Earlier this week, the Steam user forums, where gaming fans gather to discuss a wide range of titles from Left 4 Dead to Call of Duty, in addition to the Steam platform itself, were defaced, causing some to fear the worst. On Thursday, Valve – the software company behind Steam and several popular games – confirmed those fears.
Steam is a gaming platform where gamers can buy and download more than a thousand games, from classic shooters to new releases, and play them from any computer. The Steam service is also backed by a large gaming community on the forums, and many of them use the service to chat as they play.
In a message posted to users, Valve said that its investigation into the forum defacement revealed that the attack was much larger.
“We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating,” the statement to the community explained.
“While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.
“We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.”
The forums run vBulletin, a platform commonly targeted by attackers online. It is currently unknown if Valve uses the vBulletin publishing platform or just the forum software, but both offerings have had several security releases this year. Currently the platform is on version 4.x, while Valve is reporting 3.x on their main page.
Several of the vulnerabilities disclosed and patched on the vBulletin platform are related to XSS and SQL injection, both of which are avenues of attack that could be used to gain access to the database in question.
In the meantime, forum access remains restricted until things are sorted out. While nowhere near the scope of the attack on Sony, Valve does have millions of accounts on the Steam service, and thousands more on the forums. If the Steam accounts were compromised as well, this could get ugly.