Steam forum hackers gain access to information

Valve confirms this week's security breach potentially exposed encrypted credit card numbers, passwords, addresses, more.

Hacking activities have been the story of the year within the game industry, and the latest victim is Portal creator Valve Corporation. On Sunday, the Washington-based game company's message forums for its digital distribution platform Steam were infiltrated by a hacker collective. It now appears as if the culprits accomplished more than just vandalizing the website.

Valve appears to have sprouted a leak.

In a message sent to Steam users and forum-goers today, Valve managing director Gabe Newell said that the hacker group gained access to the Steam database in addition to its forums. In so doing, the individuals involved had access to various pieces of information, including "user names, hashed and salted passwords, game purchases, email addresses, billing addresses, and encrypted credit card information."

Newell said that the company currently has no indication that the intruders took any of the encrypted credit card numbers or personal identifying information. He also said there is no evidence that encrypted credit card numbers or passwords had been cracked. However, Valve is still investigating the attack.

As a result of the security breach, Newell said that all forum users will be required to change their passwords the next time they log in to the message boards. However, as it does not appear as if any Steam accounts were compromised, Newell said that it will only be advisable, and not mandatory, to change these passwords.

Currently, the Steam forums are offline. Valve plans to reopen them "as soon as we can."

Discussion

412 comments
DenisG

Currently, the Steam forums are offline. Valve plans to reopen them "as soon as Half Life episode 3 is available for download."

original_elite

those guys need to be shot. pathetic a-holes stealing people's sh*t

Chavis02

Thank god I never went on the forums! Sucks to be those people. >_>

spoonybard-hahs

@prince_vlad First, defending your point with ad hominem and creating straw men of the view points of others betrays a limited understanding of not only your argument, but the conversation as a whole. Second, yes, it sucks DLC exists and that the industry uses it to effectively raise game prices. However, it is working. People buy DLC more and more. A faceless group hacking personally identifiable information is not a proper counter to this industry trend. Third, hackers can talk all they want of "universal culture" until they are blue in the face. But the fact of the matter is, a universal culture is neither practical nor realistic. At some point, someone has to make money on the things they create. Artists are passionate people and share what they make with the world. Craftsmen are the same, except they understand what "overhead" and "being able to afford food" means. And lastly, hackers are a mixed bag. There are good ones and bad ones. However, they are all shortsighted and misguided. Hacking CC info and such to prove how "unsafe" our stuff is is a fruitless mission (or just an excuse), as it is not how theft happens when it comes to personal info.

eternal_blade3

Clearly, very few people have any ethics or morals these days..

prince__vlad

for ydnarrewop: it's not about a world entitled to everything! Can't you read? I said universal values! That is the reason a hacker offers free music and free games on the "market". Not because he hasn't anything else to do. Nobody pays a hacker to do this. He is doing it because HE BELIEVES in that. The difference is that I can understand and respect that and you and the others ..can't. It's as simple as that

prince__vlad

for tidus89: Jewelry and my pc are not UNIVERSAL CULTURE moron! You and the others who think that way. Maybe you should visit a library or read a book from time to time. Universal values must be FREE for everyone! Not personal belongings;)

prince__vlad

for fadersdream: Kiddie? Me? I am twice your age I believe. Maybe you simply don't get it pal. Try to concentrate harder;)

prince__vlad

for LightninLew: The real IDIOT is you pal. I advise you to read again and if you still don't get it go get a life.

parrot_of_adun

@squidracerX These people represent less than 0.001% of steam users, it demonstrates little to say they care. You may be one to get worried about every little thing, but the reality is that you're almost certainly not going to run into any trouble, nor is any steam user (as a result of this event, anyway). If you've bothered to keep up with this thing, you'd know this, as many do and thus don't care. Oh, and that Lifelock guy got his identity stolen not because hackers can do anything, but because his service doesn't work. Lifelock is notoriously useless, actually lost several lawsuits from former clients for it.

MotherBound1

markus31 - "Good! I'm glad, I hope it keeps getting hacked. It pleases me to see a little misery coming Valve's way as punishment for making us all wait so damn long for Half-Life 2 Episode 3" You impatient bastard.

