Valve confirms this week's security breach potentially exposed encrypted credit card numbers, passwords, addresses, more.
Hacking activities have been the story of the year within the game industry, and the latest victim is Portal creator Valve Corporation. On Sunday, the Washington-based game company's message forums for its digital distribution platform Steam were infiltrated by a hacker collective. It now appears as if the culprits accomplished more than just vandalizing the website.
In a message sent to Steam users and forum-goers today, Valve managing director Gabe Newell said that the hacker group gained access to the Steam database in addition to its forums. In so doing, the individuals involved had access to various pieces of information, including "user names, hashed and salted passwords, game purchases, email addresses, billing addresses, and encrypted credit card information."
Newell said that the company currently has no indication that the intruders took any of the encrypted credit card numbers or personal identifying information. He also said there is no evidence that encrypted credit card numbers or passwords had been cracked. However, Valve is still investigating the attack.
As a result of the security breach, Newell said that all forum users will be required to change their passwords the next time they log in to the message boards. However, as it does not appear as if any Steam accounts were compromised, Newell said that it will only be advisable, and not mandatory, to change these passwords.
Currently, the Steam forums are offline. Valve plans to reopen them "as soon as we can."
@prince_vlad First, defending your point with ad hominem and creating straw men of the viewpoints of others betrays a limited understanding of not only your argument, but the conversation as a whole. Second, yes, it sucks DLC exists and that the industry uses it to effectively raise game prices. However, it is working. People buy DLC more and more. A faceless group hacking personally identifiable information is not a proper counter to this industry trend. Third, hackers can talk all they want of "universal culture" until they are blue in the face. But the fact of the matter is, a universal culture is neither practical nor realistic. At some point, someone has to make money on the things they create. Artists are passionate people and share what they make with the world. Craftsmen are the same, except they understand what "overhead" and "being able to afford food" means. And lastly, hackers are a mixed bag. There are good ones and bad ones. However, they are all shortsighted and misguided. Hacking CC info and such to prove how "unsafe" our stuff is is a fruitless mission (or just an excuse), as it is not how theft happens when it comes to personal info.
for ydnarrewop: it's not about a world entitled to everything! Can't you read? I said universal values! That is the reason a hacker offers free music and free games on the "market". Not because he hasn't anything else to do. Nobody pays a hacker to do this. He is doing it because HE BELIEVES in that. The difference is that I can understand and respect that and you and the others... can't. It's as simple as that
for tidus89: Jewelry and my pc are not UNIVERSAL CULTURE moron! You and the others who think that way. Maybe you should visit a library or read a book from time to time. Universal values must be FREE for everyone! Not personal belongings ;)
for fadersdream: Kiddie? Me? I am twice your age I believe. Maybe you simply don't get it pal. Try to concentrate harder ;)
for LightninLew: The real IDIOT is you pal. I advise you to read again and if you still don't get it go get a life.
@squidracerX These people represent less than 0.001% of steam users, it demonstrates little to say they care. You may be one to get worried about every little thing, but the reality is that you're almost certainly not going to run into any trouble, nor is any steam user (as a result of this event, anyway). If you've bothered to keep up with this thing, you'd know this, as many do and thus don't care. Oh, and that Lifelock guy got his identity stolen not because hackers can do anything, but because his service doesn't work. Lifelock is notoriously useless, actually lost several lawsuits from former clients for it.
markus31 - "Good! I'm glad, I hope it keeps getting hacked. It pleases me to see a little misery coming Valve's way as punishment for making us all wait so damn long for Half-Life 2 Episode 3" You impatient bastard.
@crossdudu I'll go with this. Quote (Link above): "Even if the largest botnet ever discovered - the 30-million-computer-strong BredoLab botnet - was given the task of attacking an AES-256 implementation, the sheer number of possible combinations would make the task virtually impossible. So, should you be worried about your electronic transactions being insecure? At the moment, no." Edit: fixed* and even if they theoretically managed to do it faster. Quote (The same link): "Media reports suggest the researchers found a way of decrypting AES that is three to five times faster than any previous method. Three or four times faster than the age of the universe is still billions of years and as a result, circumventing AES-256 encryption is still incredibly impractical, to put it mildly."
