Steam transaction history compromised

Valve confirms 2004-2008 purchase data copied by intruders; no evidence encrypted credit cards, billing info cracked.

Those caught up in last year's security breach of Steam and its forums still have no need to fear that their personally identifying information or credit card data has been compromised. Today, Valve head Gabe Newell issued an update on the situation, saying that the company and outside security experts have found no evidence that the hackers stole information from Steam's database.

Hackers can now see who among you have bad taste in games.

However, Newell also confirmed that bandits had secured a copy of Steam transactions made between 2004 and 2008. This data included "user names, email addresses, encrypted billing addresses, and encrypted credit card information." However, it did not contain Steam passwords.

Newell went on to note that those conducting the investigation have found nothing to indicate that the intruders have cracked the encrypted credit card or billing address information. However, he did caution that it is a good idea for users to monitor their credit card activity.

Discussion

142 comments
guildclaws

Good thing I always buy my games physical.

Landsharkk

@theshonen8899 Your comment, "Chances are that if the hackers finally cracked the encryption that they would exploit the information as fast as possible before news travels. Since this hasn't happened yet, it's safe to assume they haven't cracked it." is your opinion, not fact. You can't 'assume' a fact. It either is or is not. And that's how I responded, as if it was your opinion on the matter, which is exactly how you stated it. Your desire to assume I only contain the conversation skills of a 'grade schooler' right from the start of your rebuttal seems to read of your lack of desire to engage in mature conversation on the internet. My comment, "would you bet your bank account on that" was a comment meant to spark a response and to make a point. That's not 'trolling' (an attempt to start an e-argument). If it were trolling, then every comment here could be called 'trolling', because they all warrant a response of some kind.

theshonen8899

@Landsharkk I explained what his statement meant, not my opinion on it. If you wanna start an e-argument like a grade schooler, find someone else.

emperiox

@TevoxZi Ah k, you make a good point. Still doesn't change how disappointed I am with Valve's handling of the hacking incident though. Anyways, thanks for the clarification. :)

TevoxZi

@emperiox Yeah, it does unfortunately sound a bit like that. My guess would be that they're on separate servers, but they're not sure have the hackers gained access to that other one. The other option I can think of is that they've hid the code (the key) within something and they're not sure has its origin been compromised. Would explain how it's possible it'd have been compromised - but not used. Although, as far as I'm concerned, there's been no talk so far of wrongly used cards. Having a key would pretty much immediately decrypt such information after all. Of course, if someone does get weird bills they should contact the bank asap - and of course, inform Valve about it.

emperiox

@TevoxZi Well Steam said they don't know if hackers also obtained the key...that makes it sound like they store it in the same place...which then wouldn't that make it pointless to encrypt the info? Just curious if any computer experts know the answer to that question. Analogy: That'd be like living in a neighborhood with lots of break-ins and taping the key on the door.

TevoxZi

So while the information may be compromised, I doubt they can decrypt it. Billing information is encrypted as well, just so you guys know. VALVe took extra caution to security since the Half-Life 2 hack back in Q3 2003. The only reason there's to be cautious for, is that there's a key to decrypt the information with as it has to be processed. However, like I stated before, I really doubt Valve stored the key on the same server which was infiltrated. A database consisting information of 2004 to 2008 was POSSIBLY compromised, even that - not necessarily. Watch your balance, but don't rip your pants over this, it's more than likely going to turn out alright anyway.

TevoxZi

@Zloth2 Well, the rumours go that they use AES-256 with CBC. It's not necessarily true, but it's possible. AES-256 consists of 2^256 possible keys, so I'd go that it's pretty secure considering it's 116,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 different combinations. Article above: "Even if the largest botnet ever discovered - the 30-million-computer-strong BredoLab botnet - was given the task of attacking an AES-256 implementation, the sheer number of possible combinations would make the task virtually impossible. So, should you be worried about your electronic transactions being insecure? At the moment, no." Also: "Media reports suggest the researchers found a way of decrypting AES that is three to five times faster than any previous method. Fine. Good. But let's put that into context. Until this new development, any attempts to decrypt information encrypted with AES-256 would have taken many times the length of the universe to carry out. This is due simply to the number of possible encryption keys that need to be guessed. Three or four times faster than the age of the universe is still billions of years and as a result, circumventing AES-256 encryption is still incredibly impractical, to put it mildly." So no, I wouldn't say it's 'easy'. That article is of August 19th, 2011, so most likely not outdated either.

emperiox

@maxwell97 So hackers having a week headstart to crack the credit card encryption, sell your identity, and move locations is fine? On what planet dude. You've obviously never lost your wallet and had to call Equifax and place a watch on your credit score. It's a MASSIVE pain in the ass. A 24 hour timeframe to say "We had a breach and we are currently investigating the extent as of right now. Please call your local credit center and place a watch on your credit score in case any information was compromised. Also, be sure to change your passwords and be wary of any emails sent from us. CHECK HEADERS!"...how is that not acceptable or reasonable?