TevoxZi

@crossdudu I'll go with this: Click me [quote="Link above"]Even if the largest botnet ever discovered - the 30-million-computer-strong BredoLab botnet - was given the task of attacking an AES-256 implementation, the sheer number of possible combinations would make the task virtually impossible. So, should you be worried about your electronic transactions being insecure? At the moment, no.[/quote] Edit: fixed* and even if they theoretically managed to do it faster [quote="The same link"]Media reports suggest the researchers found a way of decrypting AES that is three to five times faster than any previous method. Three or four times faster than the age of the universe is still billions of years and as a result, circumventing AES-256 encryption is still incredibly impractical, to put it mildly.[/quote]

Komania

@Darth_Starwind Actually it's happened twice, and there was nothing I could do to prevent it. And most people I know are dumb enough to put all that stuff on Facebook. Now, I think you're overestimating the intelligence of the hackers and their clients. Let me remind you how much information the Russian mafia currently possesses; if people want an identity that badly they don't need to hack a website, they just need to pay a small fee for the credit card numbers and such from the Russian mafia. And credit cards were probably not acquired, unless the hackers obtained the decryption key (which is unlikely). If they don't have the key, they will almost surely not obtain the credit card information. And from my experience opening a credit card is much harder than simply going "Hi, my name is John Doe, here's my address and date of birth". Once again, things are probably different in Canada, or maybe I've just been lucky. I'm not spreading misinformation, I'm telling people to calm down because it's really not that big of a deal (at this present moment). Things have happened to me and I was fine, which is why I don't think the situation is that serious (to me at least). Besides, what will panicking do to resolve the situation anyways?

Darth_Starwind

@Komania Well if you keep getting your credit card number stolen then I suggest to you that you're not doing something right. And yes you have been lucky. To your point about Facebook, to an extent you are right. That said, it's one thing if people are dumb enough to put that kind of info out there (i.e. birth date, location, full name, etc.) then they are playing with fire and very well may get burned. It is a completely different thing when detailed personal information (like what is found in credit card data) is stolen. Someone who goes to that length to get that information may very well use that particular card to gather as much personal information as they can and then open up new cards in the victims' names. Credit Card companies can't stop that kind of thing and the bill goes to the victim. My overall point is you can't be spreading around misinformation because you have been lucky. Yes, credit cards have protections, but they aren't perfect. Saying that people shouldn't worry is irresponsible. I will admit that it is impossible to completely protect yourself from identity theft. Also, personal information is hacked every day for the purpose of identity theft. Saying otherwise is basically deluding yourself and lying to others. I was not offended but annoyed at your willingness to spread ignorance.

crossdudu

@TevoxZi Just one question: can't the hackers use botnets to decrypt the encrypted data faster? I mean, that's what Stanford (if memory serves me) does with their Folding@Home, isn't it?

andrius45

first psn now steam. who's next, microsoft seems like the next logical choice.

GarGx1

If government and military networks can be hacked into, it comes as no surprise that any corporate network can also be hacked. I'll start worrying when they get into paypal though (someday it'll happen)

squidracerX

@TevoxZi said - "even the CEO doesn't believe in the chances of them decrypting the code" That may be true, it may be totally safe, but hackers are ALWAYS one step ahead of security, so i would never believe the chatter of security people (they probably told Valve that Steam could never be hacked either). But there was that guy that was the CEO of LifeLock, who said 100% no one would steal your identity with their protection, so much so that he put his social security number on a sign for everyone to see, and yeah they stole his identity.... :) so again, any security can be broken, and any CEO can be dead wrong. http://today.msnbc.msn.com/id/24790921/ns/today-today_people/t/id-theft-ceo-who-had-identity-stolen-defends-service/#.TsLciz0k6so

squidracerX

@parrot_of_adun said- "People don't care because there was no service interruption" ummm I 100% totally care, and 90% of the people on here care. I wouldn't mind if Steam went down for a week or a month if it guaranteed all of my info was safe, I care solely that some hacker might have my bank account email and address information. First off you try to say the 2 can't be compared because it was so terrible that PSN was down. PSN is ONLY for online, all of your games still worked fine. If Steam went down you couldn't even play single player. So Sony most likely took it down to safeguard us at cost to them but not taking away our games, I don't think Valve could afford to take all of Steam down for a month anyway, it would literally end their service completely. but yeah saying that all Steam credit card info could be out there, encrypted or not, is no big deal? and comparing PSN directly to Steam? now that is ignorant!

Komania

@Darth_Starwind You realize how easy it is to acquire those things, right? You do a 2 second search and you can literally find the names, dates of birth, and addresses of thousands of people (just look at FaceBook). I hardly see how people would need to hack something in order to acquire that information. And for credit cards, mine has been stolen multiple times before and the credit card company shuts down spending when they notice large purchases or anything going amiss, and restore that no problem (and my credit score remained perfect). I'm sorry if you took offense to my comment. I'm in Canada, so things are quite different (social security numbers don't exist here, we have SINs though). I've had my identity (attempted) to be stolen, and my credit card stolen, and everything turned out just fine. So I do know what I'm talking about, it just seems as though I got lucky.

jollybest1

this is why i like to buy my games from a store :D

v_14

HA! This is why I use pre-paid VISA gift cards every time I make a purchase!!!! Wait!...?...aaaah shiiiiit!

