"Our Steam forums were defaced on the evening of Sunday, Nov. 6," said Gabe Newell, co-founder and managing director of Steam parent company Valve, in a statement on the company's website. "We began investigating and found that the intrusion goes beyond the Steam forums.
"We learned that intruders obtained access to a Steam database in addition to the forums," Newell wrote. "This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information."
Valve can't say for sure whether the hackers got away with any personally identifying information, but it did say the credit card numbers were encrypted.
"We are still investigating," the statement says. "We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely."
Only "a few forum accounts" have been compromised, according to Newell, but all forum users will be required to change their passwords. "We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords, which are separate from forum passwords," the statement says. "However, it wouldn’t be a bad idea to change that as well."
Steam will reopen its forums "as soon as we can," the statement says.
"Gaming companies are the new gold mine of consumer identity information for hackers," says Wasim Ahmad, data protection expert and vice president at security vendor Voltage Security. "Few of them have thought about security the way that, say, financial services companies do.
"Truth is, hackers always find a way to get to the data, so securing data itself is a main priority," Ahmad says. "Looking for evidence of tampering or trying to keep intruders out is not a sufficient security strategy."