A letter from Valve boss Gabe Newell has revealed that an investigation into the "intrusion" that "defaced" the Steam forums on Sunday, November 6, was worse than the company originally believed.
"We learned that intruders obtained access to a Steam database in addition to the forums," Newell wrote. "This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked."
Newell states that Valve does not have any evidence that credit cards have misused at this time; however, he recommends that users "watch [their] credit card activity and statements closely."
"While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well," he added.
A touch of promising news came from the letter, however, as Newell stated that they company does not know of any compromised Steam accounts. "We are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn't be a bad idea to change that as well, especially if it is the same as your Steam forum account password," he recommended, before adding, "I am truly sorry this happened, and I apologize for the inconvenience."
Newell says Valve will re-open the Steam forums as soon as they can. The note to users can be found on the front page of the Steam forum page.