Hacker News
Steam loses user database (icrontic.com)
386 points by taylorbuley on Nov 10, 2011 | 170 comments



I admire the absolute hell out of Valve and have for a long time. Gabe Newell is, for my money, the biggest mensch in tech. Let's take a moment and look at how this was handled:

The message communicates exactly what happened in clear terms that don't try to cover anyone's ass. They explain which data was compromised and the potential implications. No double-talk. This could be an email you got from a friend or colleague.

The message conveys Valve's hope that the credit cards are secure but makes clear that users should be nonetheless vigilant about watching for suspicious activity. Just in case.

The message is signed by the head honcho of the company. Not some communications or PR weasel. It's in your inbox, not on some obscure blog.

Finally, it closes with:

"I am truly sorry this happened, and I apologize for the inconvenience."

Accepting responsibility, acknowledging that it's a fuckup, and showing some empathy for the fact that this completely sucks for their customers.

Sony, Adobe and their ilk could learn a lot from this company.


You are absolutely right, and I really appreciate this from Valve. There is only one thing that would have made it better: even more info. He says passwords were "hashed and salted." This could be anything from the naïve MD5(pass+salt) to the more secure bcrypt or PBKDF2. Now, I have every reason to believe that Valve is smart enough to not use methods like the first, but information is always welcome in a scenario like this. There should be no reason to hide your cryptography method provided that it is secure.

> Sony, Adobe and their ilk could learn a lot from this company.

And unfortunately they won’t listen…


> There should be no reason to hide your cryptography method provided that it is secure.

I'm totally with you, and I suspect we may see a more technical explanation of the event in the coming days.

That said, this is a tough situation for Valve. They have many sorts of users, many of whom have no idea what MD5 hashing is or why it would be awful to use. You're already delivering bad news, so it may be wise not to make nontechnical users feel further discomfort at confronting terminology they don't understand.

In this, I feel like Valve has banked enough credibility for me to trust for the moment that they can evaluate their security and say "Oh, fuck, this will be cracked and it's only a matter of time," and then communicate that in clear terms in their message.


"hashed and salted" would already overwhelm those people's knowledge. I don't see any good reason why they should not tell their algorithm.


If they use a weak "hashing and salting" scheme they are more likely to get a mob with pitchforks at their gates than if they are left in the dark hoping it's bcrypt with 200 stretches.


The "Use bcrypt" rant comes up on HN a lot, but I've actually never seen a website that uses bcrypt or PBKDF2 in the real world. Hell, I rarely encounter developers or admins who even know what it is. I doubt it was more than md5+salt, but maybe.

Edit: I should clarify - there certainly are examples of bcrypt being used, and I know there are tools available. But pick several random websites that have forums or user accounts and the number actually using it will be very small. That has been my experience once exposed to the code/infrastructure anyway.


PBKDF2 will be in Django 1.4:

https://code.djangoproject.com/ticket/15367

Edit: Let me also add... this is for auth/password hashing, not data encryption. To any people reading this: if you don't understand the difference, and you are responsible for writing web applications, then please read up on it.

The data that Valve was storing (CC info) needs to be encrypted and I'm assuming that data then needs to be unencryptable. They have to store the key because they have to be able to recover the plain text. With password hashing, you will never need to be able to recover the password.


Also, if you're using Django, consider Playdoh:

https://github.com/mozilla/playdoh

It's what we use at Mozilla as the basis for most of our Django-based stuff, and gets you bcrypt password hashing -- even on older Django releases -- for free, along with some other niceties that probably need to find their way upstream soon :)


Very interesting stuff - thanks!


I can't speak for many, but at least reddit (https://github.com/reddit/reddit/commit/a311805c8598232b14a4...), and Hipmunk do


Happened a bit too late for reddit, though :p


Any modern Rails app is very likely using bcrypt to store password hashes. It's baked into most of the popular auth frameworks.


It's actually now baked into rails itself. You can declare

    has_secure_password
in the model and you're away.


Why would you have to declare it?


Because it adds a few attributes (like 'password') and methods (like 'authenticate') to your model, and you might not really want such things on every one of your models.

Clarification: has_secure_password does NOT mean you choose between secure or non-secure password, it just means "I want a password on this model, and better make it secure guys!"


We see bcrypt and/or PBKDF2 regularly.


Counterexample: I've recently been playing with http://brubeck.io/ and it uses bcrypt as the default: https://github.com/j2labs/brubeck/blob/master/brubeck/auth.p...


Wow, that's probably the first web framework I've seen that is more polished than the server it runs on top of; my experience with mongrel2 is that it's still a bit rough around the edges.


I administer a community news and public affairs site. Early this year, after reading about bcrypt on hacker news, I switched the site authentication to bcrypt from salted md4 hash. http://raisethehammer.org/blog/2084


The statement "I've actually never seen a website that uses bcrypt or PBKDF2 in the real world" doesn't discredit the "Use bcrypt[/PBKDF2]" argument, though.


I think you'll probably find a whole lot of examples if you use a dataset of websites, webapps, and desktop/server apps made in the last decade. I work in business and enterprise application development, from simple webapps to complex systems on massive servers and I've been using and evangelizing bcrypt use around my circle for quite some time. At this point, most of the people I've encountered that are in charge of systems needing some type of encryption for their user data use bcrypt. I think most of the decent developers around the world already know of the perils of using weak encryption algorithms.


It is extremely easy to use bcrypt. http://www.openwall.com/phpass/


In a lame web service / trivia game I created for a distributed systems graduate class I used bcrypt. https://github.com/bgianfo/distributed-systems


The company I am with just moved from plaintext in-database password storage to using bcrypt with their latest product release, FWIW. It was either that or I left, heh.


Since it was just as easy as any other way I used bcrypt for my site. Seems common as of a year ago.


My curiosity side agrees with you, but my practical side does not.

> He says passwords were "hashed and salted." This could be anything from the naïve MD5(pass+salt) to the more secure bcrypt or PBKDF2. Now, I have every reason to believe that Valve is smart enough to not use methods like the first, but information is always welcome in a scenario like this.

Do these details actually matter to you, a technically savvy user? If they told you they used bcrypt or PBKDF2 for their hashed and salted passwords, would you think to yourself: "oh well, in that case I don't need to change my password" or are you going to take the few moments and change your password anyway? I'd probably just change my password.

For even less savvy users, they're getting technical details that they don't really care about now. Depending on where those details are in the message they might miss important bits of useful information.

I suppose if they said it was MD5(salt:pass) and you used the same password for steam and something else you might have reason to be concerned, but probably not unless they are targeting you specifically.

That said, I think any company should provide a link to a blog that does dig into the important technical details for people that want to know. And keep updating it as new information is found.


Personally, I don't think I'm going to bother to change my password since it's a 64-character or so generated one for their site only and they don't have my credit card info. But I can see some reasons why I would care about the details of their encryption method. If it's MD5(pass+salt) then most people probably need to go change it, along with any other sites they're using that password at, and possibly mess up their evening a bit. If it's something silly but better like sha512(sha512(...(pass)...)) enough times such that it takes a good chunk of time for any password, or even better bcrypt, then most users can relax and change it when they can get around to it.


> Now, I have every reason to believe that Valve is smart enough to not use methods like the first

You'd be surprised.

The Steam Community is (or was when I checked, about a month ago) vulnerable to CSRF everywhere. Valve might hold their own when it comes to games, but I'm not too confident when it comes to the web development side of things.


The issue may be more complex. Steam has been around for a while now -- there may be an Amazon.com like issue where new passwords are secure, but older passwords are using crypt or something!


It's easy to re-crypt the password when you log in.


But how many accounts haven't had a login for a while?


Could the revelation of the encryption used give the attackers the hint they need to break it open?


I'd say it's possible, but unlikely; and you'd hope it's not a major factor in practice.

When you assume that the attackers would have, or could get, at least one account which they know the password for, then if the hashing scheme is something they'll be able to crack en masse, then they are probably going to be able to figure out what the hashing scheme is, from their known plaintext.


In general, if you are depending on a secret cryptographic algorithm, then you are doing something wrong. Cryptographic algorithms are horribly complicated, with many attack vectors you need to know, and prevent. Chances are, someone writing their own code isn't going to make a secure system. By using a known, secure system, it doesn't actually matter if people know what it is. A known system has been tested, and deemed to be 'secure'. If knowing the name did mean they could exploit it, then it probably isn't a good system to be using in the first place.

As an example, here is an attack you may not have considered. If you wanted to make an authentication system, you would want to compare a password with a stored password (or hash). Most people would do a byte by byte comparison of the passwords (or hashes). The problem is, a byte by byte comparison takes longer for a correct password (even if you use hashes), as the incorrect answer exits on the first compare failure. This is called a timing attack, and is an example of a side channel. Most people wouldn't even know that such an attack existed. This is why you want to use a known algorithm, because the people who wrote them know these kinds of attacks. So if people know your secure algorithm, they shouldn't be able to exploit that knowledge.

Here are two links posted here recently, which show these concepts very well. The third is an hour talk about cryptography in general, and I highly recommend it.

http://carlos.bueno.org/2011/10/timing.html

http://syhw.posterous.com/two-amusing-side-channel-attacks

http://fosslc.org/drupal/content/everything-you-need-know-ab...


No.


It's vBulletin 3.8.x

The passwords are hashed and salted using this:

    md5(md5(password + user_salt))


Running a hash function directly on a hash makes little sense. You probably meant:

    md5(md5(password) + user_salt)


[edit]I'm wrong, you're right[/edit]

Just re-checked... the line is this:

    md5(md5($vbulletin->GPC['password']) . $vbulletin->userinfo['salt']))
I got confused by the last bracket closing an outer conditional.
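As an added example (not vBulletin's or Valve's code), here is how records in the md5(md5(password) . salt) form quoted above can be verified with a constant-time comparison, as the timing-attack comment earlier recommends, and transparently rewritten to PBKDF2 the next time the user logs in, which is the "easy to re-crypt on login" point made above. The scheme labels, iteration count and sample users are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed record store: username -> record dict.  The scheme names and
# field layout are assumptions for this example.
#
# Legacy records follow the vBulletin 3.8 formula quoted in the thread:
#   md5(md5(password) . salt)        (salt is a short printable string)
# Upgraded records use PBKDF2-HMAC-SHA256 with a random 16-byte salt.

PBKDF2_ITERATIONS = 100_000  # work factor; tune so one check costs ~100 ms


def legacy_vbulletin_hash(password: str, salt: str) -> str:
    """vBulletin 3.8 style: md5(md5(password) . salt), hex encoded."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_pbkdf2_record(password: str) -> dict:
    salt = os.urandom(16)
    return {
        "scheme": "pbkdf2-sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt,
        "hash": pbkdf2_hash(password, salt),
    }


def verify_and_upgrade(store: dict, username: str, password: str) -> bool:
    """Check a login; on success, rewrite a legacy md5 record as PBKDF2.

    Comparisons go through hmac.compare_digest so the time taken does not
    depend on how many leading bytes match (the side channel a plain
    byte-by-byte == comparison leaks).
    """
    record = store.get(username)
    if record is None:
        # Burn the same work as a real check so a missing account is not
        # distinguishable by response time.
        pbkdf2_hash(password, b"\x00" * 16)
        return False

    if record["scheme"] == "vbulletin-md5":
        candidate = legacy_vbulletin_hash(password, record["salt"])
        ok = hmac.compare_digest(candidate, record["hash"])
        if ok:
            # The plaintext is only available at login time, so this is the
            # one moment a dormant md5 record can be migrated.
            store[username] = make_pbkdf2_record(password)
        return ok

    if record["scheme"] == "pbkdf2-sha256":
        candidate = pbkdf2_hash(password, record["salt"], record["iterations"])
        return hmac.compare_digest(candidate, record["hash"])

    raise ValueError(f"unknown scheme {record['scheme']!r}")


def count_legacy(store: dict) -> int:
    """Accounts still on the old scheme: the 'no login for a while' problem."""
    return sum(1 for r in store.values() if r["scheme"] == "vbulletin-md5")


def demo() -> dict:
    # Constructed sample data: two legacy users, one of whom never logs in again.
    store = {
        "alice": {"scheme": "vbulletin-md5", "salt": "Kq1",
                  "hash": legacy_vbulletin_hash("correct horse", "Kq1")},
        "bob": {"scheme": "vbulletin-md5", "salt": "zZ9",
                "hash": legacy_vbulletin_hash("hunter2", "zZ9")},
    }
    return {
        "wrong_password": verify_and_upgrade(store, "alice", "wrong"),
        "alice_login": verify_and_upgrade(store, "alice", "correct horse"),
        "alice_scheme_after": store["alice"]["scheme"],
        "alice_login_again": verify_and_upgrade(store, "alice", "correct horse"),
        "unknown_user": verify_and_upgrade(store, "nobody", "x"),
        "still_legacy": count_legacy(store),
    }


if __name__ == "__main__":
    print(demo())
```

Accounts that never log in again stay on the legacy scheme, which is what count_legacy() reports; those have to be expired or pushed through a password reset rather than waiting for a login that may never come.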


Most likely they have another authentication backend.


Not for Steam forums they don't, they're using vBulletin and it doesn't appear to be modified beyond the theme.

That Steam forums requires a separate registration shows that there is unlikely to be any integration between Steam and the forum software.

However their point is that if you used the same username and password on both the Steam forums and Steam itself (with likely the same username) then by virtue of Steam forums being compromised, your main account should be considered compromised.


Double MD5‼ To be extra secure‼


No offense to your Valve worship fest, but when can I start beating on them for not having notified me at my registered e-mail address? How many days before I can expect that?

Because while some people have apparently received an e-mail they certainly are not contacting all their customers.


Were you registered on their forums? Or are you just a steam user? (The steam database has not been compromised as far as they are aware)


I'm on both and haven't had an e-mail - perhaps an overzealous spam filter, somewhere?


I think they only show it inside the Steam client. I didn't receive any email either but it did show up in the client as a normal notification.


Legally speaking, wouldn't Valve become liable due to a public apology that allows people to say it's Valve's fault when 'bad stuff' happens?

Even though Sony didn't quite apologise, they tried to squash legal action through contract changes(?) and offering a free game download(?) as a form of settlement.


I would say your customers can sue you regardless of what you say in an email or blog post. Using lawyers to hide from your customers seems less than optimal.


I've seen that worry expressed several times, but have never heard about a case where it actually made a difference. Does anyone have a cite? It sounds like FUD spread by a lawyer to drum up more work.


I absolutely agree. I would rather be told the bad news with all the facts than a sugar-coated "oh-we-were-hacked-but-its-not-our-fault-and-you-customers-are-screwed" response.


Valve handled it well but something like this shouldn't even happen in the first place. Valve saw what happened to PSN so Valve should have improved its security after such an incident. Since Valve holds people's CC numbers and passwords, they should have put in a lot more care to something so fundamental like security. Customer shouldn't have to check their bank statements at all.

Sorry but real mensch in tech never has its database compromised.


> Sorry but real mensch in tech never has its database compromised.

It's nice to imagine but that's not really how the world works. Perfection is impossible after any system reaches a certain level of complexity. The technical security implementation might have been airtight, but then a human factor compromised things in the end. Tough to say. Nonetheless, "be perfect" is not a reasonable strategy – or expectation.

> Valve should have improved its security after such an incident.

You've typed words here without really saying anything. Improved it how? Who's to say they didn't? Until and unless Valve gives us a post-mortem, we'll have no idea what the cause of the breach is. Nonetheless, it may include factors they never thought to consider.


I highly doubt Valve's database is more complex than Apple's or Amazon's database. You never hear about theirs being compromised to the same extent as Valve's.


Given Apple's propensity to stomp on any negative publicity, they could have had a dozen similar issues and never disclosed them. Hardly a fair comparison.


But I imagine if Apple's or Amazon's databases were compromised, it would quite likely be to a similar extent.

Once you can perform a select statement, extracting data becomes pretty easy.


That's one thing I'm slightly confused about. I always untick the 'store my credit card details to make future purchases easier' box - so were my card details in their database, or not?


It's a proper way content-wise but why didn't I get this announcement in my email? Was this sent within a Steam system? If so, it's not enough. I use only Steam now and then.


Good ol' American values


"I am truly sorry this happened, and I apologize for the inconvenience."

Sorry, but this is more than an inconvenience. It's a violation of user privacy that Valve didn't prevent.

I thought that the response from Newell was right on until that point. Left me with a bad taste in my mouth.


The title seems to be very misleading. There is a big difference between losing a user database (all user info gone, no backups, can't log in, etc) and database information being compromised (information leaked, fraudulent activity, etc).


Agreed. Assumed this was going to be a story of data loss, and how they have good backups and managed to restore with no problems. This is unfortunately much graver.


I'm a Steam user, Steam forums user, and Valve customer and have received no email or notification. This story may not be as all-encompassing as it appears.


Fortunately, I have my account registered with a spamtrap email address, a username/password that I have never used elsewhere, and a very low limit credit card. Yeah, I'm glad I know better than to use a debit card.

I'll be watching to see if anyone starts spamming me, because that spamtrap email is unique to my Steam account and has not been published elsewhere.

Guess it pays to be paranoid.


> Fortunately, I have my account registered with a spamtrap email address, a username/password that I have never used elsewhere, and a very low limit credit card.

Same here. But I am a bit sad that my paranoia has been confirmed yet again.


Doesn't it stop being paranoia if you are correct?


It's a matter of perspective. To most others, this still appears as paranoia. But I wouldn't be doing it if my experience didn't say that such problems occur far too often.


FTA: "Today a message will be going out to all Steam users."

I assume "will" means that it hasn't been sent, yet, but it will be at some point in the future. I haven't gotten one either, FWIW.


I haven't gotten the email either, but if the user database, including your email address and personal information, has been stolen I would be _highly_ suspicious of any email I receive from Steam.


Another "me too" to the haven't received notice of this yet, however a link over at r/gaming on Reddit points to this screenshot of the standard Steam Update News splash that pops up every time you login to the Steam Client.

http://i.imgur.com/EcEUJ.png


NB: This email is in the works, it didn't mean it was already sent out. The audience reading this is full of Steam users, so part of the point of the article is forewarning before that email is sent out. But yes, the message is displayed on the front page of Steam as well.


I just opened up the Steam app and it displayed that message from Gabe.


Same here, I haven't gotten any email from Steam.

Luckily I also don't have my CC number on my account since I use PayPal. I also enabled authentication via email a while ago so it sends me a code to log in.

I guess it's a good idea to change your password and check CC statements either way.


Paypal here too. For situations like these I've opted to use paypal on steam and psn cards on psn. Now I'm glad I did, because both were compromised.


Steam forums have that same message on their front page.


I haven't gotten an email but the pop up with new offers from steam displayed it a few minutes ago for me.


It's been confirmed on Steam forums. The letter said the messages will go out via Steam IM.


They have a lot of users to email, maybe it's coming? I still haven't gotten anything either.


Same here - no email received (and checking with co-workers, neither have they)


I haven't received an email either.


For the last 7 years or so of making payments online I've had an iron clad rule which I have yet to break: only use one time credit card numbers with a low spending limit which are provided on demand by my bank. It's a service tailored specifically for working around the problem of having your CC details stored indefinitely on poorly secured databases of every two-bit company out there.

And with each major (and minor) data breach I'm more happy I use it.


It is too bad that more and more banks and credit card companies are removing the ability to create one time credit card numbers because users are not using it. The only one of my credit cards that I have that allows it is my Bank of America Visa card.


I didn't know I could use this until I read this thread.


Discover lets you (last time I used it was a few months ago).


Have you ever investigated in depth how much security one-time credit card numbers give you? I ask because my Paypal account was compromised last month. I cancelled my credit card, but Paypal was still able to refund money to my card even though the number was no longer valid. Also, I had pre-ordered but not paid for an iPod touch. When the touch shipped, my credit card was billed even though the old number had been cancelled, and the new one had not been activated yet.


I have used the one time numbers that my Bank of America card creates and have had to retire a few due to breaches and after they were retired I got a call asking me if I had authorised another charge to that now defunct account number, and I said no, so they didn't let the charge through.

I know for example that credit cards with expiration dates can still be charged for a couple of months after the expiration so that users who have not had the chance to update recurring services have more time to do so. Also, it is entirely possible that Apple had placed a hold on your account for the money and when it finally shipped it went from a hold to actual transaction and that is why it was still allowed through.


I had an amex that was compromised, cancelled, and beyond its original expiration date, and AMEX continued to charge Netflix charges to the old expired cancelled/compromised number ... flowing the charges through to my new account number. To their credit, they removed all of the charges once I caught it, but just helps to know that a cancelled number isn't always a cancelled number even when you've already reported the number compromised.


It's a cancelled number, but what happens (this happened to me on xbox live) is that they continue to charge it because they've got an active pre-authorisation. So when they're charging you, they're actually charging that pre-authorisation. If a different merchant were to try the card, it would fail.

Microsoft charged me for two years after the card's expiration date until I noticed.


What kind of one-time credit card number was that? Are you sure you are even talking about a one-time number? "old number had been cancelled, and the new one had not been activated"? With one time numbers there is no such concept of old and new numbers.

You create a number, you set a dollar limit and expiration date. If you close it no one can bill it. It's called a http://en.wikipedia.org/wiki/Controlled_payment_number


One-time account numbers and cancelled/changed account numbers protect you from money going out, not money coming in. You can always get refunds.


I assume one-time credit card numbers are only valid for one purchase.


No, not one purchase. But yes one merchant. So even if the number is lost and the dollar limit still allows transactions a 3rd party can not charge it.


The details of a temporary CC number vary a lot by the issuing bank. Some services offer numbers that are truly single use for a single transaction. Some are time limited to 30 days or some such. Some are limited to one merchant (my Discover does this.) Some have a dollar limit. There's also combinations of the above.

I gather that issuing banks are converging on limiting to one merchant and are phasing out other options for that. Remember that the banks are acting in their interest, not the consumers'. A merchant lock keeps you safe from a stolen number, and avoids most fraud scenarios; the banks do care about that since they're legally liable (in US law) for fraudulent charges. But this approach allows the single merchant to make recurring charges (which some customers want protection from); the banks of course have a vested interest in keeping a stream of transactions coming.


Why? You have zero liability for fraud -- it's your bank's problem. Just don't use a debit card.


Seems like a lot of effort. I don't really care if my CC details appear in some IRC channel on EFNet, as I'm not liable for fraudulent use... a simple phone call to my card provider and they'll issue a chargeback...


Am I the only one who thinks that "Steam loses user database" isn't quite the same as "Steam database of salted data compromised"?

For a moment there I thought all my Steam purchases were, you know, lost.


> "While there is no evidence that passwords and credit card information have been compromised, with the state of encryption cracking, it should only be a matter of time (and horsepower)."

Um. What? Assuming that a PCI-compliant level of encryption was used, "matter of time" is "heat death of the universe" if you don't have the encryption keys.


PCI-compliance really isn't a standard anyone should be shooting for. Use good security measures, not compliant ones. PCI is for enterprise and government agencies who keep wondering why they get compromised by 14 year-olds running metasploit. Yes, you have to be compliant. No, you should not think 'compliant' is in any way synonymous with 'secure'.


Exactly. When we last went through our PCI compliance rigamarole, they told us if anyone ever told us their CC number over the phone we were to open a text editor on our machines, type it without saving and then close it without saving when done. Apparently our writing on a physical notepad and destroying the piece of paper when done with it was not secure enough, so we had to introduce the possibility of keyloggers to our process.


Don't you have to type in the number anyway? It sounds like a keylogger would just get it a little later if you wrote it down on paper first.

One potential reason it's preferable to use an innocuous, generic text editor is the potential supposition by an attacker that they only need to infect and/or monitor the card processing application. If someone spreads a malicious update that has a built-in keylogger only for that application, for instance, copy+paste from the non-infected program would stop it from recording the data.

Though I think that's stretching it a bit. Maybe your auditors encountered something similar previously?


We had a front desk that would take calls and pass info along to the appropriate staff (on a different, largely segregated network). We don't want people emailing CC numbers or any customer data, really, internally, so it would be passed along via a note. But these cases rarely ever came up. We work with transaction numbers and 99% of staff has zero reason to know any credit card information.

It was something the auditors just brought up on their own, so yeah, I'm assuming they'd run into it before.


The no paper rule isn't protecting against outside hackers, but from your own employees. Many call centers now have a strict no paper/no cellphones policy because the employees liked stealing CC numbers.


Or more precisely, to protect credit card companies by setting a minimum standard for merchants that protect against basic attacks.


I'm assuming they refer to somebody breaking the encryption algorithm, not brute-forcing their way through them.


You don't just "break the encryption algorithm". If the people holding the database can get through AES-256 or 128-bit triple DES, the internet as a whole has far bigger problems than Steam's database being compromised.

This isn't CSI. You don't just throw encrypted text at an implausibly attractive IT guy and wait for him to furrow his brow, declare that it's military-grade encryption that will take him a little while, and then have him decrypt it by the end of the next commercial break. PCI-compliant encryption is the sort of thing that, barring incredible leaps in technology or the discovery of a significant algorithmic weakness, will never be crackable in our lifetime.


>will never be crackable in our lifetime.

You might want to rethink this. "Will probably not be crackable in the next twenty years" is more realistic.


Keep in mind he was referring to credit card information, not the credit card number. He mentions this here: "We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked." By credit card information, he's referring to address and name, for example, which, at last check (earlier this year) didn't necessarily require encryption.

That the information had encryption is a good sign.


How could they get to the [salted|hashed|whatever] payment data from hacking the forum? Why is the payment data even remotely linked to the forum software?

Ok, the forum may need data from the account for validation, display name or else. You can still implement it securely. This is a big human oversight over what seems to be an insecure implementation. I just can't believe this.

I would have guessed they learned the lesson from when Gabe was hacked through an Outlook vulnerability (with the HL2 code leak afterwards). It should have made a paranoid out of him.

I think having chosen Paypal as a payment method was perhaps helpful for me.

PS: I do own a lot of games and I very much like the platform. I definitely don't have anything against them. They presented a good notice, their high level of responsibility over this incident is irrefutable. Also, props for them for having an encryption for their preloaded games that wasn't broken so far.

edit: formatting


Forum accounts are not linked to Steam accounts at all. The fact that the first sign of the intrusion was in the forum software doesn't necessarily mean it originated there. It's certainly possible that their entry point was the forum software, but simply compromising a forum account wouldn't be enough to compromise a Steam account.


This seems to be the first fair response. Sure, they handled it quite well, the letter is well written, but they still seem to have handled the data very poorly. Just because one is a huge fan of the brilliant service (which I certainly am), doesn't mean their poor security should be overlooked. Given the huge problem Sony has had recently, I would have thought other games companies would have been re-evaluating their data's security.


I don't think they are related. To me, it sounds like Steam was hacked on a number of vectors by people going after it specifically, the same way Sony was gone after.


Confirmed by Gabe here: http://au.pc.ign.com/articles/121/1212201p1.html

All passwords are salted and hashed (hope they are using bcrypt), and all CC's are encrypted.

EDIT: updated comment to clarify what I meant with the bcrypt


Whatever encryption for CCs, I think it's going to have to be reversible or there won't be any point of storing them.


One technique is to store another string (a pepper) outside of the database (assuming the salt is stored with the records) which is used along with the salt to encrypt each password. This way, if only the database is compromised, and not the config file or env variable holding the pepper you're in better shape.
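The pepper scheme described in this comment, as an added example that is not the commenter's or Valve's code: the database row holds only the per-user salt and a tag, while the pepper is read from outside the database, so a dump of the table alone cannot be used to test password guesses. The environment variable name, iteration count and sample password are assumptions.

```python
import hashlib
import hmac
import os

# Constructed example.  The pepper lives outside the database, here in an
# environment variable (the fallback value is a constructed placeholder so the
# demo runs offline); the database row holds only salt and tag.
PEPPER = os.environ.get("PASSWORD_PEPPER", "constructed-demo-pepper").encode()
ITERATIONS = 100_000


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation: the part anyone holding the DB dump can redo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def tag(derived: bytes, pepper: bytes) -> bytes:
    """Keyed step: without the pepper the stored tag cannot be recomputed."""
    return hmac.new(pepper, derived, hashlib.sha256).digest()


def create_row(password: str, pepper: bytes = PEPPER) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "tag": tag(derive(password, salt), pepper)}


def verify(row: dict, password: str, pepper: bytes = PEPPER) -> bool:
    # Constant-time comparison of the recomputed tag against the stored one.
    return hmac.compare_digest(tag(derive(password, row["salt"]), pepper), row["tag"])


def offline_guess_without_pepper(row: dict, guess: str) -> bool:
    """Model someone holding only the table (salt + tag), not the config.

    The best they can do is derive() and compare against the tag directly;
    with the keyed step in between, even the right guess does not match.
    """
    return hmac.compare_digest(derive(guess, row["salt"]), row["tag"])


def demo() -> dict:
    row = create_row("correct horse")
    return {
        "right_pw_with_pepper": verify(row, "correct horse"),
        "wrong_pw_with_pepper": verify(row, "hunter2"),
        "right_pw_wrong_pepper": verify(row, "correct horse", b"another-pepper"),
        "right_pw_db_only": offline_guess_without_pepper(row, "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The trade-off: because the tag is an HMAC over the derived value, changing the pepper invalidates every row, so a pepper rotation has to be done at login time when the plaintext is available, just like a hash-scheme migration.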


If they got to the database, what makes you think they didn't get to the app server?


Although they theoretically could have, a lot of these hacks are done via SQL Injection, which is a step below having direct access to the machines. You can often leverage SQL injection further to do just that, but it takes more work/luck/skill than just dumping the DB. So it's not a given that they got filesystem access, but we shouldn't assume that they didn't either.


This could be the result of sql injection or some other application-level attack.


Or possibly just a lost backup tape.


If some backup tapes might go out of the building, they'd better be encrypted...


I certainly DO hope that some backup tapes go out of the building. Offsite backups are a good thing.


The fact that one of the points of having a three-tiered architecture is improved security?


Unless they keep the keys somewhere unrelated?


The keys generally aren't kept anywhere. In fact, the encryption keys for a company Valve's size should be split among multiple key company officials. The idea being, you should be able to steal the box that contains the credit card data and/or the machine that does the actual encryption and not have access to the keys (which, technically, aren't stored anywhere).


I could be missing something obvious here, but bcrypt, although mentioning the word "crypt" and using cryptography, is only a hashing algorithm. [1]

I believe the point of storing CC data would be to retrieve it (impossible, typically, by the nature of hashing) to enable the user to purchase goods using this information stored without having to fetch their CC details.

1. http://en.wikipedia.org/wiki/Bcrypt

Edit: Ah. I seem to have correlated your note with the latter part of your sentence.


Hashing algorithms don't necessarily need to be irreversible.

A cryptographic hash attempts to be as hard to reverse as possible (amongst other things).

So bcrypt has to do with cryptography, a bit.


I get the impression that credit card information is stored in the same database as login information etc.

Why?

My first thought is that it should be stored on, and never leave, a completely separate system where you have a very limited number of interactions available (reducing the attack vector and making it much easier to spot suspicious activity).

I.e. Charge customer x with y for game z. Refund customer for purchase i (only valid within the refund-period). Add(overwrite)/delete customer data. Where all interactions must be signed.

And nothing more.

Anything less than that and I'm skeptical as to whether you could be considered careful with your customers' data. Storing credit card information in the same database as all other user data for a service like Steam should be a crime, and if it's closely coupled with the forum it's even worse (not that I know if that's the case).

Disclaimer: I don't know any details about this incident more than that Valve seems to be open about it taking place (great!).
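The separate billing system sketched above, as an added Python example that is not from the thread: a card store that exposes only the four named operations, requires an HMAC signature over every request, never returns card data, and enforces the refund window. The signing key, the 14-day refund period and the message format are assumptions.

```python
import hashlib
import hmac
import json

REFUND_WINDOW = 14 * 24 * 3600  # assumed 14-day refund period, in seconds


def sign(key: bytes, msg: dict) -> str:
    """Caller side: HMAC over a canonical JSON encoding of the request."""
    body = json.dumps(msg, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class BillingService:
    """Constructed sketch of an isolated card store with a closed set of signed operations."""

    def __init__(self, key: bytes):
        self._key = key
        self._cards = {}       # customer -> card data; never returned by any operation
        self._purchases = {}   # purchase id -> (customer, amount, time charged)
        self._next_id = 1

    def handle(self, msg: dict, sig: str, now: int) -> dict:
        if not hmac.compare_digest(sign(self._key, msg), sig):
            return {"ok": False, "error": "bad signature"}
        op, customer = msg.get("op"), msg.get("customer")
        if op == "set_card":                        # add / overwrite customer data
            self._cards[customer] = msg["card"]
            return {"ok": True}
        if op == "delete_card":
            self._cards.pop(customer, None)
            return {"ok": True}
        if op == "charge":                          # charge customer x with y for game z
            if customer not in self._cards:
                return {"ok": False, "error": "no card on file"}
            pid, self._next_id = self._next_id, self._next_id + 1
            self._purchases[pid] = (customer, msg["amount"], now)
            return {"ok": True, "purchase": pid}
        if op == "refund":                          # only valid within the refund period
            pid = msg.get("purchase")
            rec = self._purchases.get(pid)
            if rec is None or rec[0] != customer:
                return {"ok": False, "error": "unknown purchase"}
            if now - rec[2] > REFUND_WINDOW:
                return {"ok": False, "error": "refund period expired"}
            del self._purchases[pid]
            return {"ok": True}
        return {"ok": False, "error": "unsupported operation"}   # and nothing more
```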


Our architecture has a front-end database and a billing database. The credit card number is stored in the billing database, and the details such as the billing address, expiration, etc are stored in the front-end database, since they need to be readable/updatable by the website. I imagine they're similar.


Just yesterday I received a notification from Facebook that my account had been accessed from a suspicious location and was locked as a security precaution. I had no idea how this could have happened, but I did have the same email address + password for Steam and Facebook. Hardly proof, but certainly a plausible theory.


http://keepass.info/ - It is easy to have unique, complex passwords for each and every service. And with Dropbox (or kin) you can sync to iPhone, Android, Mac, Linux or Windows. Plus plugins for browsers to make it easier.


Thanks for the link to an open source app. I find it hard to believe people would trust proprietary apps to store their passwords.


Is there a Mac equivalent?


1Password, which also is a Windows and Android equivalent:

https://agilebits.com/onepassword


KeePassX works on OSX. https://www.keepassx.org/downloads

There's also others like 1Password that are popular on OSX.


I use 1Password in conjunction with Dropbox to keep my passwords secure and synced between OS X, Windows (XP and 7) and iOS. It's a fantastic product.


Lastpass stores your passwords centrally, and makes them available to any browser you use via a plugin/extension.


I use splashid. Not free but it works and they have an iPhone version. I also believe an older version of keepass was ported to Mac with the name KeePassX.

Edit: typo


Well, since Steam only stores the salted PW hashes, it doesn't seem like that would allow them to compromise your facebook account.


Salting a password doesn't make it uncrackable, it just makes it impervious to rainbow tables and other parallel attacks because it forces the attacker to recalculate the hash for every guess for every user account. You can certainly still run a mangled dictionary attack on a salted database, it will just take a lot longer.


It was hardly an uncrackable password :)

I hadn't really used either account in years, so I never got around to enhancing my passwords.


I've spent the last half hour trying to find my billing information on the Steam site. I just can't find it.

It's great that Steam is letting me know that their database has been hacked. It's not so great when I can't even see the billing information or credit card number (I obviously only want the last four digits) that Steam currently has on file for me. If I knew which credit card I had used with Steam, I could probably watch out for fraudulent charges. As it stands, there is no way for me to figure out what information I've given to Steam in the past.

Arg.


Go to steampowered.com and log in. Click the drop-down (Usernames' account) in the upper right corner and then Account details. The last four digits of your CC should be listed under "Your Steam Account" on the right.


If it bothers you too much you can always buy a super cheap $1 game and see which card the charge hits. The pending charge should hit within a day and you don't need to worry too much after that.


At least they're honest about it, compare this to the PS3 compromise.


You are loosely using the term lose. I lose things when I can no longer find them.


It's worth noting that as far as I know Steam Guard is active for any user who didn't disable it. Meaning, if someone tries to log in to your Steam account on a device that isn't yours (both via the client and on the website) he'll get a prompt to enter a 4 char long code which is sent to your authorized email address.

So your Steam account is safe. Your email address probably isn't a secret anyway. The password is changed in a second.

Which leaves your payment (encrypted) and billing info. Personally I use Click&Buy which requires a separate authorization from me and I'm actually not sure if I have any billing address associated with Steam. So for me this whole thing is just a minor annoyance in changing my password.

Obviously I might treat the obtained user data differently from other people.


I am a Steam user, I did not receive an email.

If you are a Steam user I would recommend using the two-step verification process they have. It uses a password sent to your email to verify you when logging in using a new computer. Hopefully your Steam and associated email passwords are not the same.

This is, of course, no replacement for changing your password - you should definitely do that - but it allows us to relax a bit in case something similar happens again.


I'd find it reassuring in times like this if companies could post details of how securely they hash and salt user passwords. It'd be good to know...


"While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login."

I am assuming here that this means certain passwords were cracked at that point - does this mean that the nonce/salt in their password storage was discovered? And how long until they have a cracked user/password file?


One nice thing about the Steam client software (and store website) is that it uses two factor authentication. The first time you log in on an unfamiliar machine, you have to input a code which is emailed to you.

Even if your Steam client and forum passwords were the same, your client account is still secure as long as your email password is different.


It wouldn't have been a big issue, but they should have never ever saved the credit card information in a DB. I don't know what makes people so confident they can save others' credit cards in a DB.

I would prefer to repost the needed details for every purchase.


It would be interesting to find out how they noticed that someone had stolen the data. I guess there must be a lot of attacks that don't get caught.


Wait, why would I change my Gmail password?


What you SHOULD do is set up two-factor authentication for your Google account. It's annoying, but not nearly as annoying as having a keylogger in a hotel lobby computer steal your password.


How do you do that?

EDIT: Found it! https://accounts.google.com/b/0/SmsAuthConfig


Because a lot of people use the same password everywhere. I really really really wish they wouldn't.


As long as we routinely use dozens of services that rely on "memorable" data to authenticate us, this is as inevitable as people who try to use different passwords for everything writing them down.

Password stores are one possible improvement, but most people don't know enough to use one, and they are probably far too fiddly for most people anyway. And of course, ultimately you're still talking about using a single set of credentials to authorise everything in that case, it's just a different target (which if ever compromised will undermine your entire identity).

Multi-factor authentication is a much better solution, but the technology to make it ubiquitous in a way that is neither excessively expensive nor creepy on privacy grounds isn't there yet.

There are some problems in security that we know how to solve, at least to the extent that no-one has any idea how to crack them directly today and the effort to brute force them is effectively infinite. I'm really hoping that one of these days, the combination of mobile technology and the Internet will provide us with an easily portable device that can integrate with everything and render obsolete the current mess of hundreds of on-line identities, "memorable data" to authenticate for every financial service I use, etc.


Ok, so if I don't do this I should be fine. I think the guy should have qualified his statement.

Thanks.


A lot of users tend to use the same password for various accounts. So, if the hacker gets one password, it means he can gain access to other accounts owned by the user.


I am finding it pretty difficult to change my Steam password. Where the hell do you do it?


To change your Steam Account password, do it from inside the preferences menu in the standalone application.

The interface for changing your Steam Forums password is not currently available.


No email, but the forum page shows the message: http://forums.steampowered.com


Wait, how do you change your Steam password?


This took me a while to figure out. You have to open the Steam client, go to Settings (in Windows) or Preferences (in Mac OS X) and click the change password button in there under the Account tab.


What if you don't have (or can't use) the Steam client?


I don't think you can access your account at all without the client? At least, none I know of.

Forum accounts are separate, after all.


Has the site been secured yet? Would it be wise to change your password before there is confirmation that steam's site is safe? Instead I would change the password on any other accounts that use the same password as your steam account.


I have not received a mail.


Nor I, but I imagine it just takes a little while to send tens of millions of emails.


And suddenly it's a bad day at Valve :(


And there goes HL2:Ep3 for another year.


I am gay.


:( Very sad.. but I suppose it was just a matter of time. At least the CC and passwords were protected correctly.



