack.

At first the firm said the discussion groups were offline for maintenance.

However, a message posted to the front page of the forums by Valve boss Gabe Newell on 10 November has revealed that the sites were shut down because of the defacement.

Valve's investigation of that incident revealed that the "the intrusion goes beyond the Steam forums".

The initial investigation showed that the attackers gained access to a Steam database that held "user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information".

Valve has not said whether this was the full database of Steam's 35 million active accounts or a subset of that total.

Mr Newell said Valve had no evidence that the encrypted credit card information or personal information on gamers had been taken. However, he added, "we are still investigating".

He said it had only discovered that a few forum accounts had been compromised and used to carry out the defacement.

But Mr Newell added that all forum users will be required to change their passwords when the discussion site re-opens, which the firm is trying to achieve as quickly as possible.

He advised users to change passwords on other accounts if they are the same as the one used for the Steam forums.

"I am truly sorry this happened, and I apologize for the inconvenience," concluded Mr Newell.

Code changes

Steam is a gaming service that lets people buy, download, play and chat about a huge variety of games, only some of which are made by Valve itself.

About 1,500 titles are currently available on Steam including Skyrim, LA Noire and Modern Warfare 3 as well as many independent and free games.

Security expert Paul Ducklin, writing on the blog of security firm Sophos, handed down advice about what to do following the breach.

He said users should change passwords, monitor credit card statements, consider removing card numbers from Valve's servers and sign up for the Steam Guard security service.

He also urged users to insist businesses take steps to make it much harder for hackers to penetrate their systems and use stolen data.

"Community pressure has persuaded many businesses to improve their password-handling code," he said.

[Trav Le Bleu]

I'd guess it's probably the same people who hit PSN, but who knows? If that's the case I'd guess it's only a matter of time before XBox/Windows Live gets hit too and then they'll have the full set.

This kind of thing is why I have a seperate card for online transactions, which I don't do that many of. I can easily see if anything has been illegally taken from the account.

[Fox92]

FFS haven't these hackers got better things to be doing than this, causing everyone like me to change their password etc

[Yojoe36]

Who would want to hack steam? Valve are the best gaming company. Gabe Newell is a fvcking legend.

Makes me want to cry

[Donut]

Bear with me because im SERIOUSLY not technically minded

The only people to worry through steam are those who dont own physical game copies?

I cant lose any bank details because i have bought physical game copies of steam compatible games and not downloaded them online

BUT

will this also leave me open to spamming/viruses to my own computer now they have my email address?

[Trav Le Bleu]

Bear with me because im SERIOUSLY not technically minded

The only people to worry through steam are those who dont own physical game copies?

I cant lose any bank details because i have bought physical game copies of steam compatible games and not downloaded them online

BUT

will this also leave me open to spamming/viruses to my own computer now they have my email address?

Only if you've used Steam to active them and that required leaving your email address I guess.

No point in worrying about something that may never happen though - chances that they got all 35 million account details and tht if they did, they'll get around to abusing all of them, are remote I'd guess.

[Salieri]

Dear Steam Users and Steam Forum Users:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don't have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn't be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

Not at all fucking happy about this. I suggest anyone with a Steam account at the very least removes any card details. Sounds like at this point they don't know the extent of any intrusion so check your statements.

Piss fucking poor.

Just noticed the date is a week ago so not sure why I've only just become aware of this, apologies if similar has been posted elsewhere and delete thread if necessary.

[John Matrix]

it's a tad annoying no doubt. the free games they've offered don't cut it either (mainly cos i'm not interested in them)

[dave_the_fox]

Down the posts a bit m8

http://www.foxestalk.co.uk/forums/index.php?showtopic=77886&pid=2056060&st=0entry2056060

[Salieri]

Down the posts a bit m8

http://www.foxestalk.co.uk/forums/index.php?showtopic=77886&pid=2056060&st=0entry2056060

Oops, didn't see that.

Well i've removed my card details and changed my password. Will just have to have a butchers at my statement at the end of the month to see if owt was pinched, not that there's much in there to bother with.

[Trav Le Bleu]

Oops, didn't see that.

Well i've removed my card details and changed my password. Will just have to have a butchers at my statement at the end of the month to see if owt was pinched, not that there's much in there to bother with.

Just for the record, how do you remove your card details? Do you have to buy something to do it?

[Salieri]

Just for the record, how do you remove your card details? Do you have to buy something to do it?

I just clicked on my account and there was an option to remove card details.

[Phube]

Luckily I've never stored my details on Steam, always ad hoc'd it. Unless they can hack their company details, then we're all screwed!

[danny.]

if the passwords and credit card details were hashed and salted as they stated, then then without the hash method and 'salt' (will be a random combination of characters) then there won't be any way to get the actual passwords and cc details from that.