moviequest14

@nousername66 : I personally remain indifferent over Anonymous.. but I do know one thing... they have better things to do than hack Steam. That's not their goal or level. This was the result of a low-life hacker that thinks he is the next 'Neo' while living in his parents' basement.

sonicare

Honestly, I am getting tired of all these companies getting hacked. They seem to have no problem collecting and demanding all this personal information from you. But all of them seem to have less than ideal protection for it.

nate1222

It's probably some people working right there at Steam doing the hacking. Same for PSN's issues. Now watch all the brainwashed little fanboys thumb me down for calling it what it probably is.

soulless4now

I wouldn't be surprised if this was done by you-know-who.

mtait01

I used to own a 360 and I hated that my card details were stuck on the System. Now I own a PS3 and I will never do that again - keep your card details to yourself... obviously companies can't be trusted to keep them safe

moviequest14

@Zloth2 : The difference is... Gamestop is one of many, many, many console-stores. If Gamestop were to have a "security issue" (which is highly unlikely) you still have Target, Walmart, Best Buy, small game stores, Amazon, etc., etc., etc. Gamestop is one of the many, many, many console-services.. even assuming that the incredibly unlikely event does happen that Gamestop were to have "security issues" (which from my knowledge has NEVER happened... just bad business decisions on Gamestop's part that end up losing customers) there are many, many options. I know Steam isn't the only option in PC gaming.. but you are in denial if you don't think it is one of the main features of modern PC gaming.

TheShadowReview

@nousername66 Are you insinuating that this was them? I call bullsh*t and yes, I do still support them.

lonewolf1044

Agent-M, You make me laugh, you are aware that even if hackers were to wipe the database there is more than one backup of that database and it is all not in the same location, that would be like thinking you wipe the credit bureaus records and our problems will be solved, does not work like that.

moviequest14

@Sgthombre : Really? Copy and paste.. show me exactly where I have said "PC gaming is bad". I've said it isn't as good or perfect as many elitists would hope it to be... or that it isn't better than console gaming, which I still hold to.. but where have I said that PC gaming is bad?

DrKill09

I never had this problem with Direct2Drive. :roll:

Sgthombre

@moviequest14 Steam isn't some random online store, true, but at the same time there are a huge number of PC gamers who don't use the service. Understand that the "many,many others" doesn't mean a majority, and considering that people aren't coming out in droves saying their credit cards have been stolen because of this, there isn't a whole lot to worry about. And, yes, you have been saying PC gaming is bad in several of your comments that I've seen around Gamespot. You know who I hate more than console elitists? Hypocrites.

Zloth2

@moviequest14 Huh? You're so eager to bad-mouth "PC Elitists" that you aren't making any sense. What do problems with Steam have to do with the PC platform? If GameStop has security issues, does that reflect badly on consoles? @TevoxZi, is that just a 256 bit key? I don't think those are all that hard to crack. They aren't transmitting this data, though, so they could be using an even stronger encryption.

moviequest14

@Sgthombre : Yes, PC elitists are absolute morons and idiots, as are any system/console elitists.. whether it be PC, 360, PS3, Wii, Vita, 3DS or whatever system. Steam isn't some random tiny online shop.. it is one of the main online shops of the PC.. and while you might not be affected by it.. many, many other Steam users' information has now been compromised. I'm not even saying that PC gaming is bad at all.. but this only proves that this isn't the perfect master-race system that so many PC elitists treat it as.

TevoxZi

@hasancakir It's not like that information's not encrypted.

hasancakir

If they stored the credit card infos and if they got stolen, Valve is screwed.

ib_banging

Just don't store your card details! Simple!

darkcomedian

F***.......... Can't wait to hear all the talk on all of the gaming podcasts about this. Now to go make sure my credit card info isn't totally effed beyond fixing.

almossbb

The hacks keep coming in, don't they? Good thing I don't use Steam, I guess.

TevoxZi

@moviequest14 I'd love to see where you read the information's been decrypted. Compromised does not equal decryption. Also, Gabe never anything was taken: proof? Article above: "Recently we learned that it is that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008. This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information. It did not include Steam passwords." Chances of them decrypting the supposed AES-256 are so ridiculously low that this can easily be overlooked by many people. Whereas the PSN -thing was a whole different case and therefore - received a lot of criticism.

Sgthombre

@moviequest14 No, you didn't say they were perfect, but you're using the steam hacking to argue that PC elitists are morons because PC gaming sucks because this happened. Your argument is... how do I put this... WRONG. You're using what happened to one segment of one part of one gaming platform to show that the whole system is off. There is a considerably large segment of the Steam community that didn't even have accounts before 2008 (myself included), so this doesn't affect them. Also... PC gaming will be around long after each and every console is dead and buried.

