I'll post a source when I'm feeling less lazy, but sounds like Steam was hacked and encrypted password, credit card, and account info was stolen.

Change your passwords, yo.

Here ya go: http://www.rockpapershotgun.com/2011/11/10/steam-hacked/

I don't even know what my password is to get in and change it. Fortunately though after the whole PSN fiasco I got my debit card renewed so my Steam details are out of date anyway now.

If you're not already using Steam Guard, use it. It pings your email with a confirmation code whenever you (or someone else) tries to logon Steam from a different computer. In fact, Steam Guard actually kicked in when I first tried to use Steam after installing a different motherboard in my PC, so it definitely works.

I don't remember the exact procedure to set it up, but you can find it in the Steam client in View > Settings > Account.

All sensitive information like passwords, cards and so on were encrypted, "hashed and salted"* so in theory it should be fine. Going to keep an eye on my debit card statement over the next few days regardless.





*Insert Gaben Fat Joke Here

From what it looks like, only the Forum was affected? But somehow they also got credit card info?

I can't even remember my Steam password, but I'm pretty sure it's unique to Steam, at least.

Edit: Though, this does make me happy about never storing credit card data with anyone. I hate it when things automatically save it, since I then have to go in and clear it out. For the slight convenience of not having to type stuff in, it's not worth the risk.

From what it looks like, only the Forum was affected? But somehow they also got credit card info?

"We learned that intruders obtained access to a Steam database in addition to the forums."

I note there's an option to "Deautherize all other computers", so I got that selected for now.

I note there's an option to "Deautherize all other computers", so I got that selected for now.

Glad to hear about this. I'm kind of annoyed that all these ancillary services I hardly ever use are getting hacked. I forget what the last one was, another one of these things, pretty recently...

Hm. I haven't bought anything from Steam with a credit card in at least a year, maybe longer. Do you suppose my credit card number is still on file there?

Is there any way to change account settings through the actual website and not the steam client? My steam client will not connect properly, and when I got into my account on the website I can't for the life of me figure out where you change things like your password.

Changed my Steam password already. Credit card hasn't shown anything strange yet but I'm keeping an eye on it all the same.

Hm. I haven't bought anything from Steam with a credit card in at least a year, maybe longer. Do you suppose my credit card number is still on file there?

If you saved your credit card information with them, I imagine it is still there regardless of how much time has passed. I imagine unsaved credit card information isn't kept there, but with hacking, not even a computer wizard would know!

it's not worth the risk.

The risk that you might, one day, have to politely request a new credit and/or debit card?

Hack sucks. Not as bad as say the PSN fiasco, at least so far. Since the hack happened within the forums, the exploit is in the forums and not steam itself, so that will be the thing that is down for awhile. Also it seems that valve already had measures in place to protect our info, instead of say Sony putting everything on text files. I changed my password just to be sure, but even then I am pretty sure steam guard will block anyone trying to get in.

The risk that you might, one day, have to politely request a new credit and/or debit card?

Well pretty much everyone who has had their identity stolen says it's a total nightmare to get the charges on the card reversed, the damage to your credit reversed, etc. Like a nightmarish merry-go-round of suckage. So yeah I tend not to store my credit card info on these websites either. I buy things so infrequently that typing in a 12 digit number every order doesn't seem like that big of a hassle.

Like insofar as I'm annoyed my password might be compromised (because like a dummy I tend to use the same one on more than one online website), I'm at least pretty much assured I don't have to worry about my credit card info getting stolen because I never stored it on Steam's server.

It's a good thing that I used my oldest password in the Steam forums. I only use that password in those sites where I'm too lazy to set up anything else.

Still no charges on my credit card, but I have had to rest my password a few times apparently due to bad login attempts (this is with US Bank for clarification). It's a hassle but it seems to be a sign that they don't have enough info about me to get any further than this. I still wish I knew what else I could do to improve my security there. I've also altered my Steam settings to deregister any computer but my main (which really only meant the laptop) and not to save my account credentials.

Changed my password and I'm keeping an eye on my debit card. Also, everyone should immediately activate steamguard and use the "deauthorize all other computers" option to make sure that intruders are locked out.

Bummer to hear that hacking is getting more rampant. Thanks for the heads up.

EDIT: Fortunately it looks like steam flushed any saved credit card info for added safety. I'm glad that they're on top of this.

I will say that Valve seems to have been handling the situation quite well, at least compared to the shitstorms that blew up around Sony and the PSN network. Have we heard anything yet about who did it and if they posted the info somewhere?

Yeah like I gotta get my password changed still and all but there's comfort in knowing that it's Valve dealing with this and not "durr let's store passwords on our server in plaintext durr a durr gnur hurrr blur wagurr hurr durr" PSN

Well that, and they're telling everyone right away instead of waiting a week or so before letting people know their credit card info might've been stolen.

Deatherize all other computers would have been a somewhat better option.

Well that, and they're telling everyone right away instead of waiting a week or so before letting people know their credit card info might've been stolen.

Well, they're not really. I haven't gotten an email about it or anything.

Deatherize all other computers would have been a somewhat better option.

I don't know if they automatically did that or not, I just manually did it for mine. At least they're doing a good job of recovery.

Also, everyone should immediately activate steamguard and use the "deauthorize all other computers" option to make sure that intruders are locked out. I'm trying to find this option. Where is it?

Go to Settings, then Steam Guard Account Security macallit (it's the top rectangle option thingy on the first tab). Then select the "deauthorize all other computers now" option and go to the next page of that window, it will then take you through the very quick process of it.

Ooohhh, I see the problem. I hadn't verified my email address in forever so I didn't have the option until I did that. Or I just overlooked it. That's totally an option too. Thanks!

fortunately I believe I made all my steam purchases through paypal so no information was stored with steam. Still changing password just to be safe.