This is Gabe’s second, and newest statement regarding the attack, sent to us via e-mail, and sent to all Steam users through the Update News feature:
Dear Steam Users and Steam Forum Users,
We continue our investigation of last year’s intrusion with the help of outside security experts. In my last note about this, I described how intruders had accessed our Steam database but we found no evidence that the intruders took information from that database. That is still the case.
Recently we learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008. This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information. It did not include Steam passwords.
We do not have any evidence that the encrypted credit card numbers or billing addresses have been compromised. However as I said in November it’s a good idea to watch your credit card activity and statements. And of course keeping Steam Guard on is a good idea as well.
We are still investigating and working with law enforcement authorities. Some state laws require a more formal notice of this incident so some of you will get that notice, but we wanted to update everyone with this new information now.
Sounds good. Let’s hope the culprits are discovered eventually. Remember, it took over half a year before Axel Gembe (the hacker that broke into Valve’s network in 2003 and made off with a woefully unfinished HL2 and Source’s source code) was arrested in Germany (ironically, it was a seven-hour trial). And even then, he had practically given himself up. So, it could take a while before we find out who was behind this thing.
Still, I’m really, really happy with the way Valve is handling this. Unlike other companies that have suffered attacks of this kind, they know exactly what’s at risk and what isn’t, and they’re keeping us posted regarding everything they find. For now, it seems like all is well in Steamland.