Steam Breach Follow-up

Valve has issued an update from Gabe Newell with more on the breach of the Steam service late last year. Apparently more information was compromised than was originally believed:

Dear Steam Users and Steam Forum Users

We continue our investigation of last year's intrusion with the help of outside security experts. In my last note about this, I described how intruders had accessed our Steam database but we found no evidence that the intruders took information from that database. That is still the case.

Recently we learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008. This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information. It did not include Steam passwords.

We do not have any evidence that the encrypted credit card numbers or billing addresses have been compromised. However as I said in November it's a good idea to watch your credit card activity and statements. And of course keeping Steam Guard on is a good idea as well.

We are still investigating and working with law enforcement authorities. Some state laws require a more formal notice of this incident so some of you will get that notice, but we wanted to update everyone with this new information now.

Gabe


51. Re: jtw321@gmail.com Feb 12, 2012, 20:09 Flatline
 
Mashiki Amiketo wrote on Feb 11, 2012, 07:08:
Flatline wrote on Feb 11, 2012, 03:23:
Dude, this breach happened THREE YEARS AGO and they just "found out about it" in the recent past. Which is, to put it mildly, a cock-up of epic proportions.
Wait did someone mention that you missed the part where this was already stored data, and it wasn't "three years ago" but rather from the same breach. Sometimes I think this is why it would be better if they simply didn't report things like this. People see earlier dates, jump on their asses, flail about, scream that the sky is falling. When in fact, they've simply misread it.

What you're saying and what the email from Valve said are totally different. So let me post the full email:

If you have accessed your Steam account since November 10, 2011 you know that we had a network intrusion. We learned about this intrusion when the Steam forums were defaced on November 6. Since then our investigation of this intrusion has continued with the help of outside security experts. We now have additional information we would like to share with you. We are providing this information to you in this formal way because it might be required by your state's law.

We've recently learned that it is probable that in 2009 the intruders obtained a copy of a database with information about Steam transactions between 2004 and 2008. This database contained user names, email addresses, encrypted billing addresses and encrypted credit card information. We do not have any evidence that the encryption on credit card numbers and billing addresses has been compromised. We are still investigating and working with the Seattle FBI office.

We don't have evidence of credit card misuse. Nonetheless, you should watch your credit card activity and statements closely.


Now. I bolded my original quote. There are two intrusions mentioned in this email. One in 2011, one in 2009.

They announced that they *just* determined that in 2009 the salted hashes and other data were stolen. This is in addition to anything they discovered from the 2011 attack or the original "investigation" of the 2009 attack (if they even investigated it).

My criticism is that it took 3 years for them to determine the real damage of the 2009 intrusion. And apparently they only realized this because of the 2011 intrusion. That's pretty sloppy work. I have to ask what else have they missed?
 