Valve's Steam service hacked, credit card information obtained
Valve's Steam content distribution system has apparently been hacked. The culprit allegedly got deep enough into the system to steal credit card information and financial information on Valve. DailyTech reports the hacker known as "MaddoxX" broke in and obtained:
- Screenshots of internal Valve web pages
- A portion of Valve's Cafe directory
- Error logs
- Credit card information of customers
- Financial information on Valve
Update: Doug Lombardi, director of marketing for Steam, tells 1UP, "There has been no security breach of Steam ... The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Cafe program. This Cyber Cafe billing system is not connected to Steam. We are working with law enforcement agencies on this matter, and encourage anyone with more information to e-mail us at Catch_A_Thief [at] ValveSoftware [dot] com."
[Thanks SteveZ]










Reader Comments (Page 1 of 2)
cheeky @ Apr 19th 2007 1:24AM
rut-roh...
NeverSage @ Apr 19th 2007 1:25AM
Luckily I never bought anything using steam.
me @ Apr 19th 2007 1:28AM
Shiz, I did.
Now to remember which card I used.
DWells55 @ Apr 19th 2007 1:30AM
Wow, the guy who did this is a huge scumbag for exposing the credit card numbers. Especially for continuing to do it after the two letters that he received and published from that CyberCafe guy. Props to whoever wrote that letter, as it was really well written and very calm for someone who just had their personal information stolen and published by a lowlife.
Arturo @ Apr 19th 2007 1:31AM
@2:
Ditto. phew
mayank @ Apr 19th 2007 1:36AM
@1: ruh-roh ^2!
x-(
oh ya @ Apr 19th 2007 1:42AM
that anti-steam website has a lot of free goodies lol
Durrrr @ Apr 19th 2007 2:02AM
That really isn't as much money as I was expecting. I mean, you can't even fund a new game with that much anymore.
Uchendu Nwachukwu @ Apr 19th 2007 2:14AM
Thankfully the only thing I ever did with Steam was register my copy of the original Half Life. :shrug:
Trace @ Apr 19th 2007 2:15AM
WOW... I'm really surprised those mirrors still work!
Too bad for VALVe. It's on the internet now. You can't take it back.
I just hope MaddoxX didn't get my CC.
I'm actually quite fond of the Steam platform.
Trace @ Apr 19th 2007 2:18AM
Wow. After reading some of the files in the download, that MaddoxX is a real dick. I feel really sorry for P. Waagenaar, Antonio Del Castillo Caba, Robert L. Ferguson, Richard Lee, and Michael Sokoloff whose credit card numbers I am now in possession of.
Thankfully for them, I'm a decent person, but I imagine far too many others are not.
Trace @ Apr 19th 2007 2:20AM
Also, if the links go down and you want to see, TOO BAD. The files are going nowhere but my Recycle Bin.
Tetranitrocubane @ Apr 19th 2007 2:30AM
Can someone please elaborate the extent of the information compromised? Like, if we've ever made a Steam purchase, should we shred the credit card we used?
kyou @ Apr 19th 2007 2:35AM
HAX!
Grey Fox @ Apr 19th 2007 2:37AM
Christ, it's attention whore hackers like these that ruin shit for everyone.
Tim @ Apr 19th 2007 2:39AM
Shred? Or Cancel?
Anyway - At least he's not going to class and shooting everyone. He seems like that sort of guy, except he's a way bigger wuss.
Tom90deg @ Apr 19th 2007 2:41AM
I THINK (don't quote me on this) that the only cards are for people who have an account, where it always charges X amount, but I dunno... I never fail to be amused by people online who talk big, "You can contact me here, and you better bring something big unless you want me to release all your info" but when the police come knocking, they transform, magically, into "Please forgive me, I don't want to go to jail..." I don't know what the laws are like in Russia, but it'll be interesting to see what happens. And if nothing does, rest assured that the KGB had him killed.
Tom @ Apr 19th 2007 2:45AM
@Trace
Are those the ONLY names and CC numbers that were exposed? I sure hope so...
Trace @ Apr 19th 2007 2:48AM
Don't shred your card just yet. All he's posted so far are 5 CC numbers (names I mentioned above) and some PHP files from internal sites. Not much use to me, and probably less use to someone who doesn't know PHP. Also, there are a couple screenshots of internal sites, a few hl2 logos in vector format, and a couple of images that say 'LOL PWND'.
Not much IMO. I'm betting this is all he's got.
