Information in the database included usernames, passwords, data on members’ game purchases, and members’ email and billing addresses and encrypted credit card information, Valve said on Thursday.
However, there’s no evidence that the hackers stole encrypted card numbers or information that could personally identify anyone, Valve claims.
There’s also no evidence that members’ credit cards are being fraudulently used by third parties, Valve added.
The first indication of the attack was the defacing of Steam forums on Sunday, Valve stated.
“Based on the information we have so far, it seems to me that [Valve] responded pretty quickly, and seemingly as honestly as they can,” Roger Thompson, chief emerging threats researcher at ICSA Labs, told TechNewsWorld.
The Genesis of the Attack
Rumors that the Steam site had been hacked have been circulating on the Internet for the past few days.
The Steam forums were defaced Sunday evening, and investigations showed that the intrusion extended to hacking the Steam database, Valve said.
Redirects for a hacking website, Fkn0wned.com, appeared on the Steam users’ forums on Sunday, gaming blog Kotaku reported. However, Fkn0wned.com denied responsibility, posting a statement to that effect on its site.
It’s Only Words
Valve said it doesn’t have evidence that encrypted credit card numbers or personally identifying information was stolen, or that the protection on credit card numbers or passwords was cracked.
Given that the database contained encrypted credit card numbers and personal information of members, including their email and billing addresses and purchases histories, that implies the hackers didn’t take any particularly valuable information. If that’s true, then why is it suggesting members watch their credit card activity and statements closely?
Perhaps Valve’s just being cautious.
“The risk is both in terms of being found negligent if someone has had their identity stolen and significant damage is done, or being found to have not complied with disclosure rules, which cover both the information stolen and the potential materiality of the exposure to the company penetrated,” Enderle Group Principal Analyst Rob Enderle told TechNewsWorld.
Confessing Isn’t Always a Good Thing
Would Steam members have been better served if Valve had alerted them that their accounts might have been compromised as soon as it discovered the forums had been defaced?
Already, some people have begun comparing Valve’s delay in notifying Steam members to Sony’s holding off on disclosing that its PlayStation Network had been hacked in mid-April.
That delay sparked a user backlash and dozens of class-action lawsuits against Sony.
“The burden is on the vendor to make timely disclosures, but it’s general practice to hold off until they at least have an idea about what has been compromised so they don’t unduly excite people or are forced to retract their comments,” Enderle said.
What Steam Members Should Do
Valve suggests Steam members keep a close eye on their credit card activity and statements, and it says all forum users will have to change their passwords the next time they login.
If members have used Steam forum passwords on other sites they should change those passwords as well.
Valve also suggested members change their Steam account passwords, which are separate from forum passwords, especially if the two are the same.
“One password per site is vital,” ICSA’s Thompson remarked.
Are Gamers Fair Game?
Sony’s PlayStation Network, with 75 million or so users, was hacked earlier this year; and now, Steam has been hit. Are gaming sites especially juicy targets for hackers, and if so, why?
“Lots of hackers are kids, and they may be doing this just for status,” Enderle suggested.
“In their eyes, a gaming site makes a more impressive target,” Enderle continued. “Think of [the hack] as graffiti for geeks.”