Steam forums shut down; breach to blame?

If you are trying to access the official message board for Valve's PC game download service Steam, you are likely seeing a message that states, "The Steam Forums are temporarily offline for maintenance. Your patience is appreciated." While that sounds like a normal note, Eurogamer reports that the real reason may be a breach by one or more hackers.

Apparently some Steam forum owners saw the image you see above last night when they visited the forums. It shows a slightly redesigned message board with a note to head to the video game multiplayer hacker site Fkn0wned.com. Other gamers received emails with similar messages mentioning the same web site.

At the moment there's no reason to assume that any critical Steam user information, such as passwords or credit card info used to purchase games via Steam, has been collected by this forum hacker attack. However, Steam users who have the same user name and password for both the forums and the main Steam site might want to change those details just in case.

Steam would seem to be a fairly large target for possible attacks by hacker groups since it is the single biggest PC game download service with over 20 million registered users at last count. It's about to launch what will likely be two of its biggest games of the year this week: Call of Duty Modern Warfare 3 (due out later tonight) and The Elder Scrolls V Skyrim (out on Friday).

Image via Eurogamer

45 Comments

bjoswald said,
Until I see proof of a breach, I'm just going to be ignorant and pretend it's just down for maintenance.

because the pic at the top of the article isn't proof; as well as the emails that went out.

If it was, I would not be surprised if it was Anonymous... they seem to love taking down gaming servers to screw everyone over. They have no life.

Wow I knew something was wrong last night when the steam forums redirected me to this stand gaming hacking website. I was like huh ?

People are going to have a field day with the Steam forums getting hacked. I kept asking about it too.

Yeah I was watching a movie on my PC when I decided to look at my Firefox and saw the strange message. I assumed the forums were hacked into. My Steam client is fine because I know the support, forums and client accounts are separate for this exact reason. Very good that Valve foresaw this and introduced the multi-account system.

KSib said,
The forum accounts are NOT tied to your steam account.

No but people obviously use the same email address for both and most likely the same password. Or the same password for the email account itself, which would allow the breacher to also obtain access to your Steam account. Just because they're not tied with the same database doesn't mean your Steam account is safe.

Morphine-X said,

No but people obviously use the same email address for both and most likely the same password. Or the same password for the email account itself, which would allow the breacher to also obtain access to your Steam account. Just because they're not tied with the same database doesn't mean your Steam account is safe.

If it's anything to go by, I believe the passwords are secure and can't be 'viewed' as plain text, so it's kinda safe..

Not to mention the Steam ID key part that is required...

At worst the list of emails is the worst thing they got away with...

Morphine-X said,

No but people obviously use the same email address for both and most likely the same password. Or the same password for the email account itself, which would allow the breacher to also obtain access to your Steam account. Just because they're not tied with the same database doesn't mean your Steam account is safe.

It is reasonably safe. The passwords are at the very least hashed and salted, since Valve is running vBulletin.

It seems like they just got into the Admin Control Panel. They may have guessed a password or something of the like. Everything other than the root administrator account does not have the ability to run sql statements from the admin panel, and vBulletin does not allow the administrator to see the user's hashed password from the AdminCP anyway.

I would reason that things are pretty secure.

brent3000 said,

If it's anything to go by, I believe the passwords are secure and can't be 'viewed' as plain text, so it's kinda safe..

Not to mention the Steam ID key part that is required...

At worst the list of emails is the worst thing they got away with...


Passwords in vBulletin 3 aren't that secure. If the hacker got all the hashed passwords, then they will be able to log in as anyone.

brent3000 said,

If it's anything to go by, I believe the passwords are secure and can't be 'viewed' as plain text, so it's kinda safe..

Not to mention the Steam ID key part that is required...

At worst the list of emails is the worst thing they got away with...


Well if they got a list of emails and were able to send out a message to every member of the Steam forums then it's definitely not the worst they got away with.. I can guarantee you that a decent portion of people, not a huge amount, but some would have checked out the website and registered for the forums there, at which point it's not hard for the guys who run that site to modify the registration page to database passwords unencrypted. That ends up making things a whole lot more complicated.

