Valve admits to cyber attack on Steam user accounts

Valve has now confirmed that a cyber attack on the Steam message board forums, which took place late on Sunday and was first reported on Monday, extended beyond the forums to Steam's user account database. In an IM sent to Steam's users, Valve CEO Gabe Newell stated, "This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information."

Newell said that at the moment there is no evidence that the credit card numbers were actually taken by the unknown cyber attackers, nor is there any indication that Steam user passwords or their credit card numbers have been cracked by whoever is responsible. He added, "Nonetheless you should watch your credit card activity and statements closely."

Newell said that a few Steam forum accounts have been compromised and that the forums, when they come back online, will require users to set a new password before accessing them again. There's no word on when the forums will be back up. Newell said that although no suspicious activity has been discovered on Steam user accounts (which use a separate password system from the Steam forums), he added, "... it wouldn't be a bad idea to change that as well, especially if it is the same as your Steam forum account password."

Newell added at the end of the IM, "I am truly sorry this happened, and I apologize for the inconvenience."

Obviously this is a huge blow both to Valve specifically and to the PC digital game industry in general. Since launching in 2004, Steam has become the number one destination for PC game downloads and has been credited with saving the industry as a whole. Hopefully this is just a blip for Valve rather than a huge setback for the company.

43 Comments

Having possibly had my details including CC number stolen in both PSN & Steam breaches, I feel much safer knowing my info was salted & hashed & encrypted with 256-bit AES rather than stored in plain text by the cowboys at Sony.

+1 to Gabe for holding his hands up from the outset rather than waiting almost a week to announce the breach after buckling under media pressure.

Long ago I signed up for a Steam account to try a demo of some game, then I lost the password. A couple of months ago I wanted to try a new demo but was unable to remember my password, and the only solution is to register for a support account and ask to reset the password, but I didn't do it...

can the hackers pass me my account details

PSN gets hacked, all the PC gamers scream for gaming master race, consoles suck, Sony is the devil qq.

Steam gets hacked, PC gamers try to downplay the issue and ignore the previous "Steam is great, omfg Origin lolol Sony sux" stuff they were spewing a few months back.

Pitiful.

daPhoenix said,
PSN gets hacked, all the PC gamers scream for gaming master race, consoles suck, Sony is the devil qq.

Steam gets hacked, PC gamers try to downplay the issue and ignore the previous "Steam is great, omfg Origin lolol Sony sux" stuff they were spewing a few months back.

Pitiful.

I'm not downplaying anything. I think Newell's response is pathetic. I want to know exactly what happened and what more they're going to do. For example: my CC info is no longer stored. Did Valve remove it or did the hackers do it?

daPhoenix said,
PSN gets hacked, all the PC gamers scream for gaming master race, consoles suck, Sony is the devil qq.

Steam gets hacked, PC gamers try to downplay the issue and ignore the previous "Steam is great, omfg Origin lolol Sony sux" stuff they were spewing a few months back.

Pitiful.

I don't think this needs to descend into a childish Console vs PC war. It's really nothing to do with that.

daPhoenix said,
PSN gets hacked, all the PC gamers scream for gaming master race, consoles suck, Sony is the devil qq.

Steam gets hacked, PC gamers try to downplay the issue and ignore the previous "Steam is great, omfg Origin lolol Sony sux" stuff they were spewing a few months back.

Pitiful.

Maybe if you were a little more honest with yourself you'd realise the reason was because Sony stored their user's details in PLAINTEXT.

GreyWolf said,

I'm not downplaying anything. I think Newell's response is pathetic. I want to know exactly what happened and what more they're going to do. For example: my CC info is no longer stored. Did Valve remove it or did the hackers do it?

Hardly. If you spent the time to read the release you'd have seen that it was clearly stated that all sensitive data was encrypted (supposedly with 256-bit AES), passwords were salted and hashed and that there was no evidence user data was even taken.

What more do you want? For Gabe to grab a crowbar, hunt down the hackers and beat them to death?

Yay, no email from Steam, and if I hadn't seen this today I would not have known about it until some time next week when I logged in to Steam. That's not a great notification system imho.
Now I need to wait until I get home tonight before I can scramble my passwords (again). This is getting repetitive and boring now. I have changed my passwords so many times this year I am now having to perform the ultimate no-no and write them down on a pad by my PC at home as I can't remember them all.

Teebor said,
Yay, no email from Steam, and if I hadn't seen this today I would not have known about it until some time next week when I logged in to Steam. That's not a great notification system imho.
Now I need to wait until I get home tonight before I can scramble my passwords (again). This is getting repetitive and boring now. I have changed my passwords so many times this year I am now having to perform the ultimate no-no and write them down on a pad by my PC at home as I can't remember them all.

It takes a while to send millions of email. Wait for it

Teebor said,
Yay, no email from Steam, and if I hadn't seen this today I would not have known about it until some time next week when I logged in to Steam. That's not a great notification system imho.
Now I need to wait until I get home tonight before I can scramble my passwords (again). This is getting repetitive and boring now. I have changed my passwords so many times this year I am now having to perform the ultimate no-no and write them down on a pad by my PC at home as I can't remember them all.

It's ok to write them down at home. If they're getting stolen from your notepad you have bigger problems than online security.

GreyWolf said,

It's ok to write them down at home. If they're getting stolen from your notepad you have bigger problems than online security.


LOL imagine getting burgled and all they take are your passwords

If you monitor certain sites where certain things get pasted, it appears Steam accounts and forum accounts have been compromised. Best to change both passwords, and associated passwords as well.

Is it possible to change passwords through steam? I can't find anything, and the forums won't let me login all the way to do so yet. Don't want to forget...(I don't login outside of steam often).

thornz0 said,
Is it possible to change passwords through steam? I can't find anything, and the forums won't let me login all the way to do so yet. Don't want to forget...(I don't login outside of steam often).

Open Steam then click on "Steam" menu in top of steam window, then click on Settings. On Account tab, click the Change Password or Secret Question... button.

It seems like they have what is considered standard practice around their data. Credit card numbers encrypted and passwords hashed and salted... but perhaps companies might want to reconsider keeping addresses and emails in clear text...

I think to a degree even Sony used standard practices given the news; we were more upset with Sony for not telling the truth right out about the security breach. Something other companies have learned, I'm sure. And perhaps many of us have become more accustomed to the reality that this is going to continue to happen to many companies before it ends...

I personally don't expect free stuff. I'm more interested in updates on how they are working to improve security, and maybe helping customers fight against the (very possible) coming attempts on their identities or accounts with some sort of identity monitoring service, similar to what other companies have contracted for their customers as standard practice.

Well, and that's the big con of digital distribution: something happens and you lose everything... even your info...

eilegz said,
Well, and that's the big con of digital distribution: something happens and you lose everything... even your info...

The amount of encryption Steam has and not to mention SteamGuard is more than enough to protect most users...

If you lose a SteamGuard protected account then you should not be using the internet sorry

This is a shame that they would target Steam

Changed password.

It's a bit of a worry that there is no news on Steam's site about this, tho.

Edited by brent3000, Nov 11 2011, 12:44am :

This was sent as an IM? Via what service? I didn't think they communicated via IM period.

NVM... it's on the Steam forum landing page.

Hashed and salted passwords and encrypted CC information. Unless they say otherwise, risk of anything is relatively low.

I don't see this as a big issue...but I'm sure a bunch of the TF2 noobs are all upset they can't argue and talk about nonsense on the forums.

netsendjoe said,
I think using Steam or having to use Steam is very irritating.

Did you even read the article? Or just decided you needed to post this totally intriguing information which has zero relevance at all.
/Sarcasm

netsendjoe said,
I think using Steam or having to use Steam is very irritating.

I don't. I've easily spent 10x on games because of Steam sales and the convenience of downloading directly, etc. via Steam. There are literally dozens of games I would never have purchased and played if it wasn't for this digital distribution model.

excalpius said,

I don't. I've easily spent 10x on games because of Steam sales and the convenience of downloading directly, etc. via Steam. There are literally dozens of games I would never have purchased and played if it wasn't for this digital distribution model.

What he said.

**** me, that's a lot of information they took. Will reset my Password ASAP.

What about Paypal details? I keep mine saved for Steam, so have they taken that too?

Majesticmerc said,
**** me, that's a lot of information they took. Will reset my Password ASAP.

What about Paypal details? I keep mine saved for Steam, so have they taken that too?

There is no evidence any data was taken, and all the information was appropriately salted and hashed as it should be.

Nothing to worry about for now.

Majesticmerc said,
**** me, that's a lot of information they took. Will reset my Password ASAP.

What about Paypal details? I keep mine saved for Steam, so have they taken that too?

They don't store your paypal details, they just store your address and that you would like to pay with paypal.

Athernar said,

There is no evidence any data was taken, and all the information was appropriately salted and hashed as it should be.

Nothing to worry about for now.


Can anyone explain what salted means? I know Hashed, but salted is a new term for me

brent3000 said,

Can anyone explain what salted means? I know Hashed, but salted is a new term for me

Let's say you're stupid and your password is 'walrus'. You store it as a hash (let's say sha-512) 9671014645ce9d6f8bae746fded25064937658d712004bd01d8f4c093c387bf3. If you then google that string, you will see the word 'walrus' come up. So all the hacker had to do was google the hash and they got the password. A salt is an added part. So if your password is walrus, we could add your username to the start of it and that is stored as a hash of brent3000walrus. Now if the hacker tries to look it up, he won't find anything. It would take a while to brute force it. Valve could've used your birth date as a salt, or they could have multiple salts. It's just a way to make cracking passwords a bit harder.

ShiftPlusOne said,
<Snipped>
Valve could've used your birth date as a salt, or they could have multiple salts. It's just a way to make cracking passwords a bit harder.

Thankyou kindly good sir,

Sense this make

ShiftPlusOne said,

Let's say you're stupid and your password is 'walrus'. You store it as a hash (let's say sha-512) 9671014645ce9d6f8bae746fded25064937658d712004bd01d8f4c093c387bf3. If you then google that string, you will see the word 'walrus' come up.

Wow, when I google that I actually get a hit on this comment :-)

Never had an account on Steam's forums so think my password should be in the clear. Besides there's Steam Guard which is handy.

Though I wonder how they got credit card numbers when the forums were attacked. Perhaps this applies only to people with the same password on the forums and their Steam account?

Changed my Steam password just in case, as Newell suggested.

edit: Forget about that. Can't be done at the moment. Getting a "Steam cannot currently process your request. Please try again later." error.

I wouldn't worry too much; as the original statement said, the passwords are salted and hashed; unless you think the attackers are targeting you specifically, it will not be worth their while, and certainly not in the next few hours.
(Plus there's Steam Guard as Denis W mentioned.)

Your PW is unlikely to be broken unless you use the same PW for your email, in which case they could get past Steam Guard. But they would still have to decrypt your password, which will take a long while if it has good amount of bits of entropy!

In any case, I like how Gaben announced this to the public instead of remaining silent until something bad happens.

Esvandiary said,
I wouldn't worry too much; as the original statement said, the passwords are salted and hashed; unless you think the attackers are targeting you specifically, it will not be worth their while, and certainly not in the next few hours.
(Plus there's Steam Guard as Denis W mentioned.)

Salting means nothing in terms of brute-forcing if you have the salt. Of course, it slows you down from using rainbow tables, but it's still not that hard to crack.
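ShiftPlusOne's explanation of salting above and the point just made (that a known salt does not stop guessing) can both be shown in a few lines of code. What follows is an added example, not code from the article, from Valve, or from any commenter. It uses only the Python standard library, a constructed six-word guess list standing in for a leaked wordlist, and a random per-user salt in place of the username or birth date mentioned above. The PBKDF2 iteration count is an illustrative choice; the page says nothing about which algorithm or work factor Valve actually used.

```python
"""Added example (not from the article, Valve, or any commenter): what a salt
does and does not buy once the attacker holds the password database."""
import hashlib
import hmac
import os

# Constructed guess list standing in for a leaked wordlist; not real data.
WORDLIST = ["password", "123456", "letmein", "walrus", "dragon", "qwerty"]

# Illustrative PBKDF2 work factor; the page does not say what Valve used.
PBKDF2_ITERATIONS = 200_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the scheme the 'google the hash' attack beats."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 over salt || password, with a per-user random salt."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Precomputed digest -> password table (a tiny rainbow-table stand-in)."""
    return {unsalted_hash(w): w for w in words}


def reverse_via_table(digest: str, table: dict):
    """The lookup attack: one dictionary access, no hashing at attack time."""
    return table.get(digest)


def crack_fast_salted(digest: str, salt: bytes, words):
    """Dictionary attack on a salted fast hash. The salt is stored beside the
    hash, so the attacker has it; each guess costs a single SHA-256."""
    for w in words:
        if hmac.compare_digest(salted_hash(w, salt), digest):
            return w
    return None


def slow_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: same salt idea, but each guess costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_slow(password: str, salt: bytes, stored: bytes,
                iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Constant-time comparison so the check itself leaks nothing via timing."""
    return hmac.compare_digest(slow_hash(password, salt, iterations), stored)


def crack_slow_salted(stored: bytes, salt: bytes, words):
    """Same dictionary attack against PBKDF2. It still succeeds for a weak
    password, but now the attacker pays the full work factor per guess, per user."""
    for w in words:
        if verify_slow(w, salt, stored):
            return w
    return None


def demo(password: str = "walrus") -> dict:
    """Run the scenarios and return what each attack recovers."""
    table = build_lookup_table(WORDLIST)
    salt_a, salt_b = os.urandom(16), os.urandom(16)   # two users, same password

    return {
        # 1. Unsalted: the precomputed table gives the password back immediately.
        "unsalted_lookup": reverse_via_table(unsalted_hash(password), table),
        # 2. Salted: the table was built from bare words, so it never matches.
        "salted_lookup": reverse_via_table(salted_hash(password, salt_a), table),
        # 3. Salt known, fast hash: a handful of guesses and it is cracked anyway.
        "salted_dictionary": crack_fast_salted(salted_hash(password, salt_a), salt_a, WORDLIST),
        # 4. Salt known, slow hash: cracked too, but every guess costs 200k rounds.
        "pbkdf2_dictionary": crack_slow_salted(slow_hash(password, salt_a), salt_a, WORDLIST),
        # Salting also gives two users with the same password different digests,
        # so cracking one reveals nothing about the other.
        "unsalted_digests_match": unsalted_hash(password) == unsalted_hash(password),
        "salted_digests_match": salted_hash(password, salt_a) == salted_hash(password, salt_b),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the file prints one line per scenario. The asymmetry is the point: a salt costs the defender nothing and kills precomputed lookups and cross-user matching, but only a deliberately slow function makes each guess expensive, and only a password that is not on any wordlist makes the guesses fail.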

Pupik said,
Changed my Steam password just in case, as Newell suggested.

edit: Forget about that. Can't be done at the moment. Getting a "Steam cannot currently process your request. Please try again later." error.

If you get that error that means you entered the wrong password.