Steam – one of the world’s largest distribution networks for online video games – has been hacked, leaving the accounts of 35 million users vulnerable and potentially exposing their credit card details and billing addresses to hackers.
It follows the prominent hacking of Sony’s PlayStation network in April, which affected 77 million accounts globally, 1.5 million of which were Australian.
Valve, the company behind Steam, issued a message to users informing them of the breach today. In it, company head Gabe Newell said its online forums were defaced on Sunday November 6 in the US and that on further investigation it found that the intrusion went “beyond the Steam forums”.
The company learned, he said, that the intruders also obtained access to a Steam database which contained “information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information”.
As yet there was no evidence that encrypted credit card numbers or personally identifying information was taken by the intruders, or that the protection on credit card numbers or passwords was cracked, Mr Newell said, but added that the company was still investigating. “We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.”
While the company only knew of a “few forum accounts” being compromised, it said all forum users would be required to change their passwords the next time they signed in. “If you have used your Steam forum password on other accounts you should change those passwords as well.”
The company didn’t yet know of any compromised Steam accounts and was not planning to force a change of Steam account passwords (which are separate from forum passwords). “However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password,” Mr Newell said.
He said he was “truly sorry” and apologised for the inconvenience caused.
Security expert at Sophos in Australia, Paul Ducklin, said the good news about the Steam hack was that the “abusable data” in the haul like credit card information was stolen in an encrypted form. “So as long as the crooks can’t decrypt it, you’re OK.” But he said because Valve hadn’t clarified exactly what type of encryption was used, experts and users were left wondering whether it was good enough.
Ty Miller of Australian security firm Pure Hacking said any security breach that led to personally identifiable information or credit card details being stolen warranted a serious investigation into how the intruder gained access to the systems, what the intruder has done to the systems, whether they still have access and what data they have stolen.
He said users should change their Steam passwords, as well as passwords on any related systems. “If users have the same password for many of their applications then they should change those also. Although credit card details were apparently encrypted, users should monitor their transactions for suspicious activity,” he said.
Users should also ensure that they have anti-virus installed and up to date in case the attacker had placed malware onto the website targeted towards infecting visitors’ computers, he said.
The lack of convictions for internet-related crimes encouraged hackers to continue to break into organisations’ systems “without fear”, he added.