While the scope of the Steam Hack remains to be seen, for millions of gamers its early developments -- indeed, even Valve's early statements -- match those of this year's notorious PlayStation Network outage, which may provide a guidepost for what is to come.
Earlier today, Valve confirmed that a database containing private information, including encrypted credit card information from its more than 35 million Steam customer, was exposed in a defacement attack on the Steam Forums this Sunday. The Seattle-based PC gaming giant says it has no information that any credit card numbers were stolen in the attack, but says it still is assessing the scope of the breach.
While Steam's 35 million accounts are less than half of the registered accounts affected by the 23-day PlayStation Network outage most, if not all of those, are attached to a single credit card. Many of the PlayStation Network accounts compromised in the April attack were duplicates, or even inactive, considering that PSN offers online multiplayer and PlayStation Store access for free. Indeed, when Sony announced that credit card information was caught in the PSN hack, it said roughly 12 million credit card accounts were potentially compromised.
The Steam Hack affects only the Steam Forums -- the download service remains online for tomorrow's heavily anticipated release of The Elder Scrolls V: Skyrim. But in this case, it's more likely that the number of Steam accounts compromised is closer to the number of credit card accounts exposed, though it's unknown whether the compromised database was a comprehensive accounting of the Steam installation base, or only a portion of it.
Still, Valve has taken about as long as Sony to publicly declare the compromised information, doing so six days after the first signs of trouble. PlayStation Network was taken offline April 20; after an investigation, Sony announced April 26 that personal information, potentially credit card numbers, were exposed.
Sunday saw a defacement of the Steam Forums blamed on the hacking website Fkn0wned.com (it has not taken responsibility). After an investigation, Valve announced today that personal information, potentially credit card numbers, were exposed.
Valve's Statement today:
We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.
We don't have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.
While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.
Sony's Statement on April 26:
Although we are still investigating the details of this incident, we believe that an unauthorised person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. ... While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. ... Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.
In the worst case scenario, what happens next will be influenced by Valve's size relative to Sony's. Though unquestionably the dominant download service among PC gamers, where PSN has a strong competitor in Xbox Live, Valve also isn't a company anywhere near the likes of Sony, with attendant friends and/or enemies in government. Console gaming scandals are also more likely to become the kind of consumer-protection issue that summoned Sony officials to Capitol Hill to explain the problem.
That said, just because Valve has enormous respect among the gaming population for its forthrightness on subjects like file-sharing and piracy, and is led by a respected developer who maintains a genuinely open-door relationship with video gamers, does not mean that today's announcement describes the size of the problem. And the Steam Forums remain offline.
If the past is any guide, we will likely discover more about the depth of this attack and the actual exposure in days to come. And then, like the PSN Hack, users will be reminded that no network is truly secure, and the price of participating in an open, connected society is eternal vigilance.