Steam Hacked, Database Accessed

Steam users will find a message from Gabe Newell when they next sign into the service.

“Our Steam forums were defaced on the evening of Sunday, November 6,” begins the message. “We began investigating and found that the intrusion goes beyond the Steam forums.”

It appears the intruders gained access to a Steam database as well as the forums. The database contained “user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.”

Valve say that, whilst they have no evidence that the card numbers or personal information were taken, they are “still investigating” and suggest you “watch your credit card activity and statements closely.”

All Steam forum users will be required to change their passwords the next time they log in. “If you have used your Steam forum password on other accounts you should change those passwords as well,” advises the message.

We remind all users to ensure passwords are unique for every site and service.

  1. you're welcome ;) but on a serious note this is really worrying, yet another one bites the dust :/

  2. Nightmare!

  3. What the hell is a “salted” password?

    • An encrypted password.

      • Just wait until they start factoring in layers of deniable plausibility to passwords…

      • Oops, I meant deniable encryption!

      • Hmmm, yes and no, it’s still a hashed password. It just makes it a whole lot harder to crack a whole database of passwords. The salt is a sort of modifier for the hashing algorithm, so that every password can essentially have its own hashing pattern.

        Salting is really just a way to make passwords more effort than they’re worth. Don’t worry about the CC info though, that’s actually encrypted, unless the hackers have access to a quantum computer, you’re pretty much safe…

      • Depending on a) the level of encryption b) how quickly the key for it is generated by chance by their software/script, although unlikely it could happen.

        Name, address, DoB etc is still useful for identity theft though.

        Will be interesting to see how Valve differ from Sony in the aftermath

      • welcome back packs all round

      • “hashed and salted passwords”

        This is already more information than we got out of Sony. They never said if the passwords were salted or not, which makes me believe they were not.

        Now can we please have the details of the encryption too?

        Salting does not make brute force attacking a single password significantly harder.

        If you have a list of, let’s say, 10000 unsalted passwords. You could do a brute force attack against the list and in about 1/10000th of the time you would have a match on a random. (Because you could compare that hash of “hunter2” to all the hashed passwords)

        Salting means that the attacker would have to calculate the hash with the salt for all the passwords, making it no faster than attacking a single password. (because the hash of “hunter2” would be different for all the different salts).

        Hashing isn’t encryption, because encryption is intended to be reversible if you have the key. Hashing has no key, all you can do is hash whatever you think the plaintext may be, and then compare.
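As an added illustration of the point made in this comment and in the salt explanation above (example code written for this page, not from the original post or from Valve): a constructed four-user store shows that against unsalted hashes a single computation of hash("hunter2") checks every account at once, while a per-user salt forces one computation per account. The `hash_salted_slow` variant is the usual complement to salting, since a salt alone does not make one guess any slower.

```python
import hashlib
import secrets

# Constructed sample data: four users, one of whom chose "hunter2".
USERS = {"alice": "correct-horse", "bob": "hunter2", "carol": "Tr0ub4dor&3", "dave": "letmein"}
CANDIDATES = ["password", "hunter2", "123456"]

def hash_unsalted(password):
    # Same password -> same hash for every user, so one hash checks them all.
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password, salt):
    # Salt is stored in the clear next to the hash; it need not be secret.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def hash_salted_slow(password, salt, iterations=200_000):
    # PBKDF2 makes each single guess expensive; salting alone does not do that.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def make_unsalted_store(users):
    return {name: hash_unsalted(pw) for name, pw in users.items()}

def make_salted_store(users, hasher=hash_salted):
    # Fresh random 16-byte salt per user, stored beside the digest.
    store = {}
    for name, pw in users.items():
        salt = secrets.token_bytes(16)
        store[name] = (salt, hasher(pw, salt))
    return store

def check_unsalted(store, candidates):
    # Returns (hash computations, users whose password was among the candidates).
    by_hash = {}
    for name, digest in store.items():
        by_hash.setdefault(digest, []).append(name)
    work, matched = 0, set()
    for cand in candidates:
        work += 1
        matched.update(by_hash.get(hash_unsalted(cand), []))
    return work, matched

def check_salted(store, candidates, hasher=hash_salted):
    # Each candidate must be re-hashed under every user's salt: work = users x candidates.
    work, matched = 0, set()
    for name, (salt, digest) in store.items():
        for cand in candidates:
            work += 1
            if hasher(cand, salt) == digest:
                matched.add(name)
    return work, matched
```

With the four constructed users and three candidates, the unsalted store is covered with 3 hash computations and the salted store needs 12; the same account is found either way, which is why a slow hash is needed on top of the salt.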

  4. I wonder how the internet will treat this, after the reaction to Sony’s breach earlier in the year.
    I smell another dose of internet hypocrisy around the corner.

    When will people learn, it is the hackers, not the company hacked, that is at fault when a company gets hacked?

    • On the flipside though, given the preference developers have these days for “online passes” & “online DRM” – surely this is an argument against promoting online only play?

      • PS I agree with your point though, it’s not Steam’s fault that they’ve been targeted.

        Just highlighting that they won’t be the only ones & with more developers aggressively pushing online play, they are in turn making themselves targets…

      • To be honest, I’m not sure we could go back to the days of no online play.
        Now we’ve had it, and it’s been successful, it’d be like closing Pandora’s Box.

        Although I wish it didn’t have to kill my glorious local multiplayer… :(

      • True on both counts.

        Just hoping this might stem the flow of single-player online only activations & DRM.

    • It took them a few days to investigate, but Gabe’s come out, been frank, clear, and reassured everyone. On face value, then, this is a much smaller and less significant breach compared to the PSN hack.

      Firstly, everything has been encrypted to a higher degree. Secondly, Steam Guard is a simple system, by which you authenticate your account being accessed on new devices via email, along with account changes. So a hacker has to hope you’ve used the same password for both the Steam forums, Steam and your email account. Lastly, card details were encrypted too.

      So on the face of it, change your passwords, and then just be aware of what’s going out of your bank account. Business as usual, then.

      • I’m fairly certain that the thing that worried most people in the PSN hack was that they wouldn’t confirm that anything was encrypted for such a long time. Seriously, go back and look at the original PSN hack release, no word of encryption. According to Google, that news came in a blog post about one week later.

      • After some Googling, I was remembering slightly wrong, there was only a two day gap between the press release and the blog post. I assumed that the press release would’ve been released sooner than that. Apparently it went:

        Hacked: 17th April
        PSN Down: 20th April
        ‘Some stuff may have been leaked’ release: 26th April
        Blog post: 28th April
        ‘Yeah, definitely got some stuff’ release: 4th May
        PSN fully back: 15th May

      • I’m sorry teflon but I don’t get how this is any different to what Sony did – yet they copped an absolute earful from gamers around the world.

        – Sony took 3 days to advise of the intrusion, Valve took 3 days to advise of the intrusion.
        – Sony had credit card information encrypted, Valve had credit card information encrypted.
        – Sony had passwords hashed, Valve had passwords hashed.
        – Sony had 77 million accounts, although many duplicates so likely < 1/2 that number of real accounts. Steam had 25 million user accounts at the start of this year and is growing at 25% per year, so should be around 30+ million by now.

        Explain to me how "this is a much smaller or less significant than the PSN hack"?

        Explain to me how "everything has been encrypted to a higher degree"?

        Steam Guard doesn't do anything to stop hackers from using the information they have accessed directly, it just means they probably won't be able to activate your account on their computer. If they are after personal information for ID theft they don't need to activate your account, they already have that data from this intrusion.

        You're right, Newell has been clear and frank – but you would hope they would learn SOMETHING from Sony's confusing initial communication problems, because clearly they didn't learn about security.

      • If Uhyve’s info is accurate then it took Sony 9 days to release a statement that something was actually taken and then another two to confirm that CC info was encrypted. I’d say the Steam hack was communicated much better than the PSN one. At least that is how I feel about it.

      • Most people didn’t get the timeline right even back then, so it’s going to be even more ‘conveniently’ exaggerated as time goes on.

        Sony detected on or around the 19th that there had been intrusion attempts between the 17th and 19th. They took the PSN down immediately and on the 20th they posted on their blog that there were problems with the PSN and it was down for maintenance.

        At the same time, they were investigating to see what had occurred. On the 21st April they said:

        “As you are no doubt aware, the current emergency outage is continuing this afternoon and all Sony Online Network services remain unavailable. Our support teams are investigating the cause of the problem, including the possibility of targeted behaviour by an outside party. If the reported Network problems are indeed caused by such acts, we would like to once again thank our customers who have borne the brunt of the attack through interrupted service.
        Our engineers are continuing to work to restore and maintain the services, and we appreciate our customers’ continued support. For further information, please refer to updates on, here on PlayStation.Blog and via our @PlayStationEU twitter feed.”

        Further updates occurred daily on the blog, this on the 23rd:

        “An external intrusion on our system has affected our PlayStation Network and Qriocity services, In order to conduct a thorough investigation and to verify the smooth and secure operation of our network services going forward, we turned off PlayStation Network & Qriocity services on the evening of Wednesday, April 20th. Providing quality entertainment services to our customers and partners is our utmost priority.

        “We are doing all we can to resolve this situation quickly, and we once again thank you for your patience. We will continue to update you promptly as we have additional information to share.”

        On the 26th they made a clear statement that was overly cautious (as it turns out) but warned everyone that they couldn’t yet rule out what had and hadn’t been accessed.

        Yes, it could have been handled better – but Sony was the first of the big gaming giants to be hit, and they learnt the hard way what to do and not to do. Overall I thought they handled it ok, despite coming under massive public and governmental scrutiny.

        As for Valve, with the benefit of hindsight and seeing all these other companies get targeted, is -how- did they allow this to happen and -why- did they still take 3 days to either detect it or get the message out? It’s almost like every single company assumes it won’t happen to them, until it does.

        I wonder, will the US Government get involved here as they did with Sony? I doubt it – hypocrites.

      • I agree with JesseDeya, pretty much identical to PS3 hack in terms of time and what was stolen, its certainly not a “smaller and less significant breach”

      • I don’t know what the fact that Sony was the first big gaming company that got targeted by hackers has to do with anything. Companies, no matter what their business is, got targeted in the past. By that logic every company except the first one should be smart enough to secure their systems sufficiently. With the Sony hack it just took too long to get the relevant data out. Was the data encrypted or not? No matter if they knew what was accessed and what wasn’t. This was something that they were certain about and people wanted to know. There was a lot of PR talk and not enough hard facts. Valve came forward after 3 days and flat out confirmed that the CC info was encrypted whether it was accessed or not. Now I don’t have to check my bank account twice a day.

      • I don’t buy it KeRaSh, all the concern over encryption is largely moot.

        For starters, it’s a legal requirement for them to store CC details encrypted. Sony do it and Valve do it, when the Sony PSN story hit I (like all the smart people in the world) assumed the CC details would have been encrypted. I also knew that I’m protected against credit card fraud, and that my bank would most likely block any suspicious activity and notify me (which they do regularly even when I make legit purchases overseas).

        The ONLY reason people got their knickers in a knot about Sony not explicitly stating the CC details were encrypted straight up was because some -expletive- hacker wannabes were pushing around bogus chat logs that suggested CC details were sent and stored in plain text by the PS3. This turned out to be complete horse manure (as we now know).

        You’re absolutely right that Sony wasn’t the first big company to be hacked – a point that was apparently lost on the world’s media at the time – but the numbers (77 million accounts) made it one of the worst breaches in history. Here is Steam, with ~30million accounts and no one seems to be bothered looking up from their toast and morning paper.

        My final point is that in the PSN hack, and in this one, CC details should be the least of people’s concerns (for the reasons mentioned above). It’s your other details that will be used for ID theft or phishing scams in future – and they weren’t encrypted.

      • I know that it is a requirement for companies to encrypt CC details but after not getting confirmation from sony for over a week you should understand that people got nervous especially since there were rumors that regular user data was stored in plain text. I don’t want to bash Sony or anything. The PSN hack is a thing of the past and nothing happened to me personally, but I’m sure I’m not the only one who thinks that the Valve hack has been handled much better in terms of communicating with the media than the PSN hack.

      • Another thing I found amusing about the PSN hack and the reaction of a lot of people and media outlets:

        77m user accounts existing ==> No way have Sony sold 77m PS3’s, I have x accounts myself, not to mention the PS3’s that aren’t on online and the ones for broken/sold machines, probably half, at best, of those accounts are active, PS3 is a failure

        77m user accounts hacked ==~> OMFG the world is about to explode, 77m individual people have had their details stolen, every single account must be active and have up to date details, aaargh MELTDOWN!!!! PS3 is a failure.

        Just seems to be the “one rule for one, one rule for another” approach that’s been consistently applied in many mainstream media outlets pretty much since the start.

    • No. The company you entrust your personal details with STILL has an obligation of security, and clearly Steam failed in that regard as much as Sony did.

      In terms of online security, there is no such thing as fatality. Hackers will hack, sure. But whether they operate from their garage or for the mafia, it doesn’t matter. Technologies and procedures DO exist in order to efficiently prevent these thefts. Companies which don’t apply them are lazy and irresponsible.

  5. yet another password change for me….bastards

  6. Changed my password, luckily only my old card details were stored.

    • It’s a good argument to use PayPal rather than storing any card details at all.

      “Paypal users will find a message from…”

      • I only used Paypal once when it started gaining popularity and my account got hacked within a few days and the hacker tried to access around 3000€ from my bank account which wasn’t possible because back then I couldn’t go below 0 but it was still scary and took three weeks to get it sorted with Paypal support. I used a strong unique password…
        I’m not going near that service ever again.

      • @KeRaSh
        Me too. I was screwed over by Paypal and had to pay up for it. They then emailed me a few weeks later to say “we noticed you had an unfortunate incident recently with you account. Why not pay x amount monthly to get protected”….
        Never using it again. At least when money was taken unauthorised from my bank account they paid it back.

      • Yikes. I thought PP was pretty safe.
        Thanks for letting me know otherwise!

  7. Well time to change my name to Bob McBobbett, I feared this from the start so freaking sad

    I’m sure that I signed to the forums but that was years ago.

  8. No! Steam :( takes the piss. If I only knew the hackers…

    • p.s. Just booted up and nothing special appeared..!?

      • Not on my end either, and I can’t even find where to change my password.

      • Oh, there it is – in the application menu, and not in the app itself. Sorry.
        Didn’t receive any heads up about the hack any other place than on the forum sign in page, though

  9. Oh cock. Well I guess it’s a good thing there’s almost no money on my debit card at the moment. To think I was complaining about being poor just the other day…

  10. bastards…not cool. I’ve got that many passwords these days it’s impossible to remember them all

    • There’s quite a few password lockers out there. They’ll hook into your web browser, letting you auto-fill log in forms, and tend to offer incredibly strong encryption on your end too. Then you just need to use the one password to unlock the locker, and log in to whatever website.

      They’re also useful, in that many will generate randomised passwords for you too.

Comments are now closed for this post.