Last November, in a story Hardware Canucks broke, Valve admitted that hackers had gained access to the Steam database and had pulled out countless user names, passwords, and other information. Now, Valve has admitted that there is a possibility that last year’s breach was more extensive than originally thought.
In an email sent to Steam users Friday afternoon, from Gabe Newell, the company admitted that it is “probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008.”
“This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information. It did not include Steam passwords.”
Mr. Newell stressed that there is no evidence that hackers have broken the encryption on the stolen file, as it was hashed and salted. He added that using Steam Guard and keeping a vigilant watch over one’s credit card statements was a good idea.
The email also mentioned that Steam is still investigating and working with law enforcement officials to track down those responsible.
Valve has yet to respond to Hardware Canucks’ request for comment.
The transcript of Valve’s email to Steam users is below:
Dear Steam Users and Steam Forum Users
We continue our investigation of last year’s intrusion with the help of outside security experts. In my last note about this, I described how intruders had accessed our Steam database but we found no evidence that the intruders took information from that database. That is still the case.
Recently we learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008. This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information. It did not include Steam passwords.
We do not have any evidence that the encrypted credit card numbers or billing addresses have been compromised. However as I said in November it’s a good idea to watch your credit card activity and statements. And of course keeping Steam Guard on is a good idea as well.
We are still investigating and working with law enforcement authorities. Some state laws require a more formal notice of this incident so some of you will get that notice, but we wanted to update everyone with this new information now.