Steam Attack Puts Users at Risk of Spear Phishing

Tuesday, November 15, 2011

Josh Shaul


Steam Database Attack Puts Users At Risk Of Spear Phishing Scams

Last week it was announced that attackers gained access to Steam, an online video gaming platform run by parent company, Valve.

According to the information posted on Steam’s website, the first phase of this massive attack was the insertion of targeted malicious ads or “malvertising” offering to sell cheat codes for online games to users of the Steam forums.

Initially, the company thought that only its forums had been infiltrated, until late last week when it was announced that its database housing personal information of its 35 MILLION customers had also been compromised.

This database housed…

“information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.”

While the company has made a statement saying it doesn’t have evidence of credit card numbers or PII being taken by intruders, they have not made any statement to the contrary (something along the lines of “our database monitoring logs don’t show any unusual access to customer data”).

Couple their vague statement with the typical lax state of database security in today’s corporate world, and it’s a fair bet that there was no security system in place to monitor access to the sensitive customer information stored in Valve’s databases. They may not have any evidence that credit cards or PII were taken because they may not have any evidence of what was taken at all.

The system’s attackers gained access to a treasure trove of sensitive data. This includes names, addresses, purchase history, emails, passwords and credit card numbers. The most obviously sensitive stuff, the passwords and credit card numbers, did have some potentially powerful protections. The passwords were salted and hashed.

A good implementation of salting before hashing can yield very secure results – however weak implementations that used fixed salt are not all that unusual, and those are quite easy to break. The stored credit card numbers were encrypted. It’s likely that these will be difficult to extract although that, too, depends on the method of encryption and whether the attacker was able to gain access to the encryption keys.

Let’s assume that the passwords and credit card numbers both got wrapped up with strong crypto implementations and they are safe and secure. Even without this data, the bad guys still got some really valuable stuff. Email addresses, street addresses and purchase history.

Armed with this customer data obtained from the databases, the attackers can execute a targeted campaign of malvertising and spear phishing against Steam users. Knowing which games each user is playing is a powerful tool in a thief’s hands. It provides the ability to create very tailored phishing emails to users, and significantly ups the chances of users clicking malicious links or falling for the scam offered to them.

This incident illustrates that attackers are focused on the large caches of personal information that can be leveraged for profit. Gaming companies make a prime target with their vast communities of paying and attentive users.

I’m sure many CISOs in the gaming industry feel like they have a bulls eye tattooed on their chest. But this is no social action against the gamers. This is pure hack-for-profit.

Anyone who stores vast quantities of customer data could be the next target. Here are some tips for protecting critical data to avoid scenarios such as this:

Cross-posted from

Possibly Related Articles:
Information Security
Encryption Hash Personally Identifiable Information spear-phishing breach TeamSHATTER Malvertising Steam
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.