Steam Hack: The Aftermath


It first came to public attention with the mishandled PSN hack: There are people out there who can, through one means or another, force their way into places they don’t belong, gaining access to servers that may hold some of your personal information. In the weeks and months following the PSN hack, gaming company after gaming company reported intrusions into their websites, servers and databases.

Valve was among them and, in a message sent out today, founder Gabe Newell details the fruits of these hackers’ labors:

Dear Steam Users and Steam Forum Users:

We continue our investigation of last year’s intrusion with the help of outside security experts. In my last note about this, I described how intruders had accessed our Steam database but we found no evidence that the intruders took information from that database. That is still the case.

Recently we learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008. This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information. It did not include Steam passwords.

We do not have any evidence that the encrypted credit card numbers or billing addresses have been compromised. However as I said in November it’s a good idea to watch your credit card activity and statements. And of course keeping Steam Guard on is a good idea as well.

We are still investigating and working with law enforcement authorities. Some state laws require a more formal notice of this incident so some of you will get that notice, but we wanted to update everyone with this new information now.


The message is viewable upon Steam start-up. While it’s good to see a degree of transparency in the company’s handling of this security breach, keeping its customers informed and aware, it’s unsettling that it took months to narrow things down to what information was “probably” compromised. Even though that information is years old and includes no passwords, the encrypted personal information could theoretically be decrypted, and enough of it might still be valid to cause headaches for individuals who’ve used Steam in the past.

By Shelby Reiches
