Steam gets hacked, with data on 35 million users accessed by hackers, including (encrypted) credit card numbers
2011 may very well be the year of hacking, at least for gaming companies. With Sony still recovering from the PSN hacking and data theft, the news this week is that the popular PC (and Mac) digital gaming platform, Steam, has been hacked.
Originally, it was thought only the Steam Forum, which is separately run from the Steam store (and has different sets of logins), was hacked and defaced, but further investigation from Steam has found that the main Steam database has been accessed as well.
Gabe Newell, head of Valve, the company behind Steam, posted a message on the forum main page revealing the full extent of the intrusion, at least what is currently known anyway. "We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating," Newell's post stated.
The security technique of using hashed and salted passwords is a common one (one which unfortunately Sony did not use for the PSN), and it is designed to make it harder for hackers to reveal the plain text password, if they do not have access to the hashing and salting algorithm. But without more details about what hackers have access to, and what kind of encryption was used for the credit card numbers, the full scale of the damage cannot be known at present.
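The effect of salting on a stolen password table can be shown in a few lines. This is an added example, not code from Valve or from the original article; the article does not say which algorithm Steam used, so PBKDF2-HMAC-SHA256, the iteration count, the function names and the sample accounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor, chosen for this example only

def unsalted_record(password: str) -> bytes:
    """Weak form: a bare hash, identical for every user with this password."""
    return hashlib.sha256(password.encode()).digest()

def salted_record(password: str) -> tuple[bytes, bytes]:
    """Per-user random salt plus a slow key-derivation function."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def duplicate_groups(digests: dict[str, bytes]) -> list[list[str]]:
    """Users whose stored digests match, i.e. password reuse visible in a dump."""
    by_digest: dict[bytes, list[str]] = {}
    for user, digest in digests.items():
        by_digest.setdefault(digest, []).append(user)
    return [sorted(users) for users in by_digest.values() if len(users) > 1]

# Constructed sample accounts; alice and carol share a password.
SAMPLE = {"alice": "hunter2", "bob": "correct horse", "carol": "hunter2"}

def compare_schemes() -> tuple[list[list[str]], list[list[str]]]:
    """Return the duplicate groups seen under each storage scheme."""
    unsalted = {u: unsalted_record(p) for u, p in SAMPLE.items()}
    salted = {u: salted_record(p)[1] for u, p in SAMPLE.items()}
    return duplicate_groups(unsalted), duplicate_groups(salted)

if __name__ == "__main__":
    print(compare_schemes())
```

With unsalted hashes the two accounts sharing a password are visibly linked in the table; with per-user salts every stored value is different, so each record has to be worked on separately.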
Also unknown are the details of the credit card storage. The Steam store can store user credit card details to speed up the next purchase, but this is an optional feature that users have to specifically opt in to, so it could be the case that many users would not have their credit card details stored in the database, especially if they haven't purchased anything recently.
Ironically, one of the more hated security features of Steam may help users keep their accounts secure. Steam Guard works by requiring users to retrieve and input a passcode whenever they try to access Steam on a new computer. Users complain that Steam Guard asks for the passcode too frequently, even after simply restarting their current authorized computer, and about not receiving the email containing the passcode. But thanks to Steam Guard, hackers may have difficulty accessing user accounts even if they manage to get the plain text password, as they would still require a passcode which would only be delivered to the user's email.
Steam has temporarily closed the forum and has promised to release more details as it has them. Users are encouraged to change their Steam passwords, and if the same password has been used for other accounts, to change those passwords as well.