Valve boss Gabe Newell says hackers who broke into Steam last year probably made off with an old backup file containing user names, email addresses and encrypted credit card information.
In November 2011, Steam became the latest victim in a string of attacks against game-related websites, as hackers broke into the system, threw up a bunch of inappropriate links, and then stole off into the night. A week after the fact, Valve revealed that the intrusion was worse than originally thought, as the hackers had also gained access to a Steam database containing user information including "hashed and salted passwords" and encrypted credit card info. On the upside, Newell said at the time that "we do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders," and that it would continue to investigate.
Valve now says that the intruders very likely did get away with credit card data, although at this point it appears that the stolen information is old - hopefully too old to be of any value. "Recently we learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008," Newell said in the latest update on the situation. "This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information. It did not include Steam passwords."
"We do not have any evidence that the encrypted credit card numbers or billing addresses have been compromised," he continued. "However as I said in November it's a good idea to watch your credit card activity and statements. And of course keeping Steam Guard on is a good idea as well."
Valve is continuing its investigation in conjunction with law enforcement authorities.