Steam forums hacked

Bleah =(

November 10th, 2011
Dear Steam Users and Steam Forum Users:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

I haven’t gotten the e-mail, which is weird. The forum system might actually be using the old e-mail I used to have for my Steam account before I had to recover my account by actually e-mailing a picture of my HL2 game disc and license.

From what I’ve heard it’s mainly being seen as a pop-up message in the Steam client. Some people are getting it via email, but that might take longer to fully distribute.

I haven’t received it yet either, maybe it’s going out in batches.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.

Well, crap.

Classic mistake. Customer-facing websites, and especially forums and blogs which are frequent hack targets, should be in the DMZ and unable to connect to revenue-impacting servers. Forum and blog hacks come out at most weekly. If someone wants to get in, they will.

My company manages the infrastructure for a major MMO house, and we do something similar. We keep the forums and frontend websites in separate VLANs, totally separate from the game itself. The credit card data is stored in yet another separate segment, behind a third firewall, on a server that literally does nothing but store credit cards running an entirely different database type than the rest of the environment. Completely locked down with host-based IDS.

I am frankly surprised that Valve didn’t do something similar. It’s amateur hour. I would say it’s more likely that the intruders got in through a trojan’d laptop or something, but they came out and said that the attacker compromised the forums and used that as a jumpoff point. So yeah. Amateur mickey-mouse bullshit.

Did they get the episode 3 source this time?

:P

yeah i was wondering about this myself, valve usually gives the impression of being slightly more clued in than other operators. i guess that is not actually the case.

My faith in them was shaken when one of their devs claimed the service had no security vulnerabilities in response to a user on the forum. While I always assumed the service to be reasonably safe, I found that a pretty bold statement to make, and it caused me to question their attitude and service. Now it seems that bit of paranoia was not unfounded.

It sucks this happened though and so much information could have been compromised. Now I just wish I could remember if I ever used my new card on the service or not, the one I received after my LIVE account was hacked and used for a wealth of FIFA purchases, when I don’t even own a 360. Sigh.

After Sony you’d think that some companies might look internally and ask themselves if they are protected.

I don’t picture Gabe as an idiot, so I’m presuming that he did look internally and ask his top guys and they said they were golden.

Gabe, they FUCKING LIED.

Although the message popping up when logging in to the forum is telling me I will need to change my password the next time I log in, I’m guessing they mean after the forums have been restored? Because I can log in (and see the message, and menus) just fine, I just can’t change anything.

Oh FFS…

So much overreaction.

Hacks are inevitable and unavoidable. The important thing is in how the data that would inevitably be stolen was protected.

Valve hashed and salted their passwords. They encrypted their credit card databases.

Sony was fucking incompetent. It’s obvious that Valve knew exactly how to prepare for something like this.

Right now, no one has your passwords or credit card information. Cracking hashed/salted passwords would be next to impossible, and I doubt they used some amateurish credit card encryption.

An unfortunate event for sure but I’m with you, one thing is copying the database, another completely different is actually cracking it, so for the moment I’m not that worried about my credit card or user information.

What is the #1 thing that a competent hacker needs?

Oh that’s right, TIME

Physical access = TIME

How many rows of the database did they get access to? We don’t know, but I can only assume from Valve’s posting, they are concerned, so I doubt it was only one or few - one of the many safeguards that could have been employed. Restricting IDs to certain actions is a way to limit intrusion, commonly used to prevent vindictive or idiot employees. Being able to deface their web site and access the database implies employee level access which was not limited.

Finally - waiting 4 days to let us know that our information may have been compromised is not something I applaud.

4 days is about the minimum time required to analyze the intrusion, determine the damage, and figure out a response.

I mean, what should they do? Lock out every steam user as soon as they notice?

I guess now my Steam account will get hijacked and I’ll have to wait 25 days to access it one day soon.

Hackers = suckage

Luckily I deleted my credit card information from my Steam account shortly after the Xbox Live hack became public. I’m fucking Nostradamus! Or maybe the incompetence of all gaming-related companies when it comes to security is sadly predictable.

What is wrong with you, that you think it’s not a big deal?

Cracking salted & hashed passwords can be quite easily trivial. What if they used md5 encryption? What if they used sha1 with a small salt?

As for the “credit card encryption”, if hackers got access to the live database server, it’s not exactly a leap to imagine they also had access to the live steam store servers, which have the decryption key on them. Hell, maybe the encryption key is in the database.

Companies are, as a rule, incompetent when it comes to protecting customer data. Don’t give them benefit of the doubt.
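The post above is right that "hashed and salted" covers a wide range of quality. The following is an added example written for this page (not code from anyone in the thread, and not Valve's scheme, which the announcement does not describe): it puts the feared weak setting, one fast MD5 over a 2-byte salt, next to a hardened one, PBKDF2-HMAC-SHA256 with 16 random salt bytes and a high iteration count, and shows how salt size changes the size of a precomputed table. The password, salt and iteration count are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample values for the demonstration (not from the thread).
SAMPLE_PASSWORD = "correct horse"
SAMPLE_SMALL_SALT = b"ab"          # a 2-byte salt, the kind of "small salt" the post worries about
PBKDF2_ITERATIONS = 200_000        # work factor; raise it as hardware gets faster


def weak_hash(password: str, salt: bytes) -> str:
    """The scheme the post fears: one fast MD5 over salt + password.

    MD5 is fast by design, and a 2-byte salt only multiplies an attacker's
    precomputation by 65536, so a large leaked table stays cheap to attack.
    """
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def precomputable_table_size(wordlist_len: int, salt_bytes: int) -> int:
    """Hashes an attacker must precompute to cover every possible salt value
    for a wordlist of the given size. With a 2-byte salt this is feasible;
    with 16 random bytes it is astronomically large, so a per-user salt forces
    per-user work instead of one shared table.
    """
    return wordlist_len * (256 ** salt_bytes)


def hardened_hash(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow, salted hash: PBKDF2-HMAC-SHA256 with 16 random salt bytes.

    Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' so the
    parameters travel with the record and can be raised later.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def hardened_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                      # malformed record: never accept
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hardened_hash(SAMPLE_PASSWORD)
    print("weak:", weak_hash(SAMPLE_PASSWORD, SAMPLE_SMALL_SALT))
    print("hardened record:", record)
    print("verify correct:", hardened_verify(SAMPLE_PASSWORD, record))
    print("verify wrong:", hardened_verify("wrong", record))
    print("table size for 1e6 words, 2-byte salt:", precomputable_table_size(10**6, 2))
    print("table size for 1e6 words, 16-byte salt:", precomputable_table_size(10**6, 16))
```

The point of the comparison is the work factor, not the hash name: the weak scheme costs one MD5 per guess and its salt space is small enough to precompute, while the hardened record makes every guess cost 200,000 HMAC rounds against a salt that is unique per user, so a leaked table cannot be attacked in bulk.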

surely the hackers were kids? or l33t k1dd1es

If you were russian mafia ninja-crackers and you got into steam, why leave a trail of evidence on the forums?
Surely real hackers don’t deface forums, they take the valuable data, and try to cover the tracks that they were ever inside.
Defacing the forums just alerts everyone to check credit card statements and change passwords, rendering your booty less valuable.