What We Know About The Steam Hack And What You Should Do

Today Valve told us that their cloud-based Steam service has been compromised, and that users' personal information and credit card information could be at risk.

Here are some common questions we've been getting, and the best answers we can provide given what we know. We are monitoring the situation and have reached out to Valve for more information. We'll update as we learn more.

Wait, Valve Was Hacked?

Steam, specifically. Here's what we know.

Is my Credit Card Compromised?

Valve isn't sure. According to the email we received, the hackers gained access to a database that included user names, hashed and salted passwords ("hashed and salted" means they were encrypted), game purchases, email addresses, billing addresses, and yes, encrypted credit card information.

Valve does not have evidence that the encrypted credit card numbers or personal information were actually taken by intruders, nor that the intruders have the means to crack the encryption. Valve reports that they don't have any evidence of credit card misuse at this time and are "still investigating."

When did Valve know about this?

Valve started investigating after their forums were defaced this past Sunday, November 6th. It's unclear when exactly they realised that the intruders had also gained access to a Steam database.

Who is responsible?

No one knows, and no one has claimed responsibility.

Should I change my Steam Password?

It couldn't hurt; you might as well take this opportunity to change your Steam password. It's really simple: on PC, open Steam and go to "Settings" in the "Steam" menu up top. Your account information can be easily changed under the "Accounts" tab.

Should I reset all of my passwords?

This also couldn't hurt, though it's time-consuming. An easy way around this (since surely this won't be the last time one of your services gets hacked) is to get a program like 1Password or LastPass and use it to regularly change all of your passwords.

Are we gonna get free games because of this?

Well, there's usually some sort of "make good" after this kind of thing happens. Sony gave away a few games after they got hacked, so it stands to reason that Valve will do something similar. That or just give everyone some rad hats.

Who cares about my credit cards and passwords. Will Skyrim still unlock tonight?

Though the Steam forums are down, Steam itself is still working fine for all of us. So, you can relax: we don't anticipate a problem with Skyrim's launch.


Comments

    Hats?
    Oh right, hats. Gotcha :)

      I was like waaaaa :/

      Then ahhh right.

      *Dips hat to you good sir Kotaku*

      Did not see this coming NOT hahaah no really steam has a lot of steam haters out there only just a matter of time and more than likely just the start

    Still annoyed at Valve's response time. 4 days to alert customers to the possibility that credit card information was taken?

    If the hackers managed to un-encrypt the details, they could have emptied my bank account before I even knew how they got that info.

      I really wonder how some people think, not using Paypal and Steam Guard.... their world must be so simple and bland...

        I do use steam guard if that's what you are implying.

        I use my credit card as a personal choice, mostly due to steam implying that they have good enough encryption to protect my details when I purchase from them I wouldn't need to worry about it being stolen.

        "I really wonder how some people think, not using Paypal and Steam Guard…. their world must be so simple and bland…"

        That is their choice, Pariah. If they waive the protection, they have to own the consequence.

        Even then, those measures are mostly deterrents. To quote from one of my favourite games, BioShock: "Sure the boys at Ryan Industries can make their machines unhackable. But that does not mean we are not going to try and hack it."

          Most certainly they have their own choice and consequence. Though should this stuff happen they have no right to complain when they could have easily put themselves in a far more secure position; any payment info stolen when preventable is entirely their own fault imo.

            That last remark is so silly.

            When using a system like steam, it is the company's responsibility (As they are the ones who have declared that the payment information is secure) to ensure that customers who have chosen to use their service have security with those details.

            If steam DIDN'T claim to have a secure system THEN it would be the customer's responsibility to ensure additional layers of protection on their information. To imply that it is the customer's fault that their details got stolen while using a secure system is just idiotic.
            Under that line of thinking, considering banks and paypal are potential targets for robbery, hacking and data manipulation, which could incur the loss of a customer's money, it is therefore only prudent for you to only store money in an impossibly uncrackable safe and never use it.

      It's actually _really_, _really hard_ to break modern public-key based encryption.

        Almost impossible if it's 128-bit encryption. You would need a bot net and lots and lots of time. By the time they crack the encryption those credit cards will be expired. Although there is one guy that has a bot net that might be big enough but I'm pretty sure he's too busy trying to stay alive in whatever non-extradition country he has resigned to.

      That's after they wondered if they had a problem or not. It could be worse though... it could be offline only for forever and you wouldn't even know that it WAS compromised or be able to change your passwords to do anything about it.

      Oh wait... that's SONY. This is still really fast work and they're completely honest about it.

      I'd rather the 4 days to Sony's MONTH!

      You do realise that it was mentioned when it happened that Steam had been hacked and they were investigating. THIS TAKES TIME. They don't know straight away what happened and have to scour logs etc to find out. THIS TAKES TIME! Whenever a company's program is hacked always assume the worst. 4 days is pretty quick.

    I heard that this was only affecting Steam forum users. I don't use the Steam forum, so should I worry?

      http://www.kotaku.com.au/2011/11/steam-hacked-valve-investigating-possible-credit-card-theft/comment-page-1/#comment-435746

      They gained access to the Steam forums in addition to the Steam database

    Got to say, there are differences between the Sony breach and this breach in terms of how data was stored, etc.

    However, the massive difference in reactions to the two breaches is striking, and seems somewhat unfair.

