If you have an account over at Steam or are a member of the forums there, consider this a PSA. On Sunday, the Steam forums were compromised by a group known as ‘Fkn0wned’, and announcements were altered to link back to their website. At the same time, the group used vBulletin’s built-in mass-mailer feature and sent spam to many members (including me).
At first glance, the harm seemed minimal. Gaining access to vBulletin’s admin panel only gets you a limited amount of access to the raw database, so it seemed as though the group either brute-forced their way into a moderator or administrator account, somehow gained the password, or took advantage of an exploit.
In an e-mail sent out by Valve earlier tonight, however, it was confirmed that the main site’s database was also compromised. In this database are stored e-mail addresses, billing addresses, game purchases, hashed passwords and their salts, and credit card information – thankfully encrypted.
When the Steam forums are restored, users will be required to change their password, but on the main site, it won’t be a requirement, as Valve sees no proof that any data has been compromised. I don’t agree with this, and would highly recommend you change both your main Steam and forum passwords – especially if they are the same. There was proof that this group gained access to that database, so there’s no reason to believe that they didn’t download as much of it as they could before leaving their mark.
Here’s the verbatim e-mail sent by Valve:
Dear Steam Users and Steam Forum Users:
Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.
We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.
We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.
While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.
We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.
We will reopen the forums as soon as we can.
I am truly sorry this happened, and I apologize for the inconvenience.
Gabe.