Seroth @ Apr 19th 2007 3:08AM
I hate Steam, too, but that's ridiculous.
mega @ Apr 19th 2007 3:08AM
The kid proved he had root access, meaning he could get anything he'd like off that server. What isn't clear is what server he had access to, whether it was just the cyber cafe accounts. Unfortunately those credit cards appear to be from users, as they're not business specific cards. So it looks like our little bastard hacker may indeed have gained access to all financial information as well as steam itself. The guy could've left a virus to be pushed out in the next update if he really had the desire.
shMerker @ Apr 19th 2007 3:13AM
Maybe I missed something. I can't find any solid evidence that a hacking attack actually occurred. Valve has not made any statement to its customers regarding their credit card numbers. No mention is made of the event anywhere on the steam website, including in its forums. Does Valve even store credit card numbers? I found people on their forums saying they don't, but can't find any solid information one way or the other. What I can find is a guy who says he got some information, and some letters he received from people who could be made up.
mike h. @ Apr 19th 2007 3:14AM
What's the big deal here? I'm sure the involved parties whose C.C. was put on the internet canceled those cards the second they found out what happened. And for the rest of those who have their credit card information stored on the Steam servers - don't most major credit card companies allow you to cancel any purchases that you can prove were un-authorized/not made by you? So yeah, it's a big security breach and Valve will definitely have to do some soul-searching and send out some 'Sorry, it won't happen again' emails, but nothing that can't be patched up in a few days time.
fawazr @ Apr 19th 2007 3:15AM
It's easy to blame the hackers here, but the fact remains that Valve fucked over their customers and clients by not giving a shit about security. This is 2007, net security isn't a novelty, it's a necessity. If anyone here is to blame, it's Valve. Unlike the rest of the world, the soul of the internet isn't owned by cigar puffing tycoons, it's owned by hackers. Too bad Valve haven't noticed that yet. Don't they see the ads for ITT tech?
Xian! @ Apr 19th 2007 3:33AM
As this has apparently just happened, I would advise the wait-and-see(-and-call) approach. First thing in the morning (or right now if they offer 24 hour phone service), call the phone number of your credit card company's anti-fraud department (they'll have it plastered all over their website, most likely) and tell them you have reason to believe your number may have been stolen, even though you aren't sure. They'll advise you further and at least red flag the card.
Do NOT assume that if unauthorized purchases appear you can just claim them after the fact. Even if it's that simple, do you really need the hassle of filling out forms and signatures and hours on the telephone explaining how you weren't in Taiwan at 2:00 AM buying ten big screen TVs?
Clay @ Apr 19th 2007 4:15AM
Oh no! They better not steal my maxed out credit card...
Quakeulf @ Apr 19th 2007 4:36AM
First of all, this kid could just be joking. I don't trust his findings, but I really want to stay safe.
Valve's Steam is the first service I've bought game-related software from. It's probably going to be the last if security isn't improving.
I just called my bank and they said nothing was done to my account, but for safety reasons I ordered a new card and my older one shredded.
Yes, I'm that paranoid about this, but at least all I had to do was to make a phone call and sit back and wait. :p
MrBeejeezus @ Apr 19th 2007 4:39AM
Wow that guy seems a right dick.
If this is for real, he is gonna love it in jail.
Bye bye MaddoxX, your new cell buddy BUBBA is waiting for you.
James @ Apr 19th 2007 4:50AM
Why are people getting surprised now??? This is almost 2 weeks old.
aformalevent @ Apr 19th 2007 4:56AM
check lolhaxed.blogspot.com
Trace @ Apr 19th 2007 5:06AM
@ Grey Fox (#15) : You're absolutely right.
@ James (#29) : Because it just made Joystiq now, and wasn't announced publicly elsewhere until now, that I've seen.
But you're right. The attention whore kid made the no-steam post on 04/09/07, over a week ago.
ysdarkfact @ Apr 19th 2007 5:38AM
I found this on their forum about their privacy policy.
"Does No-Steam disclose the information it collects from its visitors to outside parties?
No-Steam does not, and never will, sell or trade any personally identifiable information that visitors provide in any registration, purchase, or contest submission on the web site. No-Steam does, from time to time, share data solely in an aggregate form (that will not enable third parties to personally identify individual users, including you) to affiliates for marketing, advertising, or other uses. Notwithstanding the foregoing, the No-Steam reserves the right to disclose any personal information about you to law enforcement or other government officials as the No-Steam, in its sole discretion, believe is necessary or appropriate."
Yeah this is confusing...
