And this happened with Steam Guard on? If you answer that with yes, I'd call the police. There is no way a "random" hacker gets through 2FA on steam if your account security is hardened (ie, dev steam doesn't link to [email protected] for example, since a site email, stuff like the login code, can be very easily hax0red with a bit of social engineering if more people have access to the same mail account, obviously)
We are aware of how the attack played out, and have taken steps to prevent it from happening again. Valve was extremely helpful in this, and has provided us with the relevant logs.
Essentially, there was _very_ good social engineering done that resulted in the compromise. However, Valve is aware of the method of the attack and has taken steps to prevent another attack like this from occurring with us, and almost certainly with other people as well.
As for the other concern, no the accounts for Steam are not shared, and we practice giving people the bare minimum permissions that they need.
Am I right to assume this was the goal of the initial social engineering attack?
Yes, we believe that compromising the Steam account was the goal for the attack. Despite this, the attacker was unable to execute the final stages of his plan, and was unable to do anything with the Steam account.
I think this is continuation of the front site deface hax from a few months ago, attackers will often probe 1 target where they had success as deeply as possible because it indicates lacking (or totally absent) security rules and awareness.
We do believe that is the case. I have since gone in and fixed any flaws that we could find. If anyone knows of additional flaws, please send me a PM/email so they can be patched. You can also make a Mantis issue regarding it, but depending on the severity of the flaw that might end up being hidden from public view to prevent anyone from getting any ideas.
Of course, maybe the attackers should not target tech geeks huh. Should be very easy to trace down who tried to access your steam account. There is a login log somewhere in the depths of client settings in the steam client.
Yep, I pulled _all_ of our logs and combed through them looking for any access to Chris' accounts or another Staff Member's accounts. We also got the IP that the attacker used to log in with from Steam.
To conclude, we have done extensive investigating and determined the IP that was used to access each service, when they accessed them, and how they got access.