ChaosUndivided

Those Hackers can Kiss my ass after I've takin a huge S#@T

Darth_Starwind

@komania "In terms of stealing your identity, well, I doubt knowing somebody's date of birth and address are enough to steal an ID" You're really without a clue aren't you? If a hacker can get a name and a date of birth, they can figure out your social security number and really screw your life over. This isn't a bloody joke. While you are mostly right about credit cards being insured, it still takes weeks to fix the false charges with the company and longer to fix your credit score if you can at all. Debit card users are just screwed since most banks won't cover fraudulent charges. I have known people whose lives have been jacked up royally for years because of this kind of thing. So quit commenting on things you don't have a damn clue about.

Komania

And sorry to double post, but why are people worried? The Russian mafia has so many credit card numbers, that they are running out of clients (so nobody cares about your credit card). And even if they did, your credit card company would likely give you back the money that was stolen. In terms of stealing your identity, well, I doubt knowing somebody's date of birth and address are enough to steal an ID, and if it is, well couldn't people just go on to FaceBook pages and take their ID? The fact is that these types of hacking are done for fun; it's a challenge for hackers. There are other ways to make money through cybercrime without getting caught. This was simply a crime for fame, same as PSN (as of now). So everybody just relax and enjoy your free games :)

Komania

[This message was deleted at the request of the original poster]

LUMIN4RY

I would rather trust a dog than another human being... if you can call some people human.

DLobotomist

Dear hackers..... stop messing with our gaming community and go do sth productive.... u guys can be so good at protecting our cyber network instead of wasting time and being hated by us....

TevoxZi

@BryanParksSuper @SicklySunStorm Steam's under AES256. Click me [quote="Internet"] An attack against a 256-bit-key AES requiring 2^200 operations (compared to 2^256 possible keys) would be considered a break, even though 2^200 operations would still take far longer than the age of the universe to complete. [/quote] I'd say the CC info is not in trouble - as long as the hackers haven't gotten access to the key, which VALVe requires per information input for the sake of validity - decrypting the information. I wouldn't worry though, I doubt the key is in the same location where all the other's at, that would simply be dumb. As far as changing the client password: You're not in trouble if you use a different password with your email than the client's, and you're using Steam Guard. Changing the password is not necessary, but advisable. More for you BryanParksSuper: So they haven't done any work on security by using AES256? Guess again, even the CEO doesn't believe in the chances of them decrypting the code - therefore the whole "what with the laws of physics being broken" -part.

kex72

I hate people.

SicklySunStorm

I've heard now that over the weekend, Steam itself (not just the forums) has been hacked, and that users' credit card details are possibly under threat? Can GS confirm this?

BryanParksSuper

Steam has been hacked like 5 times now. What, they can't beef up their security? That's why I don't buy anything from their website.

LordRaymond

It is time to take the law into our own hands. Death awaits those who mess with the Gaming industry.

T_REX305

*overused but still awesome Vader no*

Apocalypse360

Why would anyone hack Steam?!? They are by far the best game distributors.

Rj_Hutch

lol first sony, now steam, next live? sounds like the same guys that got into sony imo

2bitSmOkEy

Well Sony gave out some free games, hopefully Valve does the same ^_^

gino_pachino

reminds me of psn.....remember how the 360/pc fanboys were bashing on sony... it's karma.... next to get hacked...live users :)..it's sad to say but a really talented hacker can hack everything

parrot_of_adun

@squidracerX Again, what BDK said simply isn't true as Valve didn't "go down". Steam remained active the whole time, and still is. That's why what he said DOESN'T "ring true". People don't care because there was no service interruption (the forums are not part of their primary services mind you, merely a convenience), and all of the information accessed was much better protected than Sony's, which was largely unencrypted or stored as plain text (not to mention that Sony confirmed that it had not only been accessed, but unlike here, that it had all been downloaded). The reason the forums are the only thing affected by this is that the steam database was not seriously compromised, and its operation was thus unimpeded. To think that this is comparable to an event that saw Sony's service taken down for MONTHS, and all its user data not just accessed, but taken, could only result from ignorance.

