Slashdot Mirror


Valve Announces Massive Steam Server Intrusion

SKYMTL writes "Valve has revealed that hackers have gained access to the Steam database and have pulled a variety of information. A statement from Gabe Newell reads in part: 'Dear Steam Users and Steam Forum Users, Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums. We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating. We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.'"

21 of 434 comments

  1. Proper back end hashing and encryption? by Anonymous Coward · · Score: 5, Insightful

    Awesome. Sounds like they were doing things right.

    1. Re:Proper back end hashing and encryption? by muon-catalyzed · · Score: 5, Insightful

      ...until some external auditor confirms this, better start the identity theft ritual (credit cards pull etc.)

  2. Hilarity by OverlordQ · · Score: 2, Insightful

    Valve gets hacked, account details likely stolen, account information hashed and salted, Gabe still praised.
    Sony gets hacked, account details stolen, account information hashed and salted, Sony run through the wringer.

    Love to see the hivemind at work.

    --
    Your hair look like poop, Bob! - Wanker.

    1. Re:Hilarity by Anonymous Coward · · Score: 5, Insightful

      The difference is in part due to how the attacks were handled by the respective companies, and in part due to the fact that Sony is run by gigantic cocks while Valve isn't.

    2. Re:Hilarity by mr_da3m0n · · Score: 4, Insightful

      I think it may have to do with Gabe being honest about it and immediately going "Yeah it happened, here's what they got, terribly sorry about that :(" Also given the man's track record, I'd personally be more forgiving, when comparing to Sony's track record.

    3. Re:Hilarity by Gravatron · · Score: 1, Insightful

      Sony announced it rather quickly, brought the network down till it was fixed, and gave everyone free games and a year of ID theft protection. What, exactly, was Sony's major problem in how they handled things?

    4. Re:Hilarity by ewanm89 · · Score: 5, Insightful

      Shall we go into how they fired their whole network security team the week before, or the fact the attacks on Sony were orchestrated as a retaliatory strike on them for certain lawsuits (I'm not saying it's right)? It's just that there were lots more factors to those specific attacks than just "we were hacked".

    5. Re:Hilarity by Local+ID10T · · Score: 3, Insightful

      The guy has just admitted they stuffed up. They had a responsibility to protect your data that they force you to provide. This is the equivalent of being raped in a police station and then being happy that the cops admitted it happened and are very sorry about it.

      If you think this situation is anything like being raped - you do not know what rape is...

      --
      "You want to know how to help your kids? Leave them the fuck alone." -George Carlin

    6. Re:Hilarity by Joehonkie · · Score: 2, Insightful

      Yes, this is exactly like being raped. At a police station. Exactly the same.

    7. Re:Hilarity by Sitnalta · · Score: 4, Insightful

      Yes, but Sony stored customer data as PLAIN TEXT. Their security was a joke and they deserved all the bad press they got.

      Valve on the other hand had all sensitive data encrypted. Which means that the hackers likely got nothing but useless gobbledygook.

    8. Re:Hilarity by Charliemopps · · Score: 5, Insightful

      It's amazing what being generally nice to your customers, delivering what you promise and not trying to ass-rape them at every turn can get you when you finally do screw up, isn't it?

    9. Re:Hilarity by Anonymous Coward · · Score: 2, Insightful

      Passwords != CC info... Passwords you want to be hashed, it is better than encryption. CC info, by contrast, can't be hashed because you need to reproduce it for the CC company and thus you have to settle for encrypting it. Don't confuse these 2 things, the security needs are quite different.

  3. DRM rocks! by Anonymous Coward · · Score: 4, Insightful

    Thank god I had to sign up to STEAM and give out my personal information to play a game I had already purchased otherwise I might never have become a victim of identity theft...

    1. Re:DRM rocks! by Spad · · Score: 5, Insightful

      As opposed to Xbox Live? GFWL? The Rockstar Social Club? Origin? Any MMO ever? Any website you've ever purchased anything from? etc.

      Let's face it, there's no shortage of places that have some, part or all of your personal information these days; Steam is just one of many.

  4. Way to keep us informed? by feidaykin · · Score: 5, Insightful

    Funny that I had to read about this on Slashdot. You think they could send out a mass email to everyone with a Steam account, especially when credit card numbers are involved (even if they're encrypted). I hate inbox clutter as much as the next guy, but Gabe himself says to watch your credit cards for suspicious activity (which is never a bad idea), but how are Steam users supposed to know to do so if we don't read the Steam forums, or read Slashdot? Seems like they kinda dropped the ball on the whole communication thing here...

    --
    "To confine our attention to terrestrial matters would be to limit the human spirit." -Stephen Hawking

    1. Re:Way to keep us informed? by cstdenis · · Score: 4, Insightful

      It sounds like they are. The article says "...below is the full email from Gabe Newell to Steam members."

      Keep in mind Steam has a hell of a lot of members. It can easily take several hours to send out that many emails.

      --
      1984 was not supposed to be an instruction manual.

  5. Re:Hey gabe by ludomancer · · Score: 4, Insightful

    You're just being stupid for the sake of comedy, right?

    Amazon.com looks good right now.
    Fuck, even Best Buy looks good right now.

    Origin looks like the exact same crap, but with a much less trustworthy company in charge of it. EA would sell all that personal information straight to the hackers if it meant they could turn a profit.

  6. Re:Hey gabe by Mashiki · · Score: 5, Insightful

    Even after this, I still trust Valve more than I trust EA. Hell, Valve could kill kittens and use their blood to fuel their servers, and I'd still trust them more than EA. One only needs to look into the past and see how much EA has treated not only their customers as dirt, but their employees.

    --
    Om, nomnomnom...

  7. Steaming pile by Culture20 · · Score: 2, Insightful

    I reiterate for posterity: I will never buy any game that requires Steam or any other DRM that prevents me from installing it twenty years from now or forces me to give up personally identifying information (especially CC numbers).

    1. Re:Steaming pile by artor3 · · Score: 4, Insightful

      You don't need to give up your CC number (or any personal information) unless you are buying a game with your CC. How, exactly, do you think they should handle credit card purchases?

  8. Re:This is Valve's fault by Spad · · Score: 4, Insightful

    Until we have real information about how they were hit, it's difficult to make any assumptions about how badly Valve may have screwed up.