Valve's Steam service hacked, credit card information obtained

by Alexander Sliwinski on Apr 19th 2007 1:20AM

Valve's Steam content distribution system has apparently been hacked. The culprit allegedly got deep enough into the system to steal credit card information and financial information on Valve. DailyTech reports the hacker known as "MaddoxX" broke in and obtained:

Screenshots of internal Valve web pages
A portion of Valve's Cafe directory
Error logs
Credit card information of customers
Financial information on Valve

MaddoxX posted the information he obtained on an anti-Steam website. He has also threatened to release a spreadsheet of the credit card information. We've contacted Valve for a statement on this alleged breach in security.

Update: Doug Lombardi, director of marketing for Steam, tells 1UP, "There has been no security breach of Steam ... The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Cafe program. This Cyber Cafe billing system is not connected to Steam. We are working with law enforcement agencies on this matter, and encourage anyone with more information to e-mail us at Catch_A_Thief [at] ValveSoftware [dot] com."

[Thanks SteveZ]

Source

Tags: credit cards, hack, PC, steam, valve

Reader Comments (76)

rut-roh...

Luckily I never bought anything using steam.

Shiz, I did.
Now to remember which card I used.

Wow, the guy who did this is a huge scumbag for exposing the credit card numbers. Especially for continuing to do it after the two letters that he received and published from that CyberCafe guy. Props to whoever wrote that letter, as it was really well written and very calm for someone who just had their personal information stolen and published by a lowlife.

@2:

Ditto. phew

@1: ruh-roh ^2!
x-(

that anti-steam website has a lot of free goodies lol

That really isn't much money as I was expecting. I mean, you can't even fund a new game with that much anymore.

WOW... I'm really suprised those mirrors still work!
Too bad for VALVe. It's on the internet now. You can't take it back.

I just hope MaddoxX didn't get my CC.
I'm actually quite fond of the Steam platform.

Thankfully the only thing I ever did with Steam was register my copy of the original Half Life. :shrug:

Wow. After reading some of the files in the download, that MaddoxX is a real dick. I feel really sorry for P. Waagenaar, Antonio Del Castillo Caba, Robert L. Ferguson, Richard Lee, and Michael Sokoloff who's credit card numbers I am now in possession of.

Thankfully for them, I'm a decent person, but I imagine far too many others are not.

Also, if the links go down and you want to see, TOO BAD. The files are going nowhere but my Recycle Bin.

Oh man, Ive bought a ton of stuff off Steam... Another thing for me to worry about...

Can someone please elaborate the extent of the information compromised? Like, if we've ever made a Steam purchase, should we shred the credit card we used?

HAX!

Christ its attention whore hackers like these that ruin shit for everyone.

Shred? Or Cancel?

Anyway - At least he's not going to class and shooting everyone. He seems like that sort of guy, except he's a way bigger wuss.

I THINK (don't quote me on this) that the only cards are for people who have an account, where it always charges X amount, but i dunno...I never fail to be amused by people online who talk big, "You can contact me here, and you better bring something big unless you want me to release all your info" but when the police come knocking, they transform, magically, into "Please forgive me, i don't want to go to jail..." I don't know what the laws are like in Russia, but it'll be interesting to see what happens. And if nothing does, rest assured that the KGB had him killed.

@Trace

Are those the ONLY names and CC numbers that were exposed? I sure hope so...

Don't shred your card just yet. All he's posted so far are 5 CC numbers (names I mentioned above) and some PHP files from internal sites. Not much use to me, and probably less use to someone who doesn't know PHP. Also, there are a couple screenshots of internal sites, a few hl2 logos in vector format, and a couple of images that say 'LOL PWND'.

Not much IMO. I'm betting this is all he's got.