TevoxZi

@staranise Quite a conspiracy theory, don't you think? Bioware's a concern of a company to Electronic Arts in addition, so there's no gain really for them if they did do that. EA's a publisher, and Bioware develops under them. Sure, EA's Origin would gain from a drop of Valve's reputation with Steam, however EA's got a bit of attitude to fix before they'd be able to get reputation up simply because of that. I'm sure, that even EA has better ways around getting reputation among consumers. EDIT: You don't really need to look sharp to see my negativity towards EA in my rhetorics.

staranise

I don't wanna say anything but.....it's EA/BioWare's fault! It's a way to second guess you about Steam so that you'll swoon over their crappy Origin...just sayin' imo. ^_^v

TevoxZi

The reason not everyone got an email is because this doesn't concern us all. Like this article mentions, it's 2004 to 2008. It's 'a database', not 'the database.' It means there's multiple databases from where they POSSIBLY gained access to one. Those who were in that zone, were given e-mails on about it as a notify. If nothing, you'd be notified of it on the client regardless to know about the situation. If you didn't get an email back then, you're not really in the dangerzone.

TevoxZi

@maxwell97 and if the rumours are true, Valve uses AES-256 encryption for the credit card information. Which, with current technology takes billion years to decrypt, seriously. Even the largest botnet isn't bothering with it. The only fear here is if Valve stored the key to it in the same place as the attack took place in, but.. knowing Valve, very doubtfully. As for this article: Valve never confirmed it, Gabe said it's "probable", which does not equal a yes - or a no. It's possible such information has been compromised, but decrypting the CC info is very, very unlikely. That however, does not mean that you shouldn't look at your balance if you've bought from Steam between 2004 and 2008 using your card as it's better to be safe than sorry. Also: to people on about changing to physical discs because of this: I just want to point out that your credit card company has your information on file as well. Just simply having a credit/debit card leaves you open to this kind of stuff. @XanderZane No, this is a followup to the last year's. @rarson Plus, the service being Steam, you should use Steam Guard, have an email with a different password to Steam. If Gmail, you can even lock your phone number to your Gmail account so you cannot access the Gmail itself without going through your cellphone's TXTs to gain access to the code sent by Valve for Steam Guard on your email. Talk about work for those who're not permitted access.

alesmana

Luckily I didn't purchase anything until last Christmas sale :)

nyran125

Luckily I have a credit card that can't be used for actual credit, I can only put money on to it and that's all.

Drakillion

Why would you hack Steam? Not cool guys.

maxwell97

@Agent-M: falling behind, are we?

maxwell97

@dRuGGeRnaUt: "Those that believe that companies "encryption" is completely fail safe is fooling themselves. " I'm not a cryptography expert, but my understanding is that algorithms typically used in credit card databases are un-cracked and generally considered impossible to brute-force with current technology. Go to Wikipedia and look up "triple DES." So, from what I can tell, our credit cards are safe.

downloadthefile

Just please stop hacking. These guys hack video game sites??? They waste their abilities on garbage. They hack sites whose customers are people their age, sometimes even them. Occasionally they do funny stuff like with PBS and the story of Tupac being alive in New Zealand, but most of the high profile things hackers have done recently are no better than the Nigerian email scam.

Shinobi120

@synthetiksin: Game discs can last for a very long time, providing that you take really good care of them. Plus if their discs get stolen, they can always find themselves another copy.

Agent-M

To the hackers who enjoy hacking into company servers and databases: Please hack into the student federal loan database and wipe out all student debts, now that would be a great use of your skill.

asmoddeuss

Hackers trying to damage companies hacking end users & gamers. When will they learn they are aiming wrong?

Hirasugi

thanks hacking entrepreneurs, hacking showboaters, and hacktivists. No one in the industry or the gaming community likes you--congrats. I sincerely hope you are tracked down and dragged through the streets for your selfishness! THIS is why online innovation is so slow because corporations have to continually set up barriers from filthy thieves instead of simply making money. bah!

synthetiksin

This article is making it seem like something else happened. It didn't. Oh and discs and stuff still have a lifespan not to mention someone can easily steal it. Just sayin...

strayfies

Hacking used to be a lot more lucrative.

foxhound_fox

The hackers broke in to what, see if VALVe was telling the truth about their sales data?

Shinobi120

@THA-TODD-BEAST & @KamuiFei: I agree. This is one of the reasons why I don't turn towards digital only products. All for what? For digital copies of games that probably won't be around forever once companies shut down servers for specific games or to take them away completely? Or for them to be kaput if something terrible happens to your computer, console, or your backups? Physical copies for games, music, etc., are always good for the consumer in the long run.
