It's a d??«j??í vu reprise of the Sony gaming site attacks in April with Valve admitting that attackers compromised some forum accounts on the Steam gaming service and also accessed a database containing credit card data
In a two-pronged attack, cyber-attackers have broken into a
database belonging to the Steam videogame service that contained credit card
information for an unknown number of users.
After unknown perpetrators defaced the Steam discussion
forums a little over a week ago, investigators discovered the same attackers
had accessed at least one database belonging to the gaming service, said Valve
in a message to users on Nov. 10. Steam is a service that lets people buy,
download, play and chat about games. Not all the games on the site are made by
Valve, and include prominent titles such as Skyrim, LA Noire, Call of Duty, and
Modern Warfare 3.
Valve took the defaced Steam discussion forums offline after
the Nov. 6 incident, claiming it was for maintenance purposes. During that
investigation, Valve discovered that the breach went "beyond the Steam
forums," Valve co-founder Gabe Newell said in the statement on Nov. 10.
Attackers had gained access to a Steam database that held usernames, hashed and
salted passwords, game purchases, email addresses, billing addresses and credit
card information, Newell said.
"We learned that intruders obtained access to a Steam
database in addition to the forums," Newell wrote in the statement. It was
not clear whether the database contained all 35 million active Steam accounts
or if it was a subset.
Valve said it had not seen any evidence to date indicating that
credit card information had been misused, nor was there any evidence of
accounts being accessed illegally.
"Gaming companies are the new gold mine of consumer
identity information for hackers," Wasim Ahmad, data protection expert and
a vice-president at Voltage Security, told eWEEK. Until recently, gaming
companies haven't really paid attention to security to the extent that
financial institutions have, Ahmad said.
Network and Sony Online Entertainment
services were attacked mid-April, and
over a 100
million user accounts
were compromised. Like Valve, Sony initially took the
services offline for "maintenance" and admitted
to the breach
about a week later.
Unlike Sony, which had a myriad of security issues including
data being stored using a weak hashing algorithm, it appears Valve had
encrypted the credit card information. This makes it likely that even if
attackers had stolen the data, they would not be able to decrypt the file to
use the information.
In the Steam attack, the perpetrators originally attacked
the service's discussion forums after compromising a few accounts. The login
details used in this attack was then used to access a database containing ID
and credit card data. Even though only a
"few" forum accounts have been compromised, Valve will be requiring
all forum users to change their passwords, according to the statement.
Newell recommended that users change passwords on other
sites if they had reused the Steam password elsewhere. Valve also suggested enabling Steam Guard, a
service provided by Valve where users are notified by email every time someone
tries to login to the account from unknown hardware.
The Steam discussion forum accounts themselves do not appear
to be impacted, so Valve will not require users to change them, although it
"wouldn't be a bad idea to change that as well," Newell wrote,
especially if the passwords were the same.
"Hackers always find a way to get to the data, so
securing data itself is a main priority," Ahmad said. Looking for evidence
of tampering or just trying to keep intruders from breaching the servers was
not "sufficient," he said.
Valve also apparently used the vBulletin software for its
discussion forums. The platform is commonly targeted by online attackers using
cross-site scripting and SQL injection techniques. From looking at Valve's main
page, it appears that the company was using an older version, 3.x, instead of
the newer 4.x.