Maybe I missed something. I can't find any solid evidence that a hacking attack actually occured. Valve has not made any statement to its customers regarding their credit card numbers. No mention is made of the event anywhere on the steam website, including in its forums. Does Valve even store credit card numbers? I found people on their forums saying they don't, but can't find any solid information one way or the other. What I can find is a guy who says he got some information, and some letters he received from people who could be made up.

the kid proved he had root access, meaning he could get anything he'd like off that server. What isn't clear is what server he had access to, whether it was just the cyber cafe accounts. Unfortunately those credit cards appear to be from users, as they're not business specific cards. So it looks like our little bastard hacker may indeed gained access to all financial information as well as steam itself. The guy could've left a virus to be pushed out in the next update if he really had the desire.

I hate Steam, too, but that's ridiculous.

Whats the big deal here? I'm sure the involved parties whose C.C. was put on the internet canceled those cards the second they found out what happened. And for the rest of those who have their credit card information stored on the Steam servers - don't most major credit card companies allow you to cancel any purchases that you can prove were un-authorized/not made by you? So yeah, its a big security breach and Valve will definitely have to do some soul-searching and send out some 'Sorry, it won't happen again' emails, but nothing that can't be patched up in a few days time.

It's easy to blame the hackers here, but the fact remains that Valve fucked over their customers and clients by not giving a shit about security. This is 2007, net security isn't a novelty, it's a necessity. If anyone here is to blame, it's Valve. Unlike the rest of the world, the soul of the internet isn't owned by cigar puffing tycoons, it's owned by hackers. Too bad Valve haven't noticed that yet. Don't they see the ads for ITT tech?

Everyone seems to be forgetting here, this is the second time Valve has been hacked. The first time the hacker was only after game content, and he stole a huge chunk of HL2's source code before its release. Valve supposedly stepped up security, but here we are again.

Ummm... Steam doesn't store CC information. I call bogus.

As this has apparently just happened, I would advise the wait-and-see(-and-call) approach. First thing in the morning (or right now if they offer 24 hour phone service), call the phone number of your credit card company's anti-fraud department (they'll have it plastered all over their website, most likely) and tell them you have reason to believe your number may have been stolen, even though you aren't sure. They'll advise you further and at least red flag the card.

Do NOT assume that if unauthorized purchases appear you can just claim them after the fact. Even if it's that simple, do you really need the hassle of filling out forms and signatures and hours on the telephone explaining how you weren't in Taiwan at 2:00 AM buying ten big screen TVs?

Oh no! They better not steal my maxed out credit card...

First of all, this kid could just be joking. I don't trust his findings, but I really want to stay safe.

Valve's Steam is the first service I've bought game-related software from. It's probably going to be the last if security isn't improving.

I just called my bank and they said nothing was done to my account, but for safety reasons I ordered a new card and my older one shredded.

Yes, I'm that paranoid about this, but at least all I had to do was to make a phone call and sit back and wait. :p

check lolhaxed.blogspot.com

Wow that guy seems a right dick.
If this is for real, he is gonna love it in jail.

Bye bye MaddoxX you new cell buddy BUBBA is waiting for you.

Why are people getting surprised now??? This is almost 2 weeks old.

@ Grey Fox (#15) : You're absolutely right.
@ James (#29) : Because it just made Joystiq now, and wasn't announced publicly elsewhere until now, that i've seen.

But you're right. The attention whore kid made the no-steam post on 04/09/07, over a week ago.

I've downloaded the "evidence" and it looks real, Valve has indeed been hacked. I'm worried cause I've bought a lot of stuff on Steam using my Credit Card.

I found this on their forum about their privacy policy.

"Does No-Steam disclose the information it collects from its visitors to outside parties?
No-Steam does not, and never will, sell or trade any personally identifiable information that visitors provide in any registration, purchase, or contest submission on the web site. No-Steam does, from time to time, share data solely in an aggregate form (that will not enable third parties to personally identify individual users, including you) to affiliates for marketing, advertising, or other uses. Notwithstanding the foregoing, the No-Steam reserves the right to disclose any personal information about you to law enforcement or other government officials as the No-Steam, in its sole discretion, believe is necessary or appropriate."

