The apparently low-key attack on Valve’s Steam gaming distribution network reported last week has turned out to be much more serious with attackers breaking into its user database, the company has now admitted.
First indications were that attackers had simply defaced the forum website on 6 November, causing it to be taken down as a precaution. In a disturbing echo of the major Sony hack from earlier this year, however, Valve has now admitted that the attackers also managed to hack into its 35 million-user database, a potential calamity.
Compromised data included user names, billing addresses, details of game purchases (the site is a major game ecommerce operation) and email addresses.
Credit card numbers are believed to be safe although Valve has advised users – or their parents – to watch statements for fraudulent activity.
“We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked” said Valve head Gabe Newell in a message to the entire community. “We are still investigating.”
The company said it would enforce a password change on all forum users with full Steam accounts being unaffected as long as users had not used the same password for both logins.
“I am truly sorry this happened, and I apologize for the inconvenience,” said Newell.
The Valve compromise is the second big attack on a gaming company this year, beaten only in size and significance by that of Sony in April. In that attack, the accounts of 77 million customers were compromised after portions of the company’s databases were stolen.
In some ways, the Valve Steam hack is more significant - the company acts a distribution hub for a large number of third-party games titles and not simply those tied to a single hardware platform.