Valve: It’s ‘Probable’ That Hackers Obtained Old Steam Transaction Data

Valve CEO Gabe Newell said today in a statement to Steam users that as a result of a hack last November, it is "probable" that hackers have obtained a backup file with information on Steam transactions performed between 2004 and 2008. The compromised material includes user names, email addresses, encrypted billing addresses and encrypted credit card information. It does not include Steam passwords.

Here's the full statement from Valve:

Dear Steam Users and Steam Forum Users

We continue our investigation of last year's intrusion with the help of outside security experts. In my last note about this, I described how intruders had accessed our Steam database but we found no evidence that the intruders took information from that database. That is still the case.

Recently we learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008. This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information. It did not include Steam passwords.

We do not have any evidence that the encrypted credit card numbers or billing addresses have been compromised. However as I said in November it's a good idea to watch your credit card activity and statements. And of course keeping Steam Guard on is a good idea as well.

We are still investigating and working with law enforcement authorities. Some state laws require a more formal notice of this incident so some of you will get that notice, but we wanted to update everyone with this new information now.

Gabe

We'll continue to update if we learn anything new.


Comments

    Encrypted or hashed?

      I'm thinking encrypted. If it was hashed you'd have to re-enter your CC number each time you made a purchase.

    If it was from as early as 2004 then the encryption can't have been that strong compared to what would be used now. On the upside most of it will have been way out of date and probably not that useful.

      That's necessarily the case. By 2002 the Rijndael algorithm had already been adopted as the AES (Advanced Encryption Standard). It would take the age of the universe to brute force and the closest anyone has come to breaking it is an attack that reduces that to a quarter of the age of the universe. Of course if they were still using triple-des... :p

    Oh thank god they only got our credit card details and not our passwords.

    It took them this long to find out and alert us? Not particularly pleased with Valve... even Sony alerted us sooner.

      This is an update. They told everyone something had happened at the time. Not right away, but quicker than Sony did. They just didn't know what had been taken exactly so they advised a password change just in case.

        I think you meant to say: "IT'S OVER. VALVE IS FINISHED111eleven!"

          YOU'VE LOST THOSE 125 GAMES YOU'VE NEVER PLAYED, RUN FOR THE HILLS!

    04-08? Most cards should have been cycled by now surely...

      That's no excuse for keeping the data on the forum's server.
