BreachExchange mailing list archives

Last Year's Steam Security Breach More Extensive Than Originally Thought


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sat, 11 Feb 2012 01:45:57 -0500

http://www.1up.com/news/year-steam-security-breach-extensive

Last November, Valve revealed that hackers gained access to sensitive
Steam user information, including user names, billing addresses, and
encrypted credit card information. Via a message from company founder
Gabe Newell, Valve informed users of the security breach but
added, "We do not have evidence that encrypted credit card numbers or
personally identifying information were taken by the intruders, or
that the protection on credit card numbers or passwords was cracked."

Nearly three months later Valve is still attempting to assess the
damage, which, according to a second message from Newell received by
Steam users today, was more extensive than originally thought.
"Recently we learned that it is probable that the intruders obtained a
copy of a backup file with information about Steam transactions
between 2004 and 2008. This backup file contained user names, email
addresses, encrypted billing addresses and encrypted credit card
information. It did not include Steam passwords," writes Newell.

While frightening, users shouldn't lose any sleep over the news just
yet. "We do not have any evidence that the encrypted credit card
numbers or billing addresses have been compromised. However as I said
in November it's a good idea to watch your credit card activity and
statements. And of course keeping Steam Guard on is a good idea as
well," adds Newell.

The incident is just one amongst many high-profile security breaches
to take place in the last twelve months. Last year's disastrous
PlayStation Network breach seemed to trigger a wave of similar
incidents. As alarming as these cases can be, you shouldn't worry too
much about the breach. As Newell pointed out, Valve did not uncover
any evidence indicating that the hackers have broken the encryption on
the most sensitive information. That said, Steam users should take
some extra time to double check their credit or debit card statements
in the coming months. Just because these hackers didn't break Valve's
encryption yet doesn't make it impossible or prevent the criminals
from selling the files to those who can.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
