Valve Announces Massive Steam Server Intrusion

SKYMTL writes "Valve has revealed that hackers have gained access to the Steam database and have pulled a variety of information. A statement from Gabe Newell reads in part: 'Dear Steam Users and Steam Forum Users, Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums. We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating. We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely."

Proper back end hashing and encryption?

Awesome. Sounds like they were doing things right.

Re:Proper back end hashing and encryption?

[muon-catalyzed]

..until some external auditor confirms this better start the identity theft ritual (credit cards pull etc.)

DRM rocks!

Thank god I had to sign up to STEAM and give out my personal information to play a game I had already purchased otherwise I might never have become a victim of identity theft...

Re:DRM rocks!

[Spad]

As opposed to Xbox Live? GFWL? The Rockstar Social Club? Origin? Any MMO ever? Any website you've ever purchased anything from? etc.

Let's face it, there's no shortage of places that have some, part or all of your personal information these days; Steam is just one of many.

Way to keep us informed?

[feidaykin]

Funny that I had to read about this on Slashdot. You think they could send out a mass email to everyone with a Steam account, especially when credit card numbers are involved (even if they're encrypted). I hate inbox clutter as much as the next guy, but Gabe himself says to watch your credit cards for suspicious activity (which is never a bad idea), but how are Steam users supposed to know to do so if we don't read the Steam forums, or read Slashdot? Seems like they kinda dropped the ball on the whole communication thing here...

Re:Way to keep us informed?

[cstdenis]

It sounds like they are. The article says "...below is the full email from Gabe Newell to Steam members."

Keep in mind Steam has a hell of a lot of members. It can easily take several hours to send out that many emails.

Re:Hilarity

The difference is in part due to how the attacks were handled by the respective companies, and in part due to the fact that Sony is run by gigantic cocks while Valve isn't.

Re:Hilarity

[mr_da3m0n]

I think it may have to do with Gabe being honest about it and immediatly going "Yeah it happened, here's what they got, terribly sorry about that :(" Also given the man's track record, I'd personally be more forgiving, when comparing to Sony's track record.

Re:Hilarity

[ewanm89]

Shall we go into how they fired their whole network security team the week before, or the fact the attacks on Sony were orchestrated as a retaliatory strike on them for certain lawsuits (I'm not saying it's right) just there were lots more factors to those specific attacks than just "we were hacked".

Re:Hilarity

[Local+ID10T]

The guy has just admitted they stuffed up. they had a responsibility to protect your data that they force you to provide. This is the equivalent of being raped in a police station and then being happy that the cops admitted it happened and are very sorry about it.

If you think this situation is anything like being raped -you do not know what rape is...

Re:Hey gabe

[ludomancer]

You're just being stupid for the sake of comedy right?

Amazon.com looks good right now.
Fuck, even Best Buy looks good right now.

Origin looks like the exact same crap, but with a much less trustworthy company in charge of it. EA would sell all that personal information straight to the hackers if it meant they could turn a profit.

Re:Hey gabe

[Mashiki]

Even after this, I still trust Valve more than I trust EA. Hell Valve could kill kittens and use their blood to fuel their servers, and I'd still trust them more than EA. One only needs to look into the past and see how much EA has treated not only their customers as dirt, but their employees.

Re:This is Valve's fault

[Spad]

Until we have real information about how they were hit, it's difficult to make any assumptions about how badly Valve may have screwed up.

Re:Hilarity

[Sitnalta]

Yes, but Sony stored customer data as PLAIN TEXT. Their security was a joke and they deserved all the bad press they got.

Valve on the other hand had all sensitive data encrypted. Which means that the hackers likely got nothing but useless gobbledygook.

Re:Hilarity

[Charliemopps]

It's amazing what being generally nice to your customers, delivering what you promise and not trying to ass-rape them at every turn can get you when you finally do screw up isn't it?

Re:Steaming pile

[artor3]

You don't need to give up your CC number (or any personal information) unless you are buying a game with your CC. How, exactly, do you think they should handle credit card purchases?