Valve’s response to being hacked

… was very, very disappointing. I’m somewhat befuddled by the extremely low key response to the incident.

Visibility

On logging into the steam client this evening, there is no mention of the breach. I’ve seen a few people on the forum disagreeing with my assertion, so I can only assume their announcements strategy is bugged or flawed. I have announcements turned off, but in this case, the announcement should be prominently displayed. Being told you may have had your credit card / password details stolen is not something I ever want to opt-out of.

There is no mention on the steam website.

There is no mention on the steam forums except for a tiny security announcement across the top of each individual forum. It is tucked away out of sight – it’s not splashed across the main index or anything of that ilk. I was asked to change my password when I tried to log in; that is all. No reason was provided as to why I had to do this, either before or after.

Finally, I didn’t receive an email about it. Emails were only sent to those registered on the forums.

Breached

A company’s security is only as strong as its weakest link, and once an attacker is inside a machine, it is hard to say where the attack started and ended, particularly when you take human factors into account. Not to be mean to Gabe, but Gabe’s HL2 fan site forum account was hacked years ago and they found his password was “gaben”. Nobody is perfect, even when they’re taking preventative measures.

Even if the machine is totally isolated from the rest of Valve’s network, all it takes is one sloppy admin to re-use a password elsewhere, and you have major problems.

History tells us that companies often cling to information when something goes wrong, and that what is eventually admitted can be far worse than the initial assessment (whether because information was tightly controlled in the early moments of the investigation, because of ignorance, or both). In a situation like this, I believe that the only safe thing to do is to warn all of your customers about the potential breach so that they can take preventative measures.

Furthermore, as it happens, I do have a forum account, but it was tied to an old email address. Who’s to say that my steam account username & password don’t match my forum username & password? It is a common thing to do (note: I didn’t, but it wasn’t far off as, like most people, I am forgetful and a touch disorganised).

In my opinion, there should be a general email going out to all steam customers via their login emails, plus unavoidable notifications on the steam client, website & forums.

So how did I find out? http://www.rockpapershotgun.com/ was the messenger for me, not Valve itself. Perhaps I am the exception, but I somehow doubt it.