Yeah this is confusing...

So a web site with credit card details got hacked. Is everyone really that surprised??? No matter how secure some one will always find a way in. Remember that welsh kid who hacked into a mahjor credit card company and bought viagra with bill gates credit card just because he could. The fbi tracked him down in the end and he got let off because it was not malicious.

You will all be covered by your cards anti fraud protection so i really don't know why ur all kicking off for anyway.

I hope this guy gets the hunted down by FBI like the last guy who hacked steam. Bubba is wasiting for you ! I just hope that the poor guys who had their information leaked to the rest of the web have already done somehing about this.

A few sources are reporting that this hack was perpetrated by disgruntled gamers. This is absolute bullshit, the hack was done to steal credit card information, everything else is smokescreen.

So the hacker may threaten to reveal credit card details, all he actually wants is to advertise that he has them for sale.

What a self-righteous asshole.

If I wasn't about my credit card details I'd be laughing at his post:
"Ever wonder how rich Valve is?
A stunning $ 9,186,722.35"

That's nothing, in terms of the biggest videogame companies. And considering the cost of videogames these days I'm stunned by how low that figure is....

For fuck sake, I thought this Maddoxx guy just stuck to campaigning against Steam and serving hacked games. Posting people's financial details is hurting the whole Anti-steam movement.

What a shithead.

First of all, never register your "real" ccard on any website. Use the virtual credit card services from Citi Bank or Bank of America (shop safe).

Either one of these two will allow you to generate a new cc number on the fly and for an amount you specify. Then, register that with whatever site on the net you need to. If that site gets hacked, the card you registered cannot be used by any other vendor, especially if fix the amount to exactly what you bought with it.

Second, if you are worried about someone getting your cc info, all you need to do is call the customer service for that card and say you think it was stolen. They will then generate a new account number for you and send it. I recommend doing this every 6 months or so.

What an annoying twit. I'm not going to stop using Steam just because some moron stole my credit card information. The cashier at Target could do that.

Enjoy prison, MaddoxX.

You guys are all assuming that he lives in the US - what if he resides in a country that doesn't recognize internet hacks as illegal? He may never see jailtime for something like this.

Thankfully, I old CC expired when I bought CC:Source a few months back, and I have a newer CC with a new CC#, and Valve doesn't have that.

~HotShotX

This is not good! This is why I choose to buy retail vs digital distribo

I'm almost glad this guy did this. Steam is a fucking cancer on the gaming community, and hopefully this starts the ball rolling on the death of that goddamn atrocity.

You can't be sure that this is real, supposedly this happened two weeks ago, if that is true VALVe would have immediately responded. I say this guyis desperate and all he has is what he's given. Besides VALVe doesn't store any information once you buy it, it registers to an account and is deleted from the temporary storage.

@41 the last guy who hacked valve and stole the HL2 source code was tricked by valve and FBI into coming to the US for a security job at valve. When he left that plan seat he was in the hands of FBI ! =D

Really - what do you expect from the company that brought you the "gaben/HL2 source code" stolen fiasco. This company is retarded and it is clear they will never learn. What the hell does Valve do with that 9 million bucks? Buy Gabe donuts? They sure didn't use to to beef up their internal security.

| 1 | 2 | Most Recent | Next 50 Comments

Sorry, you must be logged in to leave a comment.