    Sony got a bollocking for weeks and months, with articles everywhere decrying Sony and calling it the End Times of Sony and how the brand would never recover. They waited..what...four days, five days to report the breach, and everyone shouted how it was the end of the world.

    Steam - with supposedly a much greater user base - got hacked. They took four days to report it. No-one seems to be up in arms. No funny tag line on articles about the hack. No wide-ranging calls on internet forums that the system should have been 100% hack proof and they're cancelling their Steam accounts and moving across to Origin.

    Seems a little biased, really. Wonder if it's due to a lot of people liking Gabe?

      "They waited..what…four days, five days to report the breach, and everyone shouted how it was the end of the world."

      I do not mean to be rude, but thou should check again. If I remember right, Sony took PSN offline and finally admitted the breach 10 days later. And the situation got worse in the coming days as the number of compromised accounts continued to rise.

      Anyway, the point missed here is that it turned out that Sony had not been using proper security measures and instead used a network of firewalls. Sensitive data has been kept in the clear.

        Ten days sounds about right, good catch.

        I'm still struggling with why anyone wouldn't announce it within a day or two, max, so that users can change their passwords straight away. To me, four days seems excessive.

        Also: completely agree that the way the data was stored is relevant, and even though Sony had an awesome firewall setup, standard logic should have kept the data hashed on the off chance it was retrieved.

        However, even given those differences, I don't see that it would explain the massive difference to the rabid hate and mouth-frothing anger that flew forth, versus this apparently "Meh, whatever" reaction.

          "However, even given those differences, I don’t see that it would explain the massive difference to the rabid hate and mouth-frothing anger that flew forth, versus this apparently “Meh, whatever” reaction."

          They are still investigating. Make sure to have your HEV Mark V Hazardous Environment Suit ready if they ever say "yes, we have been compromised". The reaction then will be like the test chamber in Half-Life 1.

            I'm fully expecting an unfair and overreaction to the issue, don't worry.

            Ah, internet, you so classy.

          I think the biggest problem with the Sony hack was that you couldn't go online for almost a month, so yeah that pissed off a lot of people

      How can you not like Gabe - he is a Mudokon after all ;)

    Just need MS to complete the trifecta, but they are not without problems, with the issues surrounding FIFA, but it's hard to pinpoint if the issue is MS or EA.

    Good thing I don't have a Steam forum account nor any payment details on my main Steam account. I think that counts as 'safe.'

    I can imagine some hacker in his basement with a checklist:

    "Sony? Check."
    "Steam? Check."
    (*looks at his Xbox 360*)
    (*evil smile*)
    "And now for the jackpot..."

      It's funny because M$ set it to auto-renew and until recently you had to cancel to even get them to not charge you, imagine all the credit card info they'd have.

    Actually, I'm more concerned some idiot admin at Steam uses the same password for the forums as they do for the Steam database. Well that's how I'm gathering they could access Steam anyway.

      "I’m more concerned some idiot admin at Steam uses the same password for the forums as they do for the Steam database"

      *Suffers a heart attack and dies.*

    "What do we know?"

    Followed by a whole heap of "We're not sure".

    Woo.

    In terms of Skyrim, I unlocked mine last night at 1AM. Can play as soon as I get home :D

    Hopefully they can compensate us by giving all of us Assassin's Creed or Skyrim :D
    On a serious note, these hackers really have no life..

      How can you be sure they have no life?

    "Who cares about my credit cards and passwords. Will Skyrim still unlock tonight?"

    Priorities: some people have them

    Even though I purchase games from Steam with a credit card, they shouldn't have my details as I always uncheck "Save details for next time". My vigilance has paid off. :)

    There is a checkbox on the Steam checkout that says don't store my CC info for later, but if I recall you have to turn it off to make it not store your cc details. I wonder if the info is still stored anyway, even if you turn it off? This is the reason I input my CC details each and every time but now I'm concerned regardless. Oh steam, you have let me down.
    Who's next? xbox? What about itunes? cha-ching

      lol, I thought I saw iTunes was hacked in a slightly earlier post. Click through hijacking I think it was :P

    I find it hilarious that Valve fanboys are all "LOL Sony hack was worse" when it was the same thing albeit they took 2 days longer to respond, they encrypted and hashed what Valve hashed and encrypted, no one frauded anyone with the CC info and that was it, then the steam hack happens, all these aspergers kids are all "go Valve" because they're fanboys also they probably forever alone neck beards with nothing to do but wait to play skyrim.

    While all that is pretty funny, it's even funnier that this article suggests using LastPass when they themselves were hacked not long ago...

      Wow, someone sounds like a butt hurt neck beard...

        Why yes you do. Don't worry you can play your faggy skyrim later.

    Hackers are assholes. Even the little ones that just hack WoW accounts or something, it's just mean and unnecessary in my opinion.

    Cancelled my Credit Card just to be sure. When it comes to my hard earned cash, I don't want to be too careful. Probably won't trust valve with my personal details after this.

    So, if you use SteamGuard you're safe?

    Recent adopter of Steam and love it.

    As far as compensation goes I expect Valve are in a much better position. Considering there are regular specials offering games at discount prices, it's hard to resist buying all the things.

    In regards to changing password via steam settings:

    "Steam cannot currently process your request.
    Please try again later."

    *facepalm*

      I got the same thing - but then realised I was putting the new password in the old password field. Maybe check that. =]

    I hope Steam Guard will tell me if somebody is using my credentials.
