Slashdot Mirror


Valve Announces Massive Steam Server Intrusion

SKYMTL writes "Valve has revealed that hackers have gained access to the Steam database and have pulled a variety of information. A statement from Gabe Newell reads in part: 'Dear Steam Users and Steam Forum Users, Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums. We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating. We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.'"

5 of 434 comments

  1. Re:Hey gabe by kelemvor4 · Score: 5, Informative

    Origin looks mighty tempting right about now.. with BF3 and all...

    Sure, if you don't mind handing over an inventory of everything on your PC and letting origin do what they want with the information... http://decryptedtech.com/index.php?option=com_k2&view=item&id=257:eas-origin-may-be-a-little-too-intrusive&Itemid=138

  2. Re:Way to keep us informed? by X0563511 · Score: 5, Informative

    as every time I close out a Steam game I am bombarded with a multi-page post of the latest deals and new releases.

    Sounds like you don't like this.
    1. Steam Menu
    2. Settings
    3. Interface Tab
    4. Uncheck the "Notify me..." box near the bottom

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  3. Re:Way to keep us informed? by Anubis IV · Score: 5, Informative

    Sony was quite public about it, what are you talking about?

    They may have been public about the fact that there was a breach, but they were incompetent in their handling of it. And based on my e-mail archives, they never fully informed their customers of the extent to which the intruders compromised their servers. Specifically, Sony only sent out two e-mails related to the PSN outage to all of their customers: one on April 28th to say that accounts had been compromised, but that there was no evidence of credit cards having been compromised at that time, and another on June 5th to announce the Welcome Back package. From what I can tell, there was NEVER a mass e-mail to inform their PSN customers that credit card information had, in fact, been stolen, nor did they ever send out a mass e-mail to announce their identity theft protection program (or maybe I just didn't get it because I signed up for it before they sent it?).

    Here's a complete timeline including other announcements besides e-mails:
    January or February 2011 - Sony is told by security experts specifically why their server security sucks
    Early April - Various PSN outages, some because of planned Anonymous DDoS attacks
    April 17th-19th - PSN compromised (source: Sony's April 28th e-mail)
    April 21st - PSN goes down as Sony realizes something is up
    April 23rd - Sony blames outage on external intrusion; makes no mention of compromised accounts
    April 24th - Sony starts "rebuilding" PSN after attack; still no mention of compromised accounts
    April 26th - Sony admits that someone may have some account information for their 77M accounts
    April 27th - Sony confirms that some data was stolen
    April 28th - First e-mail to customers gets sent; says there is no evidence yet of credit cards having been compromised
    May 1st - Sony confirms that 10M users had credit cards compromised; promises PSN up by week's end (spoiler: it didn't happen); doesn't send an e-mail
    May 2nd - SOE goes down after they realized it was compromised too
    May 3rd - Sony admits 24.6M SOE accounts were compromised
    May - Lots more drama as Sony makes promises to have PSN up but then reneges on them repeatedly
    June 2nd - PSN finally comes back up
    June 5th - Second e-mail to customers gets sent; tells them that the Welcome Back package is now available; makes no mention of credit cards, identity theft, or how to sign up for their free identity theft protection program

    I'd hardly call it a model to follow, and I'm still hoping that Valve will make a point of e-mailing their users in the next few days. It's fine to take a few days for something like this while you track down the details, but it does need to get done properly at some point. Sony never did it properly.

  4. Re:Hey gabe by Ant P. · Score: 5, Informative

    Yeah, so far Valve's credit card database has been stolen, but EA customers are the ones getting money stolen from their bank accounts.

  5. Re:Way to keep us informed? by Cl1mh4224rd · Score: 5, Informative

    They did? I never got that one myself.

    I did. I had completely forgotten about it until I read The MAZZTer's comment. I kind of shrugged it off as the usual email spoofing, but it still seemed odd at the time that it made it through Google's spam filter.

    The email, with redactions by me:

    Subject: Come join [redacted], a gaming resource community
    From: webmaster@steampowered.com

    Ever wanted to dominate the servers you play on with guaranteed results, but you were too afraid to cheat because of ban risks? Visit [redacted]. It's safe, secure and undetected.

    Along with hacks, we've also got some general discussion sections, hacking tutorials and tools, porn, free giveaways and much more. This site has been conditioned to meet all your needs in terms of resources so be sure to take a look and tell us what you think.

    Thanks again,
    the [redacted] team.

    --
    People will pass up steak once a week, for crap every day.