Back in November of last year, Valve’s Gabe Newell sent out a notice to Steam users that the Steam database had been breached, and that some user data had possibly been taken. Details on what exactly happened were slim, but now we know a little more.
Newell once again sent out an email today to update Steam users on the situation, and in the email he said that the company confirmed that some personal data was compromised in the breach, including usernames, email addresses, and possibly even encrypted billing addresses and encrypted credit card information. However, Newell said that hackers didn’t take information directly from the database, but rather a backup file containing Steam transaction information. This means that your Steam passwords appear to be safe.
Fortunately, Newell went on to say that, as of now, there has been no evidence to suggest that hackers were able to gain access to the encrypted billing addresses and passwords. Still, he suggests that you keep a close eye on your credit card statements just to be on the safe side.
Below is the letter from Gabe Newell in full.
Dear Steam Users and Steam Forum Users
We continue our investigation of last year’s intrusion with the help of outside security experts. In my last note about this, I described how intruders had accessed our Steam database but we found no evidence that the intruders took information from that database. That is still the case.
Recently we learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008. This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information. It did not include Steam passwords.
We do not have any evidence that the encrypted credit card numbers or billing addresses have been compromised. However as I said in November it’s a good idea to watch your credit card activity and statements. And of course keeping Steam Guard on is a good idea as well.
We are still investigating and working with law enforcement authorities. Some state laws require a more formal notice of this incident so some of you will get that notice, but we wanted to update everyone with this new information now.