Breaking News

The most popular posts
in the last 7 days

Vita 'UMD Passport' won't be offered in US 220 comments
Kingdoms of Amalur: Reckoning review: A tempting fate 153 comments
David Jaffe leaves Eat Sleep Play, layoffs hit developer [Update] 107 comments
Don't call it a remake: Final Fantasy X is a 'remaster,' to be clear 95 comments
Battleship movie adapted into FPS by Double Helix 93 comments

Valve's Steam service hacked, credit card information obtained

Reader Comments (76)

Posted: Apr 19th 2007 1:24AM cheekymunky said

Posted: Apr 19th 2007 1:25AM (Unverified) said

Posted: Apr 19th 2007 1:28AM (Unverified) said

Posted: Apr 19th 2007 1:30AM DWells55 said

Posted: Apr 19th 2007 1:31AM QuePasa87 said

Posted: Apr 19th 2007 1:36AM (Unverified) said

Posted: Apr 19th 2007 1:42AM (Unverified) said

Posted: Apr 19th 2007 2:02AM Pipp said

Posted: Apr 19th 2007 2:15AM (Unverified) said

Posted: Apr 19th 2007 2:14AM UnnDunn said

Posted: Apr 19th 2007 2:18AM (Unverified) said

Posted: Apr 19th 2007 2:20AM (Unverified) said

Posted: Apr 20th 2007 8:22PM (Unverified) said

Posted: Apr 19th 2007 2:30AM (Unverified) said

Posted: Apr 19th 2007 2:35AM (Unverified) said

Posted: Apr 19th 2007 2:37AM (Unverified) said

Posted: Apr 19th 2007 2:39AM 6vx said

Posted: Apr 19th 2007 2:41AM (Unverified) said

Posted: Apr 19th 2007 2:45AM In A World said

Posted: Apr 19th 2007 2:48AM (Unverified) said

Posted: Apr 19th 2007 3:13AM (Unverified) said

Posted: Apr 19th 2007 3:08AM (Unverified) said

Posted: Apr 19th 2007 3:08AM Seroth said

Posted: Apr 19th 2007 3:14AM (Unverified) said

Posted: Apr 19th 2007 3:15AM (Unverified) said

Posted: Apr 19th 2007 11:11AM (Unverified) said

Posted: Apr 19th 2007 8:48AM (Unverified) said

Posted: Apr 19th 2007 3:33AM (Unverified) said

Posted: Apr 19th 2007 4:15AM (Unverified) said

Posted: Apr 19th 2007 4:36AM (Unverified) said

Posted: Apr 19th 2007 4:56AM (Unverified) said

Posted: Apr 19th 2007 4:39AM (Unverified) said

Posted: Apr 19th 2007 4:50AM (Unverified) said

Posted: Apr 19th 2007 5:06AM (Unverified) said

Posted: Apr 19th 2007 5:42AM (Unverified) said

Posted: Apr 19th 2007 5:38AM ysdarkfact said

Posted: Apr 19th 2007 6:14AM (Unverified) said

Posted: Apr 19th 2007 7:05AM (Unverified) said

Posted: Apr 19th 2007 7:09AM hahnchen said

Posted: Apr 19th 2007 7:28AM (Unverified) said

Posted: Apr 19th 2007 7:45AM (Unverified) said

Posted: Apr 19th 2007 8:11AM (Unverified) said

Posted: Apr 19th 2007 8:15AM (Unverified) said

Posted: Apr 19th 2007 8:41AM (Unverified) said

Posted: Apr 19th 2007 8:46AM (Unverified) said

Posted: Apr 19th 2007 8:44AM joevill said

Posted: Apr 19th 2007 8:50AM KaneRobot said

Posted: Apr 19th 2007 10:11PM (Unverified) said

Posted: Apr 19th 2007 8:58AM (Unverified) said

Posted: Apr 19th 2007 9:01AM KaneRobot said

Info

Description

MSRP

Release Date

Genre

Developer

Publisher

Rating

Breaking News

Double Fine Kickstarter passes $1 million in under 24 hours, breaking yet another record

Featured Stories

The Joystiq Show - 024: Kingdoms of Double Fine

Shank 2 review: Refined brutality

Ghost Recon: Future Soldier brings information warfare to the front

The most popular postsin the last 7 days

Engadget

TUAW

Massively

WoW

The most popular posts
in the last 7 days