I got a disturbing message on my Steam account, today:
…intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.
I’m unimpressed. Credit card data was in the same database as user data, purchase history, billing address, etc? To me, that means either: 1) They kept a whole bunch of information in a PCI-DSS secured vault at great expense, as getting data into and out of such a vault is difficult by design, or 2) They were storing credit card data outside of a PCI-DSS vault in direct violation of the guidelines set forth by Visa, MasterCard, etc.
I’m also disturbed by the cagey language. “We do not have evidence that … credit card numbers … were taken by the intruders.” Given that it apparently took them 4 days from the forum defacement until the general announcement, I’m insufficiently impressed with their reported forensics to think that their lack of evidence for some activity means an absence of that activity. Who knows how long they were in breach even before the forum defacement that caused them to stumble over the broader breach? I’m also curious what algorithm was used for the credit card encryption. And where was the encryption key kept? Was it potentially exposed as well?
Of course, I’m also sympathetic. When I was with Linden Lab, we suffered a database breach as well. We ended up forcing a change to everyone’s passwords, pulling an all-nighter to implement new password recovery measures, manning the telephones to personally talk with affected customers and help them validate their accounts and change their passwords. Credit card data, however, was never exposed, nor at risk at the level of penetration the attacker reached.
Ironically, I had a conversation with Valve nearly a year ago. I’d heard they were looking for some international payment expertise and I got in touch. They ended up not thinking that I was what they needed, but at least I was able to put them in touch with the great people at Envoy. They apparently didn’t connect either. I wish they’d gotten someone in though, and that someone had taken a good, hard look at their credit card processing and storage. They’d have been able to write a much less embarrassing letter. The full text of the note follows the break, but it ends with “I am truly sorry this happened, and I apologize for the inconvenience.” I believe they’re sorry it happened, but this is still such a milquetoast apology. If I had to write that letter it would say something a little stronger, something like: “I’m deeply disappointed that we failed to maintain the trust you put in us when you shared your personal information with us, and we’re going to do everything we can to redouble our security efforts to ensure this sort of thing never happens again and to earn back your trust and loyalty as our most valued resource – our customer.”
In the meanwhile, if you have a Steam account, do yourself a favor:
Change your Steam password
Change your password anywhere else you used the Steam password (you know you did)
Remove your payment information from Steam until they can demonstrate they can be trusted with it