@Darth_Starwind Actually it's happened twice, and there was nothing I could do to prevent it. And most people I know are dumb enough to put all that stuff on Facebook. Now, I think you're overestimating the intelligence of the hackers and their clients. Let me remind you how much information the Russian mafia currently possesses; if people want an identity that badly they don't need to hack a website, they just need to pay a small fee for the credit card numbers and such from the Russian mafia. And credit cards were probably not acquired, unless the hackers obtained the decryption key (which is unlikely). If they don't have the key, they will almost surely not obtain the credit card information. And from my experience opening a credit card is much harder than simply going "Hi, my name is John Doe, here's my address and date of birth". Once again, things are probably different in Canada, or maybe I've just been lucky. I'm not spreading misinformation, I'm telling people to calm down because it's really not that big of a deal (at this present moment). Things have happened to me and I was fine, which is why I don't think the situation is that serious (to me at least). Besides, what will panicking do to resolve the situation anyways?
@Komania Well if you keep getting your credit card number stolen then I suggest to you that you're not doing something right. And yes you have been lucky. To your point about Facebook, to an extent you are right. That said, it's one thing if people are dumb enough to put that kind of info out there (i.e. birth date, location, full name, etc.) then they are playing with fire and very well may get burned. It is a completely different thing when detailed personal information (like what is found in credit card data) is stolen. Someone who goes to that length to get that information may very well use that particular card to gather as much personal information as they can and then open up new cards in the victims' names. Credit card companies can't stop that kind of thing and the bill goes to the victim. My overall point is you can't be spreading around misinformation because you have been lucky. Yes, credit cards have protections, but they aren't perfect. Saying that people shouldn't worry is irresponsible. I will admit that it is impossible to completely protect yourself from identity theft. Also, personal information is hacked every day for the purpose of identity theft. Saying otherwise is basically deluding yourself and lying to others. I was not offended but annoyed at your willingness to spread ignorance.
@TevoxZi Just one question: can't the hackers use botnets to decrypt the encrypted data faster? I mean, that's what Stanford (if memory serves me) does with their Folding@Home, isn't it?
If government and military networks can be hacked into, it comes as no surprise that any corporate network can also be hacked. I'll start worrying when they get into paypal though (someday it'll happen)
@TevoxZi said - "even the CEO doesn't believe in the chances of them decrypting the code" That may be true, it may be totally safe, but hackers are ALWAYS one step ahead of security, so I would never believe the chatter of security people (they probably told Valve that Steam could never be hacked either). But there was that guy that was the CEO of LifeLock, who said 100% no one would steal your identity with their protection, so much so that he put his social security number on a sign for everyone to see, and yeah they stole his identity.... :) So again, any security can be broken, and any CEO can be dead wrong. http://today.msnbc.msn.com/id/24790921/ns/today-today_people/t/id-theft-ceo-who-had-identity-stolen-defends-service/#.TsLciz0k6so
@parrot_of_adun said - "People don't care because there was no service interruption" ummm I 100% totally care, and 90% of the people on here care. I wouldn't mind if Steam went down for a week or a month if it guaranteed all of my info was safe, I care solely that some hacker might have my bank account email and address information. First off you try to say the 2 can't be compared because it was so terrible that PSN was down. PSN is ONLY for online, all of your games still worked fine. If Steam went down you couldn't even play single player. So Sony most likely took it down to safeguard us at cost to them but not taking away our games, I don't think Valve could afford to take all of Steam down for a month anyway, it would literally end their service completely. But yeah saying that all Steam credit card info could be out there, encrypted or not, is no big deal? And comparing PSN directly to Steam? Now that is ignorant!
@Darth_Starwind You realize how easy it is to acquire those things, right? You do a 2 second search and you can literally find the names, dates of birth, and addresses of thousands of people (just look at FaceBook). I hardly see how people would need to hack something in order to acquire that information. And for credit cards, mine has been stolen multiple times before and the credit card company shuts down spending when they notice large purchases or anything going amiss, and restore that no problem (and my credit score remained perfect). I'm sorry if you took offense to my comment. I'm in Canada, so things are quite different (social security numbers don't exist here, we have SINs though). I've had my identity (attempted) to be stolen, and my credit card stolen, and everything turned out just fine. So I do know what I'm talking about, it just seems as though I got lucky.
