Valve Admits Steam Gaming Service Hack
Another gaming service has suffered a damaging hacking attack, but this time it is Valve’s Steam not Sony
Seven months after Sony’s gaming sites were hacked, Valve has admitted that attackers compromised some forum accounts on the Steam gaming service.
Even worse, it said the hackers also accessed a database containing credit card data.
In a two-pronged attack, cyber-attackers broke into a database belonging to the Steam videogame service that contained credit card information for an unknown number of users.
After unknown perpetrators defaced the Steam discussion forums a little over a week ago, investigators discovered the same attackers had accessed at least one database belonging to the gaming service, said Valve in a message to users on 10 November. Steam is a service that lets people buy, download, play and chat about games. Not all the games on the site are made by Valve, and include prominent titles such as Skyrim, LA Noire, Call of Duty, and Modern Warfare 3.
Valve took the defaced Steam discussion forums offline after the 6 November incident, claiming it was for maintenance purposes. During that investigation, Valve discovered that the breach went “beyond the Steam forums,” Valve co-founder Gabe Newell said in the statement on 10 November. Attackers had gained access to a Steam database that held usernames, hashed and salted passwords, game purchases, email addresses, billing addresses and credit card information, Newell said.
“We learned that intruders obtained access to a Steam database in addition to the forums,” Newell wrote in the statement. It was not clear whether the database contained all 35 million active Steam accounts or if it was a subset.
Valve said it had not seen any evidence to date indicating that credit card information had been misused, nor was there any evidence of accounts being accessed illegally.
“Gaming companies are the new gold mine of consumer identity information for hackers,” Wasim Ahmad, data protection expert and a vice-president at Voltage Security, told eWEEK. Until recently, gaming companies haven’t really paid attention to security to the extent that financial institutions have, Ahmad said.
Sony’s PlayStation Network and Sony Online Entertainment services were attacked mid-April, and over a 100 million user accounts were compromised. Like Valve, Sony initially took the services offline for “maintenance” and admitted to the breach about a week later.
Unlike Sony, which had a myriad of security issues including data being stored using a weak hashing algorithm, it appears Valve had encrypted the credit card information. This makes it likely that even if attackers had stolen the data, they would not be able to decrypt the file to use the information.
In the Steam attack, the perpetrators originally attacked the service’s discussion forums after compromising a few accounts. The login details used in this attack was then used to access a database containing ID and credit card data. Even though only a “few” forum accounts have been compromised, Valve will be requiring all forum users to change their passwords, according to the statement.
Newell recommended that users change passwords on other sites if they had reused the Steam password elsewhere. Valve also suggested enabling Steam Guard, a service provided by Valve where users are notified by email every time someone tries to login to the account from unknown hardware.
The Steam discussion forum accounts themselves do not appear to be impacted, so Valve will not require users to change them, although it “wouldn’t be a bad idea to change that as well,” Newell wrote, especially if the passwords were the same.
“Hackers always find a way to get to the data, so securing data itself is a main priority,” Ahmad said. Looking for evidence of tampering or just trying to keep intruders from breaching the servers was not “sufficient,” he said.
Valve also apparently used the vBulletin software for its discussion forums. The platform is commonly targeted by online attackers using cross-site scripting and SQL injection techniques. From looking at Valve’s main page, it appears that the company was using an older version, 3.x, instead of the newer 4.x.