IMO, Valve should develop their own in-house forum software and move away from an extremely popular piece of bulletin board software that more than likely has quite a few people looking for exploits for pretty much all the time.

Just looks like some script kiddies exploiting a security hole with that certain version of vBulletin.

I don't think they have access to anything other than what administrators of the site have access to.

Lingwo said,
Just looks like some script kiddies exploiting a security hole with that certain version of vBulletin.

I don't think they have access to anything other than what administrators of the site have access to.

Well if they happen to gain access to any admin accounts that are super admins then they have access to the maintenance section in ACP which allows them to download the database. From there they could cross reference the emails/usernames/passwords (once cracked) with Steam accounts. Not to mention they could do the same thing to the email addresses and countless other things once they get access to that. A breach in a forum is a big issue for the common folk due to the fact most use their email password for everything =/

The forum breach was more than just a redesigned gui. They sent a ton of emails out to people from the admin account on the site.


---------- Forwarded message ----------
From: webmaster@steampowered.com <webmaster@steampowered.com>
Date: Sun, Nov 6, 2011 at 10:05 PM
Subject: Come join Fkn0wned.com, a gaming resource community
To: <retracted>


Ever wanted to dominate the servers you play on with guaranteed results, but you were too afraid to cheat because of ban risks? Visit Fkn0wned.com. It's safe, secure and undetected.

Along with hacks, we've also got some general discussion sections, hacking tutorials and tools, porn, free giveaways and much more. This site has been conditioned to meet all your needs in terms of resources so be sure to take a look and tell us what you think.

Thanks again,
the fkn0wned team.

Don't care for the Steam forums. A mod "warned" me (fair game), but when I questioned him as to why he placed the warning he then trawled through over two years of posts to find "offensive" posts to get me permabanned.
Bunch of trigger happy kids if you ask me. Just reset the router and registered again.

AFineFrenzy said,
Don't care for the Steam forums. A mod "warned" me (fair game), but when I questioned him as to why he placed the warning he then trawled through over two years of posts to find "offensive" posts to get me permabanned.
Bunch of trigger happy kids if you ask me. Just reset the router and registered again.

And Steam support is so fast. When you submit a ticket you need to wait more than 2 weeks for them to reply

0veR said,

And Steam support is so fast. When you submit a ticket you need to wait more than 2 weeks for them to reply

That's support being slow, not the forums.

0veR said,

And Steam support is so fast. When you submit a ticket you need to wait more than 2 weeks for them to reply

Only ever taken 2-3 days for me to get a response from support

0veR said,
vBulletin sux. They should go to IPB

Agreed, I mean look how nice Neowin's forums have become with the newest IPB.

As far as I can tell, all that was required was guessing someone's password and changing some forum settings. Unless there's more to it, I don't think that's a huge breach.

SPUF is hosted on another box alongside the TF Wiki, so it's doubtful they got anything but some "internet kudos".

The Wiki is still up, so it looks like it was just a breach of the ACP.

Xtreme2damax said,
I am hoping that everyone's financial information is safe and that wasn't compromised in any way besides the forum itself.

financial information is safe. Only the forum was hacked.

Rofl at fkn, such a bad site. Founder deleted the entire site by mistake and made them restart the whole forum... Full of skids and people who think they are good... Shame on you steam.
If fkn could do it any other site could.

Every bulletin board system has security flaws. This is why Valve doesn't have the BBS linked to Steam. If anything you should be commending Valve for understanding this.

Pc_Madness said,
Oh ****ing hell Valve. Always thought it was stupid that they were still running vBulletin. :\

Are you really just that dumb and don't know who Valve is or are you just being a retard.
There nothing wrong with vBulletinit no woste then other beside that all Bulletin Board can be hack

SHS said,

Are you really just that dumb and don't know who Valve is or are you just being a retard.
There nothing wrong with vBulletinit no woste then other beside that all Bulletin Board can be hack

No, he's right..

