UPDATED 13:41 EDT / FEBRUARY 13 2012

Steam: Hackers Accessed Backup Copy of Database in November 2011

Over the weekend, Valve’s consumer-class cloud-based game delivery service, Steam, made an announcement about the hack that affected the service in November 2011. Gabe Newell, CEO of Steam, told users that while hackers had not accessed Steam passwords, they did get personal and financial information from a backup database.

Gamers who use the Steam service can still rest relatively easy, as Valve is no spring chicken when it comes to online security: unlike in other hacks we’ve seen, the company acknowledges that it encrypted billing addresses and credit card information.

Here’s the salient portion of the statement:

Recently we learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008. This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information. It did not include Steam passwords.

We do not have any evidence that the encrypted credit card numbers or billing addresses have been compromised. However as I said in November it’s a good idea to watch your credit card activity and statements. And of course keeping Steam Guard on is a good idea as well.

Encryption is not the be-all and end-all defense against losing information, but it’s certainly a best practice. Most hackers hitting consumer databases are looking for the lowest-hanging fruit they can possibly grab; if something is encrypted, it means days or even possibly months of computer crunching to attempt to break it. With the enterprise-level encryption on the market and smart choices, encryption could make the stolen data next to worthless, especially if the information is already 4 years out of date.

Also, Steam deserves credit here for keeping their customers in the loop as they discover more about the hack that struck them. If we saw more of this during the PlayStation Network outage debacle, it might have gone over a lot better for Sony.

Hacks are a fact of life for people who now live part of their lives in the cloud. Because all this personal information is stored on servers outside of our control, it’s important to remain aware of what information is out there and what the people who hold it have done to protect it. While certain elements of our lives are our responsibility to protect (cancelling credit cards, watching statements, etc.), if a service wants personal information from us, it had better show that it can also be responsible with it.

Perhaps the encryption on Steam’s databases and their relative age are exactly why we haven’t seen further news, outside of Steam keeping us in the loop, of anything happening to the data.

This is the ideal case whenever anything happens to a database of customer information.

If any group from 2011 has taught us how fraught with danger lax security has been, it’s LulzSec and their rampant leaks of customer data and personal information. After all, they said it best when pointing out that at least now we know it’s been leaked, whereas if an actual hacker took it, they’d be able to do numerous nefarious things with it without anyone knowing until it was too late.

