What The PSN Outage Tells Us About The Steam Hack

While the scope of the Steam hack remains to be seen, its early developments — indeed, even Valve’s early statements — match those of this year’s notorious PlayStation Network outage, which may give the millions of gamers affected a guidepost for what is to come.

Earlier today, Valve confirmed that a database containing private information, including encrypted credit card information for its more than 35 million Steam customers, was exposed in a defacement attack on the Steam Forums this Sunday. The Seattle-based PC gaming giant says it has no information that any credit card numbers were stolen in the attack, but is still assessing the scope of the breach.

While Steam’s 35 million accounts are less than half the number of registered accounts affected by the 23-day PlayStation Network outage, most, if not all, of those Steam accounts are attached to a credit card. Many of the PlayStation Network accounts compromised in the April attack were duplicates, or even inactive, given that PSN offers online multiplayer and PlayStation Store access for free. Indeed, when Sony announced that credit card information was caught up in the PSN hack, it said roughly 12 million credit card accounts were potentially compromised.

The Steam hack has taken only the Steam Forums offline — the download service remains online for tomorrow’s heavily anticipated release of The Elder Scrolls V: Skyrim. But in this case, it’s more likely that the number of Steam accounts compromised is closer to the number of credit card accounts exposed, though it’s unknown whether the compromised database was a comprehensive accounting of the Steam installation base or only a portion of it.

Still, Valve has taken about as long as Sony to publicly declare what information was compromised, doing so six days after the first signs of trouble. PlayStation Network was taken offline April 20; after an investigation, Sony announced April 26 that personal information, potentially including credit card numbers, was exposed.

Sunday saw a defacement of the Steam Forums blamed on the hacking website Fkn0wned.com (it has not taken responsibility). After an investigation, Valve announced today that personal information, potentially including credit card numbers, was exposed.

Valve’s Statement today:

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

Sony’s Statement on April 26:

Although we are still investigating the details of this incident, we believe that an unauthorised person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. … While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. … Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.

In the worst-case scenario, what happens next will be influenced by Valve’s size relative to Sony’s. Steam is unquestionably the dominant download service among PC gamers, whereas PSN has a strong competitor in Xbox Live, but Valve is nowhere near a company the size of Sony, with the attendant friends and enemies in government. Console gaming scandals are also more likely to become the kind of consumer-protection issue that summoned Sony officials to Capitol Hill to explain the problem.

That said, just because Valve has enormous respect among the gaming population for its forthrightness on subjects like file-sharing and piracy, and is led by a respected developer who maintains a genuinely open-door relationship with video gamers, does not mean that today’s announcement describes the full size of the problem. And the Steam Forums remain offline.

If the past is any guide, we will likely discover more about the depth of this attack and the actual exposure in days to come. And then, like the PSN Hack, users will be reminded that no network is truly secure, and the price of participating in an open, connected society is eternal vigilance.


  • The one massive difference between the two networks being that Sony stored user information in unencrypted plain text. Valve, on the other hand, encrypted, salted and hashed user information.

    • Kudos to Slek. That is a fact that needs to be remembered and why the Sony incident stands out. It revealed that they were not keeping data encrypted.

    • Reread Valve’s statement: there isn’t much difference, actually, except that Valve used salting as well when hashing the passwords. Valve refers only to the passwords and credit card details as being protected; the rest of the user information is not encrypted, although the poor phrasing can be misread as stating otherwise. “…or that the protection on credit card numbers or passwords was cracked” would have referred to the user details as well if this was the case.

      It’s kind of frustrating that the fallacies spread during the PSN hack are still appearing. I’ve seen more than one call of “Sony stored passwords in plain text” today.

    • The data was protected by encryption: the user database was encrypted and passwords were encoded on top of that. Individual data was not encrypted because the resources required to do that properly are insanely high (which is why such measures are usually only used for credit card information).
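The distinction the commenters above are arguing over (plain hashing versus hashing with a per-user salt and a deliberately slow function) is easier to see in code. The block below is an added example written for this page, not code from Valve, Sony or the original article. The accounts and the attacker wordlist are constructed, and SHA-1 and PBKDF2-HMAC-SHA256 are illustrative choices: the page does not say which algorithms either company actually used.

```python
"""Unsalted vs. salted password storage, and what each costs an attacker holding the dump."""
import hashlib
import hmac
import os

# Constructed sample accounts (not real Steam or forum data). Two users share a password.
ACCOUNTS = {
    "alice": "hunter2",
    "bob": "hunter2",
    "carol": "correct horse battery staple",
}

# Constructed attacker wordlist; a real one would be far larger.
WORDLIST = ["password", "123456", "hunter2", "letmein"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-1 of the password: the same input yields the same digest for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 50_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt and an iteration count chosen to be slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_unsalted_db(accounts: dict) -> dict:
    """What a dump looks like when passwords are merely hashed."""
    return {user: unsalted_hash(pw) for user, pw in accounts.items()}


def build_salted_db(accounts: dict, iterations: int = 50_000) -> dict:
    """What a dump looks like when each record carries its own random salt."""
    db = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)  # fresh 128-bit salt per record
        db[user] = {"salt": salt, "iterations": iterations,
                    "hash": salted_hash(pw, salt, iterations)}
    return db


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = salted_hash(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def crack_unsalted(db: dict, wordlist) -> tuple:
    """One precomputed table serves the whole dump; a hit exposes every user sharing that digest.
    Returns (cracked users, number of hash computations performed)."""
    table = {unsalted_hash(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in db.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(db: dict, wordlist) -> tuple:
    """No shared table is possible: every guess must be rehashed under each user's own salt,
    so the work scales with users x guesses x iterations. Returns (cracked users, work)."""
    cracked, work = {}, 0
    for user, rec in db.items():
        for w in wordlist:
            work += 1
            if verify(rec, w):
                cracked[user] = w
                break
    return cracked, work


if __name__ == "__main__":
    plain = build_unsalted_db(ACCOUNTS)
    salted = build_salted_db(ACCOUNTS)
    print("alice and bob share a digest when unsalted:", plain["alice"] == plain["bob"])
    print("alice and bob share a digest when salted:  ",
          salted["alice"]["hash"] == salted["bob"]["hash"])
    print("unsalted attack:", crack_unsalted(plain, WORDLIST))
    print("salted attack:  ", crack_salted(salted, WORDLIST))
```

With the constructed data both attacks recover the two weak passwords, which is the point the thread glosses over: salting does not rescue a bad password. What it changes is that the attacker can no longer amortise one table across the dump (or across dumps from other sites), cannot tell from the hashes alone which users share a password, and has to pay the full iteration cost for every guess against every record.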

  • I’m still seeing a lot of ‘Nah PSN breach was worse because of *insert reason here*’

    The more concerning fact for both of these incidents is that ‘they’ GOT IN. Shouldn’t that be of greater concern?

    • There is NO SUCH THING as a totally secure network. What matters is how sensitive information is stored, and prompt communication to the affected parties.

      • No, the important thing is that they were unable to access or view any financial information. EVERY Network has vulnerabilities and eventually someone will break into the system.

  • What’s with these scaremonger articles?
    Sony took 10 days to respond after complete silence, didn’t encrypt user information, and it was a breach of the actual service.
    This is a breach of the forums, the info is encrypted and protected, there are safeguards in place to alert users if their account is being used, and Valve has made the issue public early on.
    The situation is almost completely different.

    I mean, christ Kotaku, you’re reading like the fricking Daily Mail with your scaremongering articles. Inform people about the issue, don’t try to scare them with misinformation.

    • Steam themselves have admitted even they don’t know the full extent of the breach yet. It’s good business practice to warn your customers to prepare for the worst. There’s also the fact that even if it was only a forum database that was compromised and corresponding information possibly stolen, I guarantee there’s people out there dumb enough to make their Steam login the same as or similar to their forum credentials.

      There’s nothing wrong with erring on the side of caution. If it turns out to be insignificant, no harm done. If it turns to be a serious breach and they didn’t warn anyone, they’d be crucified.

      Be realistic.

      • @ Yfnel

        That’s not what I was talking about at all…
        I was talking about Kotaku deliberately using fear and misinformation to get more views on their site.
        News should be used to inform people of issues, not scare them silly so you’ll get more traffic.

        • Umm where’s this “fear” that you’ve been so insistent on? The article never uses any certainties and only uses possibilities of outcomes. The article also provides an in-depth comparison between this and the Sony incident.

          This is no different. Sony took 10 days to respond, but only because the hack took place closer to the weekend and then fell into a public holiday the week in; had this been Valve at the time, I see no reason why the 6 days they took to respond wouldn’t become 10 days.

          • One of the story advertisements right at the top of their site, in big bold letters, states “STEAM HACKED”.
            Think of any rubbish tabloid newspaper; they usually have similar headlines like “PEDOPHILE ON THE LOOSE”. It’s a commonly used tactic by news reporters to attract views, because people get scared of things like that and so view the story to find out what’s going on in case it could happen to them.
            Follow this up with a bunch of wild speculation during the article about the possible effects this could cause and you’ve got gold on your hands.