TevoxZi

@squidracerX So criticizing one's comment is 'defending a company hardcore'? I guess I'm learning something new every day. Aren't you sort of doing the same but vice versa? Trying to 'balance it out' by making VALVe seem worse in this scenario in comparison to Sony? We're all entitled to our opinions, but I did, personally dislike how I got to hear of the whole 'hack' of PSN weeks after the server had been taken "down for maintenance." - they did know they had been infiltrated, yet they couldn't even mention that. Then again, try to find a 'Contact us' on their page, really shows off they like to show the middle finger to us in need. Like said, nothing's unhackable, but what's done due to the hack and how its fanbase is updated is up to the company. Considering Steam's on AES256, we've got nothing to worry about in terms of CC info unless they get the key for it. The key on the other hand is unlikely in the files they compromised, VALVe has learned from 2004 anyway, at least you'd think so. Click me [quote="Internet"]An attack against a 256-bit-key AES requiring 2^200 operations (compared to 2^256 possible keys) would be considered a break, even though 2^200 operations would still take far longer than the age of the universe to complete.[/quote] No one deserves to be hacked, but it's still not fanboyism to say Sony carried out their job at it horribly. I'm not the only one saying that either, a lot of major sites do too. Opinion among others', don't like it? Don't read it. As a user on both services I'm allowed to voice out my opinion - and criticize if one's comparing the two cases. Last I checked PSN was an online service too - it's not like the hackers attacked PS3's hardware. I honestly don't see where you're getting at with this. Anyway, can't be bothered to come back to this article for every response. Byebye, consider this as your win if you want to, I really don't mind.
Don't get me wrong though, I do see where you're coming from with the whole Sony being first in queue and therefore VALVe having had to prepare for their turn. I am upset too, but - stuff happens. It still doesn't make me accept Sony having hidden the information on the PSN's infiltration for those weeks to keep their ego, had they not done that - people like me would probably not be so pissed off about it. The difference simply is - when VALVe realized that something of value, something other than just the forum was in danger, they informed us instantly. Forum =/= personal information most of the time, therefore they did not mention us on 7th, it's on VBulletin. Whereas PSN - is not a 'forum', it contains personal information on itself including credit card information and therefore Sony SHOULD'VE informed its users instantly of the risk when they were infiltrated instead of giving us the "Down for maintenance" for those weeks keeping us in shadow.

squidracerX

@parrot_of_adun - ummm you did read that it wasn't just the forums right? I mean it's in the article above: "Valve managing director Gabe Newell said that the hacker group gained access to the Steam database in addition to its forums....had access to various pieces of information, including "user names, hashed and salted passwords, game purchases, email addresses, billing addresses, and encrypted credit card information." Hackers got everything my friend! But you kinda backed up what I said to TevoxZi below, Valve is the kind of company that should have been better protected BEFORE the Sony attack, and that they should be even better AFTER the Sony attack, but it still wasn't enough. So what BDK-Soft said rings true.

squidracerX

@TevoxZi - you don't need to defend Valve so hardcore, people have a right to be upset, and I really don't think they DID handle this much better than Sony did. (And we all read what you had to say, we get your points). But Sony got blasted 100 times worse than any other company even though many ended up in the same boat, and they took the extra precaution of taking PSN down at their expense for months. Many people are just pointing out that many companies screwed up here and that hackers are evil. But I for one as much as I am angry another one of my favorite platforms was hacked and this could mean financial service headaches for me, at least people can stop dumping on Sony. (I know you will still point out how they are still so much more terrible). I mean did Sony handle it badly? Sure. But they were also first with egg on their face. Steam on the other hand is an online only service (so by default should be better protected), and they had MONTHS notice that this hacker crap was going around and they still fell victim. Sony was caught with their pants down, Valve for some reason also had their pants down, but just never pulled them up for months and then still got caught with their pants down. but this shouldn't be anti-Sony or Valve, I love them both, it's ANTI HACKER!!!!

kamber87

Well, everyone using Paypal to buy on Steam should be safe right?

TevoxZi

@BDK-Soft Instantly when it became client related. Forum was hacked a week ago, but that doesn't indicate the client was in trouble at the time and therefore VALVe didn't tell its users of the FORUM hack. Whereas in the PSN's case, the PSN was taken down - and Sony, the company they are, should've told their users of the issue, the possible threat of hacking. Calling people stupid because of one zone of information isn't really 'intelligent' of an act either. Just to let you know, calling people stupid over an issue like this, is simply the same as you shooting yourself on the foot with a gun. Calling people stupid over a ridiculous reason - something that doesn't even measure intelligence, indicating that you're stupid yourself. Last I checked VALVe was among the only developers giving their full games for free. Among the only ones making free DLC, among the only developers actually listening to what the fanbase has to say. Sure, they work for money, but money is what keeps this stuff going. You may have your own opinion, but I may have my own, saying it's somehow inferior to yours is simply narrow-minded - and stupid.

02050muh

doesn't matter, I use Origin now

BDK-Soft

[This message was deleted at the request of a moderator or administrator]

ptown58

Anyone who puts their info on the interwebz is rolling the dice no matter how you look at it.(be poor and no one will want your info...ha ha ha )

ptown58

Good luck with my info ... ha ha ha ha, let's hear some real news like where's HL3? (semi joking)