Friday, February 10th 2012

Valve Asks Users to Keep An Eye On Their Credit Card Usage

In November 2011, Valve admitted that its Steam forums were hacked, and some user data including encrypted credit card information and hashed passwords were stolen, and that pending investigation, it asked users to change their Steam passwords. Valve noted that at that time, it had not seen any evidence of encrypted data being hacked. Today, Valve issued an update to all its Steam members via e-mail, where it notified them that investigation is still in progress, that Valve is taking help of external agencies to investigate, and that it still sees no evidence of encrypted credit card data being tampered with. As a note of caution, though, it asked users to keep an eye on their credit card activity and statements.

The transcript of Valve's email to Steam users follows.

Dear Steam Users and Steam Forum Users

We continue our investigation of last year's intrusion with the help of outside security experts. In my last note about this, I described how intruders had accessed our Steam database but we found no evidence that the intruders took information from that database. That is still the case.

Recently we learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008. This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information. It did not include Steam passwords.

We do not have any evidence that the encrypted credit card numbers or billing addresses have been compromised. However as I said in November it's a good idea to watch your credit card activity and statements. And of course keeping Steam Guard on is a good idea as well.

We are still investigating and working with law enforcement authorities. Some state laws require a more formal notice of this incident so some of you will get that notice, but we wanted to update everyone with this new information now.

Gabe
Add your own comment

28 Comments on Valve Asks Users to Keep An Eye On Their Credit Card Usage

#1
mtosev
I haven't changed my Steam account password. should I worry? i'm not registered on the steam forum
Posted on Reply
#2
Crap Daddy
Haven't changed my password then and my credit card is in fact a debit card and my bank account is empty most of the time.
Posted on Reply
#3
WhiteLotus
by: Crap Daddy
Haven't changed my password then and my credit card is in fact a debit card and my bank account is empty most of the time.
These days the banks will let that money go out, and then charge you a fortunate for allowing your account to get like that. Best to keep an eye out.
Posted on Reply
#4
Kantastic
by: WhiteLotus
These days the banks will let that money go out, and then charge you a fortunate for allowing your account to get like that. Best to keep an eye out.
I made sure that my card cannot be overdrawn. :)
Posted on Reply
#5
CJCerny
That credit card data is encrypted to hell and back--very little chance they will be able to unencrypt it and reassemble it. It is possible but, at best, they'll get just a handle of cards--definitely not all the users.
Posted on Reply
#6
mrw1986
by: Kantastic
I made sure that my card cannot be overdrawn. :)
Here's something most people don't know about that feature...

The only kind of purchase that won't overdraw your account is if it's swiped physically. Making purchases online and EFT's will still overdraw your account. How do I know? I accidentally overdrew my account with an online purchase even though I used my debit card. They refunded me the charge because of a misunderstanding, but the new regulation clearly states it only prevents overdraws from an actual swipe of the card.

Edit: Also, as far as I know this is a standard regulation set down by the government. It's part of the opt-in/opt-out overdraw legislature.
Posted on Reply
#7
stinger608
Dedicated TPU Cruncher & Folder
And that is why I only use my PayPal account for Steam, Amazon, NewEgg, etc...

PayPal is a PITA and many will flame the hell out someone using their services, however none of your credit card/debit card information is forwarded to online retailers.
Posted on Reply
#8
DRDNA
Hmmm...I wonder why I never received the email warning from steam? I just double triple checked too.:confused:
Posted on Reply
#9
nickbaldwin86
reason why I never put a debit/credit card on file at Steam... Paypal FTW! :rockout:
Posted on Reply
#10
Disruptor4
The details from my billing address are default to a non existent address and billing details are not in there AFAIK.
Posted on Reply
#11
RejZoR
Interesting, i never got any e-mail notification from Valve regarding this matter. I only found out about all this on various forums.
Posted on Reply
#12
theJesus
by: stinger608
And that is why I only use my PayPal account for Steam, Amazon, NewEgg, etc...

