> series: anatomy_of_a_breach —— part: 035 —— target: steam_valve —— accounts: 35,000,000 —— data: credentials_payment_info
On 10 November 2011, Valve Corporation's Gabe Newell posted a message to the Steam community forums disclosing that hackers had breached the Steam platform and gained access to a database containing the personal information of approximately 35 million registered users. The compromised data included usernames, hashed and salted passwords, email addresses, billing addresses, and encrypted credit card information. The breach was discovered during the investigation of a separate DDoS attack on the Steam forums.
While Valve stated that the password hashing and credit card encryption should protect users from immediate exploitation, the company advised all users to change their passwords and monitor their credit card statements for suspicious activity. The breach followed the devastating Sony PlayStation Network hack by seven months, establishing that gaming platforms — with their enormous user bases, stored payment details, and valuable digital assets — were firmly in the crosshairs of attackers.
We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.
Unlike Sony (which stored passwords with inadequate hashing) and Sony Pictures (which stored passwords in plaintext), Valve had hashed and salted user passwords and encrypted credit card data. This meant that, although the database was exfiltrated, the data was not immediately usable by the attackers. Proper password storage and payment data encryption are exactly the controls our web application testing verifies — and the controls whose absence made the Sony breaches so catastrophic.
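To make the distinction concrete, here is an added illustration (our own example, not Valve's or Sony's code) of why a leaked table of salted, iterated hashes buys time while a table of unsalted fast hashes does not. The sample password, the iteration count and the record format are assumptions chosen for the demonstration; the 600,000 iterations figure follows the OWASP Password Storage Cheat Sheet's recommendation for PBKDF2-HMAC-SHA256 at the time of writing and should be tuned to your own hardware.

```python
"""Weak versus proper password storage, side by side.

Added example for this article; not code from any of the platforms discussed.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample input: one user's password as received at registration.
SAMPLE_PASSWORD = "correct horse battery staple"

# Illustrative work factor (assumption); OWASP's cheat sheet recommends this
# value for PBKDF2-HMAC-SHA256. Raise it as hardware improves.
PBKDF2_ITERATIONS = 600_000


def store_unsalted_md5(password: str) -> str:
    """The failure mode: a fast, unsalted digest.

    Every user with the same password gets the same digest, so a leaked table
    can be attacked offline with precomputed lookups, and one crack reveals
    every account sharing that password.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_salted_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """The control Valve had in place: per-user random salt plus a slow KDF.

    Returns a self-describing record (assumed format) so the verifier knows
    which parameters were used, which also lets you migrate iteration counts.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted_pbkdf2(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Same password stored twice: identical digests under MD5, distinct
    # records under the salted scheme, yet both records still verify.
    print("md5 #1:", store_unsalted_md5(SAMPLE_PASSWORD))
    print("md5 #2:", store_unsalted_md5(SAMPLE_PASSWORD))
    rec_a = store_salted_pbkdf2(SAMPLE_PASSWORD)
    rec_b = store_salted_pbkdf2(SAMPLE_PASSWORD)
    print("pbkdf2 #1:", rec_a)
    print("pbkdf2 #2:", rec_b)
    print("verify correct:", verify_salted_pbkdf2(SAMPLE_PASSWORD, rec_a))
    print("verify wrong:  ", verify_salted_pbkdf2("hunter2", rec_a))
```

When reviewing a platform's password storage, the two things to look for are exactly what this contrast shows: a unique random salt per record (two users with the same password must produce different records) and a deliberately slow, parameterised function with the parameters stored alongside the digest so they can be raised later. Verification must also use a constant-time comparison.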
Post-breach, Valve introduced Steam Guard — an email-based and later mobile-based two-factor authentication system — establishing MFA as a gaming industry standard. For organisations handling large user bases and stored credentials, our penetration testing verifies password storage security, our PCI DSS assessments evaluate payment data protection, and SOC in a Box monitors for credential theft and account takeover attempts. UK Cyber Defence provides incident response when a platform breach is discovered.
Our <a href="/penetration-testing/web-application">web application testing</a> assesses password storage, payment data protection, and platform security. <a href="/cyber-essentials">Cyber Essentials</a> establishes baseline authentication controls. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for credential theft.