Ramzi @ Apr 19th 2007 5:42AM
I've downloaded the "evidence" and it looks real, Valve has indeed been hacked. I'm worried cause I've bought a lot of stuff on Steam using my Credit Card.
kris @ Apr 19th 2007 6:14AM
So a web site with credit card details got hacked. Is everyone really that surprised??? No matter how secure, someone will always find a way in. Remember that Welsh kid who hacked into a major credit card company and bought Viagra with Bill Gates' credit card just because he could. The FBI tracked him down in the end and he got let off because it was not malicious.
You will all be covered by your card's anti-fraud protection so I really don't know why you're all kicking off for anyway.
Chris @ Apr 19th 2007 7:05AM
I hope this guy gets hunted down by the FBI like the last guy who hacked steam. Bubba is waiting for you! I just hope that the poor guys who had their information leaked to the rest of the web have already done something about this.
hahnchen @ Apr 19th 2007 7:09AM
A few sources are reporting that this hack was perpetrated by disgruntled gamers. This is absolute bullshit, the hack was done to steal credit card information, everything else is smokescreen.
So the hacker may threaten to reveal credit card details, all he actually wants is to advertise that he has them for sale.
MacAoidh @ Apr 19th 2007 7:28AM
What a self-righteous asshole.
If I wasn't about my credit card details I'd be laughing at his post:
"Ever wonder how rich Valve is?
A stunning $ 9,186,722.35"
That's nothing, in terms of the biggest videogame companies. And considering the cost of videogames these days I'm stunned by how low that figure is....
Samiel @ Apr 19th 2007 7:45AM
For fuck sake, I thought this Maddoxx guy just stuck to campaigning against Steam and serving hacked games. Posting people's financial details is hurting the whole Anti-steam movement.
What a shithead.
SnapperDragon @ Apr 19th 2007 8:11AM
First of all, never register your "real" ccard on any website. Use the virtual credit card services from Citi Bank or Bank of America (shop safe).
Either one of these two will allow you to generate a new cc number on the fly and for an amount you specify. Then, register that with whatever site on the net you need to. If that site gets hacked, the card you registered cannot be used by any other vendor, especially if you fix the amount to exactly what you bought with it.
Second, if you are worried about someone getting your cc info, all you need to do is call the customer service for that card and say you think it was stolen. They will then generate a new account number for you and send it. I recommend doing this every 6 months or so.
jettoki @ Apr 19th 2007 8:15AM
What an annoying twit. I'm not going to stop using Steam just because some moron stole my credit card information. The cashier at Target could do that.
Enjoy prison, MaddoxX.
Synthetik @ Apr 19th 2007 8:41AM
You guys are all assuming that he lives in the US - what if he resides in a country that doesn't recognize internet hacks as illegal? He may never see jailtime for something like this.
Joseph Villalobos @ Apr 19th 2007 8:44AM
This is not good! This is why I choose to buy retail vs digital distribo
HotShotX @ Apr 19th 2007 8:46AM
Thankfully, my old CC expired when I bought CC:Source a few months back, and I have a newer CC with a new CC#, and Valve doesn't have that.
~HotShotX
intheknow @ Apr 19th 2007 8:48AM
Ummm... Steam doesn't store CC information. I call bogus.
Kizzle @ Apr 19th 2007 8:50AM
I'm almost glad this guy did this. Steam is a fucking cancer on the gaming community, and hopefully this starts the ball rolling on the death of that goddamn atrocity.
Chris @ Apr 19th 2007 8:58AM
@41 The last guy who hacked valve and stole the HL2 source code was tricked by valve and FBI into coming to the US for a security job at valve. When he left that plane seat he was in the hands of FBI! =D
Kizzle @ Apr 19th 2007 9:01AM
Really - what do you expect from the company that brought you the "gaben/HL2 source code" stolen fiasco. This company is retarded and it is clear they will never learn. What the hell does Valve do with that 9 million bucks? Buy Gabe donuts? They sure didn't use it to beef up their internal security.
Austin @ Apr 19th 2007 9:05AM
If your information is exposed the breached company is required to contact your card admin (i.e. Visa). They will send you a letter with a new card. If the company doesn't, and people steal your money, companies in similar positions have been held responsible (via class action lawsuit).
chenry @ Apr 19th 2007 9:19AM
I think I should cancel my credit card.
Tom Edwards @ Apr 19th 2007 10:49AM
Consumer numbers aren't at risk. They aren't stored. The numbers that ARE at risk are all held by cybercafe owners who have recurring Steam subscriptions to their games. The post really ought to be updated to get this across!
The guy said they were consumer numbers because he's fishing for more attention or clueless.