Valve notified users of the company's extremely popular online Steam gaming platform on Thursday that cyber-criminals had succeeded in stealing its Steam customer database in addition to hacking the online service's user forums last Sunday evening.
"We will reopen the forums as soon as we can," said Valve co-founder Gabe Newell in an online statement. "I am truly sorry this happened, and I apologize for the inconvenience."
Valve said it had encrypted the credit card information from customers stored on the company's servers. "We don't have evidence of credit card misuse at this time," Newell noted. "Nonetheless you should watch your credit card activity and statements closely," he advised.
In the wake of the notorious hacker attacks on the Sony PlayStation and Sony Pictures web sites earlier this year, companies doing business online have become more cautious about how they handle sensitive information, such as customer credit card numbers and other personal identification details. Still, Sophos security expert Paul Ducklin thinks companies like Valve could do more.
"Send an email to Steam asking why they encrypted credit card data and passwords, but apparently not the rest of its users' personally identifiable information," Ducklin advised Steam account holders in a blog. "In fact, send an email to every company with whom you do business online, and ask them how much of the data they hold about you is encrypted."
An Excellent Starting Map
Too many companies are simply treating payment card industry (PCI) compliance as if it were just another box they needed to check without thinking things through, Ducklin noted.
"They have taken the whole issue of PCI compliance as a security destination to be reached, rather than an excellent starting map for their security journey," Ducklin wrote.
Valve first became aware of the Steam intrusion last Sunday, when hackers defaced the online gaming platform's member forums and provided a link to the domain fkn0wned.com, which hosts community forums on topics such as computer security and hacking. However, the site's owners told media outlets earlier this week that the site had not been involved in the attack.
Upon discovering the intrusion, Valve shut down its own Steam forums, and Newell said further investigation revealed that the hackers had also gained access to the Steam customer files stored on the company's servers.
"This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information," Newell said.
Since the credit card details had been encrypted by Valve, it may prove difficult if not impossible for the hackers to crack open the files, depending on the robustness of the encryption algorithm that Valve used. On the other hand, Newell said, "we are still investigating."
Meanwhile, Newell advised Steam users to take the elementary precaution of immediately changing their Steam forum passwords. And if they use identical login credentials for both the Steam forum and a Steam gaming account, they would be well advised to switch to new site-specific passwords.
"We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords," Newell added.
Valve's online gaming platform Steam provides more than 35 million users worldwide with instant access to 1,800 game titles as well as interconnectivity with other Steam gaming enthusiasts. The extremely popular gaming service is currently available in 21 different languages and has active members in 237 countries around the world.