When Valve revealed last night that its Steam online gaming service had been hacked and a database with user login and credit card info gutted, was anyone surprised? Steam harbors over 1,400 games and hosts some 35 million active users. It’s the largest PC games digital distribution platform in the world by titanic margins. To hackers, that translates as “smorgasbord.”
Valve’s forums were “defaced” last Sunday, November 6, at which point Valve took them down and presented passerby with an “undergoing maintenance” message. We’ll probably never know when Valve became aware Steam user info had also been accessed, but like Sony before them, the company says it spent several days investigating before it discovered the intrusion went “beyond the Steam forums.”
“We learned that intruders obtained access to a Steam database in addition to the forums,” wrote Valve bigwig Gabe Newell in a note to Steam users Thursday evening. “This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.”
What was actually gleaned from the database? Valve says it doesn’t yet “have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked,” but that it’s “still investigating.”
I can imagine Sony CEO Howard Stringer, as he reads about this, muttering “Welcome to the club, Gabe.”
Sony followed a similar trajectory last April, at first claiming its PlayStation Network was down for maintenance (and implying the trouble was internal and technical), then confessing a few days later that the service had suffered an “external intrusion.” It took Sony until the seventh day to admit hackers had compromised databases containing sensitive personal information—Valve, by contrast, got the word out more quickly, giving us a heads up by the fourth. I used to be a network engineer for a large Fortune 500 company, and can say most well-staffed corporations know whether a breach occurred shortly after it’s happened, but sourcing the perps and running packet-level analyses to verify who went where and what they accessed can take days.
Sony’s online service was down for over a month, including the option to buy or download games, access online third-party services or play against others competitively. Valve’s only had to shutter its user forums, and for the moment, Steam gaming’s in the clear. Valve seems to be reacting faster than Sony did, and they’re taking less punitive measures.
But it raises a serious question: What if Steam had gone down because of the hack? We’d lose online play, of course, but many would also lose the ability to play anything, on or offline. Steam allows offline play, but you have to store your login information locally to do so—a no-no, as far as security “best practices” go. Were Steam to suffer an outage, it’d be game over for anyone observing recommended security measures.
Are we trading away long-term control for short-term convenience with services like Steam? Assuming that companies like Valve are smart enough to stave off dedicated hack attacks, despite an upswing in infiltrations?
It’s a tossup for me at this point. If Steam ever does suffer a catastrophic outage, it’ll be easy to look back and lambaste the service, but when Steam works, it’s a beautiful thing, and what it combats—rampant PC game piracy—may be one of the most important factors keeping PC gaming alive and kicking.