Starting around 9/11 of this year, someone other than me was accessing my email account. This has been determined by looking at traffic on our email server versus my travel schedule.
Shortly afterwards my machine started acting weird (right-clicking on executables would crash explorer). I was unable to find a virus or trojan on my machine, I reformatted my hard drive, and reinstalled.
For the next week, there appears to have been suspicious activity on my webmail account.
Around 9/19 someone made a copy of the HL-2 source tree.
At some point, keystroke recorders got installed on several machines at Valve. Our speculation is that these were done via a buffer overflow in Outlook's preview pane. This recorder is apparently a customized version of RemoteAnywhere created to infect Valve (at least it hasn't been seen anywhere else, and isn't detected by normal virus scanning tools).
Periodically for the last year we've been the subject of a variety of denial of service attacks targetted at our webservers and at Steam. We don't know if these are related or independent.
Well, this sucks.
I think most, if not all, people can agree with Gabe there. To have source code leaked is a crushing blow for any developer, especially when it includes clues to your other projects that have been kept secret for years.
Gabe would now like everybody's help:
What I'd appreciate is the assistance of the community in tracking this down. I have a special email address for people to send information to, firstname.lastname@example.org. If you have information about the denial of service attacks or the infiltration of our network, please send the details. There are some pretty obvious places to start with the posts and records in IRC, so if you can point us in the right direction, that would be great.
We at Valve have always thought of ourselves as being part of a community, and I can't imagine a better group of people to help us take care of these problems than this community.
Here's hoping that this does not set back the release of Half-Life 2 even further, and if you happen to see the source code available to download, either ignore it, or email that address with details so that they can have it removed. Having 5 years worth of work leaked onto the net is not fun.
Update: An email transcript dated the 27th of September (that I won't link to) highlights security flaws in Valve's operations, and mentions that some members of Valve were pushing for a peer-to-peer distribution method for Half-Life 2, in the hope of not crippling the direct download servers.
In the email, the owner of a Half-Life 2 fan site tricked another Valve employee into thinking he was someone else, and then got confidential information from him. Significantly, the Valve employee stated that they - at the time - had no email verification software, and so emails could be faked by a skilful hacker. Presumably security has now been tightened.
More articles about Half-Life 2