PayPal is a PITA and many will flame the hell out someone using their services, however none of your credit card/debit card information is forwarded to online retailers.
Amazon doesn't accept PayPal . . .
Posted on Reply
#13
Mussels
Moderprator
by: DRDNA
Hmmm...I wonder why I never received the email warning from steam? I just double triple checked too.:confused:
i didnt get it either. maybe they only sent it to the region who's files got hacked?
Posted on Reply
#14
RejZoR
Are you sure? I've ordered some stuff from Amazon UK and i think my sister paid with PayPal. Or do they store credit card info like Steam does?
Posted on Reply
#15
theJesus
by: Mussels
i didnt get it either. maybe they only sent it to the region who's files got hacked?
I think it's just for people registered on the forums.
by: RejZoR
Are you sure? I've ordered some stuff from Amazon UK and i think my sister paid with PayPal. Or do they store credit card info like Steam does?
They store CC info.
Posted on Reply
#16
cadaveca
My name is Dave
by: theJesus
I think it's just for people registered on the forums.
Nope, forum member, no email here.


I don't use CC or paypal for STEAM, so I don't care, nothing to be lost. But checking billing statements is always a good idea.


I get charged by the utility company for bloody rainfall, in land drainage charges, for example. Talking to my neighbours, very few even knew that was a charge.
Posted on Reply
#17
Bjorn_Of_Iceland
by: nickbaldwin86
reason why I never put a debit/credit card on file at Steam... Paypal FTW! :rockout:
But then you placed your debit/credit card detail on paypal so.. your back to square one.;)
Posted on Reply
#18
BlackOmega
by: mrw1986
Here's something most people don't know about that feature...

The only kind of purchase that won't overdraw your account is if it's swiped physically. Making purchases online and EFT's will still overdraw your account. How do I know? I accidentally overdrew my account with an online purchase even though I used my debit card. They refunded me the charge because of a misunderstanding, but the new regulation clearly states it only prevents overdraws from an actual swipe of the card.

Edit: Also, as far as I know this is a standard regulation set down by the government. It's part of the opt-in/opt-out overdraw legislature.
That depends on the bank. I have my account set up the same as you, however, my bank will not allow it to get overdrawn regardless of whether iys physically swiped oe used online. Only caveat, any auto payments will still go through. Auto payments such as a recurring bill that comes out that you specifically setup through the bank. Steam and paypal do not apply to the autopay definition..
Posted on Reply
#19
AsRock
TPU addict
by: cadaveca
Nope, forum member, no email here.


I don't use CC or paypal for STEAM, so I don't care, nothing to be lost. But checking billing statements is always a good idea.


I get charged by the utility company for bloody rainfall, in land drainage charges, for example. Talking to my neighbours, very few even knew that was a charge.
LMAO, we live in a house which has be devided into 2 places and there is one drainage system but both get charged.

Now you going have people putting plastic sheets over there houses and yard when it rains loool.


O yeah no email here either. Which if true they only sent them to who might of been had id stolen would mean there not telling the whole truth.
Posted on Reply
#20
Mussels
Moderprator
by: AsRock

O yeah no email here either. Which if true they only sent them to who might of been had id stolen would mean there not telling the whole truth.
no it doesnt. it means they're emailing the small percentage who were at risk.


american server but australian customer - why send me an email?
Posted on Reply
#21
RejZoR
Well, crooks don't really care if you're american, australian, slovenian or an alien. If you have a credit card that they can charge, they will.
Posted on Reply
#22
RejZoR
It turned out the message is not delivered through e-mail but through Steam when you login. Got it like an hour ago.
Posted on Reply
#23
ypsylon
Who the hell in the right frame of mind using $team anyway? Bloody trojan and spyware in disguise.
Posted on Reply
#24
RejZoR
I'm not sure where you're pulling this nonsense from, but Steam is nothing like trojan or spyware.
Posted on Reply
#25
horik
well i did buy From Dust some days ago on Steam with CC,they did not send me email
Posted on Reply
Add your own comment