HA! This is why I use pre-paid VISA gift cards every time I make a purchase!!!! Wait!...?...aaaah shiiiiit!
@komania "In terms of stealing your identity, well, I doubt knowing somebody's date of birth and address are enough to steal an ID" You're really without a clue aren't you? If a hacker can get a name and a date of birth, they can figure out your social security number and really screw your life over. This isn't a bloody joke. While you are mostly right about credit cards being insured, it still takes weeks to fix the false charges with the company and longer to fix your credit score if you can at all. Debit card users are just screwed since most banks won't cover fraudulent charges. I have known people whose lives have been jacked up royally for years because of this kind of thing. So quit commenting on things you don't have a damn clue about.
And sorry to double post, but why are people worried? The Russian mafia has so many credit card numbers, that they are running out of clients (so nobody cares about your credit card). And even if they did, your credit card company would likely give you back the money that was stolen. In terms of stealing your identity, well, I doubt knowing somebody's date of birth and address are enough to steal an ID, and if it is, well couldn't people just go on to FaceBook pages and take their ID? The fact is that these types of hacking are done for fun; it's a challenge for hackers. There are other ways to make money through cybercrime without getting caught. This was simply a crime for fame, same as PSN (as of now). So everybody just relax and enjoy your free games :)
Dear hackers..... stop messing with our gaming community and go do sth productive.... u guys can be so good at protecting our cyber network instead of wasting time and being hated by us....
@BryanParksSuper @SicklySunStorm Steam's under AES256. Quote (Internet): "An attack against a 256-bit-key AES requiring 2^200 operations (compared to 2^256 possible keys) would be considered a break, even though 2^200 operations would still take far longer than the age of the universe to complete." I'd say the CC info is not in trouble - as long as the hackers haven't gotten access to the key, which VALVe requires per information input for the sake of validity - decrypting the information. I wouldn't worry though, I doubt the key is in the same location where all the other's at, that would simply be dumb. As far as changing the client password: You're not in trouble if you use a different password with your email than the client's, and you're using Steam Guard. Changing the password is not necessary, but advisable. More for you BryanParksSuper: So they haven't done any work on security by using AES256? Guess again, even the CEO doesn't believe in the chances of them decrypting the code - therefore the whole "what with the laws of physics being broken" -part.
I've heard now that over the weekend, Steam itself (not just the forums) has been hacked, and that users' credit card details are possibly under threat? Can GS confirm this?
Steam has been hacked like 5 times now. What, they can't beef up their security? That's why I don't buy anything from their website.
It is time to take the law into our own hands. Death awaits those who mess with the Gaming industry.
reminds me of psn... remember how the 360/pc fanboys were bashing on sony... it's karma... next to get hacked... live users :).. it's sad to say but a really talented hacker can hack everything
@squidracerX Again, what BDK said simply isn't true as Valve didn't "go down". Steam remained active the whole time, and still is. That's why what he said DOESN'T "ring true". People don't care because there was no service interruption (the forums are not part of their primary services mind you, merely a convenience), and all of the information accessed was much better protected than Sony's, which was largely unencrypted or stored as plain text (not to mention that Sony confirmed that it had not only been accessed, but unlike here, that it had all been downloaded). The reason the forums are the only thing affected by this is that the steam database was not seriously compromised, and its operation was thus unimpeded. To think that this is comparable to an event that saw Sony's service taken down for MONTHS, and all its user data not just accessed, but taken, could only result from ignorance.
@squidracerX So criticizing one's comment is 'defending a company hardcore'? I guess I'm learning something new every day. Aren't you sort of doing the same but vice versa? Trying to 'balance it out' by making VALVe seem worse in this scenario in comparison to Sony? We're all entitled to our opinions, but I did, personally dislike how I got to hear of the whole 'hack' of PSN weeks after the server had been taken "down for maintenance." - they did know they had been infiltrated, yet they couldn't even mention that. Then again, try to find a 'Contact us' on their page, really shows off they like to show the middle finger to us in need. Like said, nothing's unhackable, but what's done due to the hack and how its fanbase is updated is up to the company. Considering Steam's on AES256, we've got nothing to worry about in terms of CC info unless they get the key for it. The key on the other hand is unlikely in the files they compromised, VALVe has learned from 2004 anyway, at least you'd think so. Quote (Internet): "An attack against a 256-bit-key AES requiring 2^200 operations (compared to 2^256 possible keys) would be considered a break, even though 2^200 operations would still take far longer than the age of the universe to complete." No one deserves to be hacked, but it's still not fanboyism to say Sony carried out their job at it horribly. I'm not the only one saying that either, a lot of major sites do too. Opinion among others', don't like it? Don't read it. As a user on both services I'm allowed to voice out my opinion - and criticize if one's comparing the two cases. Last I checked PSN was an online service too - it's not like the hackers attacked PS3's hardware. I honestly don't see where you're getting at with this. Anyway, can't be bothered to come back to this article for every response. Byebye, consider this as your win if you want to, I really don't mind.
