Valve's Steam service hacked, credit card info obtained

Looks like its time to cancel another card...Valve is still not responding to this as of yet, how wonderful.

Valve's Steam content distribution system has apparently been hacked. The culprit allegedly got deep enough into the system to steal credit card information and financial information on Valve. DailyTech reports the hacker known as "MaddoxX" broke in and obtained:

  • Screenshots of internal Valve web pages
  • A portion of Valve's Cafe directory
  • Error logs
  • Credit card information of customers
  • Financial information on Valve
MaddoxX posted the information he obtained on an anti-Steam website. He has also threatened to release a spreadsheet of the credit card information. We've contacted Valve for a statement on this alleged breach in security.

News source: Joystiq
View: Hackers site

Report a problem with article
Previous Story

Windows Vista Ultimate and WSUS

Next Story

Halo 2 Vista gold, in stores May 8th

11 Comments

Nah...

Anyone else think this daft hacker has just added the last 2 bullets to make this release more interesting? The top 3 can be obtained through other means.

I think this is crap.. but we shall see.

Ok so....screenshots couldn't have been leaked from an employee? Valves cafe directory doesn't contain data that could have been compiled quite easily? Error logs aren't easy to create?

More importantly, where does Steam actually log your credit card? It DOESNT!! It asks you to enter it each time you make a purchase, and should, unless Valve are breaking every data protection act going, be sent straight to the card processor - Valve shouldn't be logging any CC details, and I doubt do.

Financial information for a incorporated company such as valve is simply to get hold of.

Still worried?

I think this is a load of rubbish. Some kid scaremongoring.

For a little perspective, MaddoxX hacked the Steam client (along with many other intelligent people) in order for people to get the games free without purchasing them, using special modified clients. Nobody in that scene however has been able to do anything to Steam on their server-side and it's angered and frustrated many because of server-side checks and such. Steam Cafe is an entirely different matter however. It seems that this is NOT a hoax. However, he didn't get regular home-users credit cards, he got CCs of Cyber Cafe owners who pay Valve and use their special Steam Cafe clients. I've noticed a lot of people have shown hatred towards this guy, but it's strange because to me what he has done is very good. Yes, he could've kept the CCs secretive, but he's trying to prove a point.

It would've been much worse if he just kept this a secret and used the security compromise to his advantages. Instead, he has shown that Valve's cafe client program is definitely not secure and needs repair. If he didn't reveal this information, another hacker could've found this out and caused a lot of damage to Cyber Cafes. I hate how there is no open discussion about situations like this because Valve has to keep their mouths shut as FBI investigations and whatnot happen. I certainly hope for a press release sooner or later as they really need to talk to MaddoxX and secure their Cafe system.

This is very unnerving. It's not a joke it seems. Valve thoroughly deserve to face consequences for this. Not only does their cafe Steam system log CC numbers, but the security of Steam Cafe systems is obviously very compromised. If someone gets their identity and/or CC stolen by a random hacker, it's not the hacker who is to blame, it is Valve and only Valve. Fortunately, MaddoxX has not caused much damage at all to any parties and hopefully Valve will communicate with him properly and figure out what needs fixing.

For those curious, here's the hack proof package posted by MaddoxX on his forum. Note, that CC numbers are included, but I'm sure nobody on here would actually try to use them; hopefully the owners have called their companies to cancel them if someone has used them. Valve should not be deleting threads about this on their official Steam forums, but instead posting a news item and sending all their Cafes information about this.

Steam Cafe Hack Evidence Archive: http://download.yousendit.com/7003979143FDE214
Mirror: http://www.rogepost.com/n/1779400563

You can easily find MaddoxX and his forum through Google, if you want to leave him a message. Valve hasn't been able to censor that yet.

Fortunately, MaddoxX has not caused much damage at all to any parties

Yeah right, making a list of credit card numbers available to all on the 'net is not "[causing] much damage at all to any parties." I see where you're coming from in the previous post, that he could be doing cyber cafes a favour by publicly alerting Valve of their flawed system. However, going public with credit numbers and making them freely available for jackass fraudsters to take advantage of before the cafes quickly cancel their numbers - that's something else.

At least the post on the thread was deleted. But please, for the sake of these cafes, delete those links.

From that joystiq link:

Wow, the guy who did this is a huge scumbag for exposing the credit card numbers. Especially for continuing to do it after the two letters that he received and published from that CyberCafe guy. Props to whoever wrote that letter, as it was really well written and very calm for someone who just had their personal information stolen and published by a lowlife.

And I wholeheartedly agree with that post.

(I don't work for Steam however it's logical to conclude the following points)

1: Personal credit information is usually stored on the Client-side and is only sent to steam when a purchases is agree upon. I'm guessing that the credit information is then only stored temporarily(cached) until it's moved to their billing department at which point it's probably purged from anywhere connected by a normal internet connection.

2: Information is also usually stored in an encrypted format, the only time it is usually readable is when someone human is dealing with accounts like over viewing billing.

3: True businesses often use an Invoicing method which usually means a paper trail in regards to product/service purchase. In most cases Services are usually placed onto a Direct Debit method of payment to a business account where both the person in control of the bank account and Steam agree on the terms of a Direct Debit. The only information that's usually housed in databases in regards to this is the persons name, their bank account number and the amount being billed (as well as of course tracking the billing).

4: Should any companies database be openly compromised, they have to(if not should) inform the banks in regards to the accounts that were stored within such a database. This causes the banks to flag all credit transactions from that time period up until new cards and security numbers are dispatched.

5: It's known that in the advent of Valve's Halflife 2 certain files were previously hacked and made available on the internet. It wouldn't be prudent for a company to allow the same mistake (or equally catastrophic mistakes) to happen twice. I wouldn't be suprised if the hack in question stumbled into a honey pot like some thieving ant.

I've seen a previous "Hacker" that claimed to do something with a particular messenger service using a freely available tool, So a bunch of unwitting people downloaded this tool and often complained or questioned how the tool did the job it supposedly was made to do. The reality was that the tool was in fact a trojan, and the things that couldn't be done in reality to the server-side of the messaging service were actually being done on their own computers. Their activities, logs, e-mails, messages etc were all being sent to an IRC server and the "Hacker" was merely quoting back to them references from what was stolen from them ith some photoshoped images to make it look like he'd breached the messenger server security.

Commenting is disabled on this article.