Steam Forum Downtime Follow-up; Steam Also Breached

Valve confirms indications from earlier this week that the downtime on the Steam Users' Forums was the result of a break-in, revealing that the Steam service itself also suffered an intrusion. Here is a message from Valve's Gabe Newell explaining the situation:
Dear Steam Users and Steam Forum Users,

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don't have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn't be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.
View : : :
49.
 
Waiting to warn is irresponsible.
Nov 10, 2011, 20:45
49.
Waiting to warn is irresponsible. Nov 10, 2011, 20:45
Nov 10, 2011, 20:45
 
DrEvil wrote on Nov 10, 2011, 18:36:
Giving details before they could confirm what happened would have been irresponsible.
Absolutely not! The responsible thing to do when you suspect a breach has occured is to alert those customers who may be affected immediately so that they can take precautions. It is much better to err on the side of caution because there is no harm done to the customer for being wrong. Protecting customers first NOT a company's reputation should be the priority.

Four days to properly assess the situation, ensure all systems were secure again, and to determine exactly what caused the damage does not seem unreasonable.
Of course it is unreasonable because first, it gave the crooks a four day headstart to exploit the information they stole. Waiting does nothing to help customers protect themselves in the meantime. Second, it is highly likely that Valve will never fully know the scope of the breakin especially after only four days time. So again waiting doesn't help customers and puts them at further risk. In addition expecting that everything is safe and secure after only four days is absolutely laughable especially when the people making that pronouncement are the same incompetent or irresponsible fools who didn't prevent or stop the breakin in the first place.

These are problems that you can't just throw a huge amount of people at to solve; it takes time.
Sure, it takes time to fix, but NOT to warn. Waiting to warn customers so they can take steps to protect themselves is irresponsible, and it is only done so that a company can keep from looking bad in case it was wrong about a breach.
Date
Subject
Author
 49.
Nov 10, 2011Nov 10 2011
  Waiting to warn is irresponsible.
53.
Nov 10, 2011Nov 10 2011
54.
Nov 10, 2011Nov 10 2011
66.
Nov 11, 2011Nov 11 2011
67.
Nov 11, 2011Nov 11 2011
      removed
68.
Nov 11, 2011Nov 11 2011
27.
Nov 10, 2011Nov 10 2011
34.
Nov 10, 2011Nov 10 2011
40.
Nov 10, 2011Nov 10 2011
47.
Nov 10, 2011Nov 10 2011
41.
Nov 10, 2011Nov 10 2011
43.
Nov 10, 2011Nov 10 2011
58.
Nov 10, 2011Nov 10 2011
51.
Nov 10, 2011Nov 10 2011
59.
Nov 10, 2011Nov 10 2011
60.
Nov 10, 2011Nov 10 2011
61.
Nov 10, 2011Nov 10 2011
62.
Nov 10, 2011Nov 10 2011
64.
Nov 11, 2011Nov 11 2011
65.
Nov 11, 2011Nov 11 2011
76.
Nov 12, 2011Nov 12 2011