Don't get me wrong though, I do see where you're coming from with the whole Sony being first in queue and therefore VALVe having had to prepare for their turn. I am upset too, but - stuff happens. It still doesn't make me accept Sony having hid the information on the PSN's infiltration for those weeks to keep their ego, had they not done that - people like me would probably not be so pissed off about it. The difference simply is - when VALVe realized that something of value, something other than just the forum was in danger, they informed us instantly. Forum =/= personal information most of the time, therefore they did not mention us on 7th, it's on VBulletin. Whereas PSN - is not a 'forum', it contains personal information on itself including credit card information and therefore Sony SHOULD'VE informed its users instantly of the risk when they were infiltrated instead of giving us the "Down for maintenance" for those weeks keeping us in shadow.
@parrot_of_adun - ummm you did read that it wasn't just the forums right? I mean it's in the article above: "Valve managing director Gabe Newell said that the hacker group gained access to the Steam database in addition to its forums....had access to various pieces of information, including 'user names, hashed and salted passwords, game purchases, email addresses, billing addresses, and encrypted credit card information.'" Hackers got everything my friend! But you kinda backed up what I said to TevoxZi below, Valve is the kind of company that should have been better protected BEFORE the Sony attack, and that they should be even better AFTER the Sony attack, but it still wasn't enough. So what BDK-Soft said rings true.
@TevoxZi - you don't need to defend Valve so hardcore, people have a right to be upset, and I really don't think they DID handle this much better than Sony did. (And we all read what you had to say, we get your points). But Sony got blasted 100 times worse than any other company even though many ended up in the same boat, and they took the extra precaution of taking PSN down at their expense for months. Many people are just pointing out that many companies screwed up here and that hackers are evil. But I for one as much as I am angry another one of my favorite platforms was hacked and this could mean financial service headaches for me, at least people can stop dumping on Sony. (I know you will still point out how they are still so much more terrible). I mean did Sony handle it badly? Sure. But they were also first with egg on their face. Steam on the other hand is an online only service (so by default should be better protected), and they had MONTHS notice that this hacker crap was going around and they still fell victim. Sony was caught with their pants down, Valve for some reason also had their pants down, but just never pulled them up for months and then still got caught with their pants down. But this shouldn't be anti-Sony or Valve, I love them both, it's ANTI HACKER!!!!
@BDK-Soft Instantly when it became client related. Forum was hacked a week ago, but that doesn't indicate the client was in trouble at the time and therefore VALVe didn't tell its users of the FORUM hack. Whereas in the PSN's case, the PSN was taken down - and Sony, the company they are, should've told their users of the issue, the possible threat of hacking. Calling people stupid because of one zone of information isn't really 'intelligent' of an act either. Just to let you know, calling people stupid over an issue like this, is simply the same as you shooting yourself on the foot with a gun. Calling people stupid over a ridiculous reason - something that doesn't even measure intelligence, indicating that you're stupid yourself. Last I checked VALVe was among the only developers giving their full games for free. Among the only ones making free DLC, among the only developers actually listening to what the fanbase has to say. Sure, they work for money, but money is what keeps this stuff going. You may have your own opinion, but I may have my own, saying it's somehow inferior to yours is simply narrow-minded - and stupid.
Anyone who puts their info on the interwebz is rolling the dice no matter how you look at it. (Be poor and no one will want your info... ha ha ha)
I feel that all Steam users who ever trusted Steam with their credit card information are entitled to compensation (TF2 hats don't count)