Ever since Internet Brands took over after Jelsoft, vBulletin has gone to crap. The software has been plagued with bugs and security issues, not to mention lackluster releases that don't add much in the way of new features or improvements. Both IPB and XenForo have surpassed vBulletin and have a much brighter future.

SHS said,

Are you really just that dumb and don't know who Valve is or are you just being a retard.
There nothing wrong with vBulletinit no woste then other beside that all Bulletin Board can be hack

You're calling other people dumb, but you can't even spell simple words properly. Hilarious.

Xtreme2damax said,
Both IPB and XenForo have surpassed vBulletin and have a much brighter future.

they are not. vb is the most advanced. it's might be isn't reliable, but it's still best we have.

SHS said,

There nothing wrong with vBulletinit no woste then other beside that all Bulletin Board can be hack

I didn't mean there was specifically anything wrong with vBulletin, it's just too risky to use in Valve's case. The source code is widely available, so anyone can find an exploit, and SPUF (Steampowered User Forums) has a tonne of accounts, making it a great target.

The proper thing to do would have been to write their own forum software, that way they can be sure it's secure. I think Blizzard have already done that with their forums.

The guys on Facepunch are saying that Valve forgot to update their copy of vBulletin, which is certainly not helping matters. :\

coth said,

they are not. vb is the most advanced. it's might be isn't reliable, but it's still best we have.

Sorry to say but vBulletin hasn't been the best or most advanced in a while, both IPB and XenForo have more features and less issues in general. vBulletin is still stuck in the past, the ACP is a nightmare to navigate as they haven't even bothered to improve it by implementing tabs. IPB3 is way ahead of VB4 and VB3 in terms of features and stability/security. IPB did mess up with 3.2 but I trust that they'll re-integrate the important features that were removed due to complaints.

Pc_Madness said,

I didn't mean there was specifically anything wrong with vBulletin, it's just too risky to use in Valve's case. The source code is widely available, so anyone can find an exploit, and SPUF (Steampowered User Forums) has a tonne of accounts, making it a great target.

The proper thing to do would have been to write their own forum software, that way they can be sure it's secure. I think Blizzard have already done that with their forums.

The guys on Facepunch are saying that Valve forgot to update their copy of vBulletin, which is certainly not helping matters. :\


This can be proof that "Open Source" is not a good thing in these situations.

Pc_Madness said,
Oh ****ing hell Valve. Always thought it was stupid that they were still running vBulletin. :\

Yah think Valve of all companies would have an enterprise grade community CRM system like Lithium or Jive software's offerings. Those are far more secure and they are SaaS offerings on cloud load balanced platforms. Symantec, McAfee, and VMware use those. I think they should switch.

jesseinsf said,

This can be proof that "Open Source" is not a good thing in these situations.

Well that not always the case
Some problem are becuases some people my update hell out of there forum but for get update OS so run a outdate OS like Sun RAQ Server.

Pc_Madness said,

I didn't mean there was specifically anything wrong with vBulletin, it's just too risky to use in Valve's case. The source code is widely available, so anyone can find an exploit, and SPUF (Steampowered User Forums) has a tonne of accounts, making it a great target.

The proper thing to do would have been to write their own forum software, that way they can be sure it's secure. I think Blizzard have already done that with their forums.

The guys on Facepunch are saying that Valve forgot to update their copy of vBulletin, which is certainly not helping matters. :\


It no diff then any othere bulletin board software source code is widely available for all them.

Xtreme2damax said,

No, he's right..

Ever since Internet Brands took over after Jelsoft, vBulletin has gone to crap. The software has been plagued with bugs and security issues, not to mention lackluster releases that don't add much in the way of new features or improvements. Both IPB and XenForo have surpassed vBulletin and have a much brighter future.


And who doing is that the cry baby developer that use to work at vBulletin he want do things his way well that not how it works.
I perf SMF
Take in to count Steam Forum "Vbulletin" has been runing for 10+ year that not bad

Pc_Madness said,
Oh ****ing hell Valve. Always thought it was stupid that they were still running vBulletin. :\

The breach happened because they were still using an outdated version of vB instead of 3.8.7 (like it is now).