Reader Comments (76)

Posted: Apr 19th 2007 9:05AM (Unverified) said

If your information is exposed, the breached company is required to contact your card admin (i.e., Visa). They will send you a letter with a new card. If the company doesn't, and people steal your money, companies in similar positions have been held responsible (via class action lawsuit).

Posted: Apr 19th 2007 9:19AM (Unverified) said

I think I should cancel my credit card.

Posted: Apr 19th 2007 10:49AM (Unverified) said

Consumer numbers aren't at risk. They aren't stored. The numbers that ARE at risk are all held by cybercafe owners who have recurring Steam subscriptions to their games. The post really ought to be updated to get this across!

The guy said they were consumer numbers because he's fishing for more attention or clueless.

Posted: Apr 19th 2007 10:53AM (Unverified) said

Jackasses like this tool and Spam companies are the reason we need to start killing these people. And what is this crap about stealing Maddox's name? Can't this punk ass wannabe think up his own name? So to prove how much he hates Steam, he steals CC numbers from Steam's customers. Yeah, that made a lot of frigging sense, idiot. I truly hope he lives in the US or somewhere that has an extradition treaty with the US so the FBI can nab his ass and throw it in the gang rape section of a Federal Prison. Course, how many of you want to bet he's only like 13 years old?

Posted: Apr 19th 2007 11:07AM (Unverified) said

I wonder if this guy knows what he's getting into. Remember when someone stole the code for HL2?

Posted: Apr 19th 2007 11:09AM (Unverified) said

I am the manager of a cyber-cafe and Valve's cafe program is actually cheap as hell. Think about it: buy hours from them in bulk and it ends up being about fifty cents an hour. Most LAN centers charge upwards of five dollars an hour. This is over a four dollar markup, what’s the problem?

Posted: Apr 19th 2007 11:39AM (Unverified) said

"51. Jackasses like this tool and Spam companies are the reason we need to start killing these people. And what is this crap about stealing Maddox's name? Can't this punk ass wannabe think up his own name?"

Ever think of the possibility that this has been his net handle / hacker name for years before Maddox started posting his ignorance online? Ever think that maybe they both got the name from the same source? Ever think of the possibility that he had never even heard of Maddox before?

No no. Since you love Maddox, he *MUST* have stolen it.

Posted: Apr 19th 2007 11:49AM lessthankris said

lol, what lame evidence. what a load of BS

Posted: Apr 19th 2007 12:23PM (Unverified) said

Isn't "Maddox" a real last name? I think that prolly existed long before both of those douche bags.

This sucks. This will set digital distribution back because it reassures the fears of the consumer that someone can easily steal their cc info. I personally don't use Steam, but I really think it's an awesome concept.

Posted: Apr 19th 2007 1:20PM raygundan said

Valve is deleting any posts to the forums at steampowered.com that ask questions about the break-in. I posted three times with polite questions, and the posts vanished within a minute each time.

After the third post, I was banned for two months.

Banned! For asking if there was any news about stolen customer information!

Posted: Apr 19th 2007 1:55PM (Unverified) said

For a little perspective, MaddoxX hacked the Steam client (along with many other intelligent people) in order for people to get the games free without purchasing them, using special modified clients. Nobody in that scene however has been able to do anything to Steam on their server-side and it's angered and frustrated many because of server-side checks and such. Steam Cafe is an entirely different matter however. It seems that this is NOT a hoax. However, he didn't get regular home users' credit cards, he got CCs of Cyber Cafe owners who pay Valve and use their special Steam Cafe clients. I've noticed a lot of people have shown hatred towards this guy, but it's strange because to me what he has done is very good. Yes, he could've kept the CCs secretive, but he's trying to prove a point.

It would've been much worse if he just kept this a secret and used the security compromise to his advantages. Instead, he has shown that Valve's cafe client program is definitely not secure and needs repair. If he didn't reveal this information, another hacker could've found this out and caused a lot of damage to Cyber Cafes. I hate how there is no open discussion about situations like this because Valve has to keep their mouths shut as FBI investigations and whatnot happen. I certainly hope for a press release sooner or later as they really need to talk to MaddoxX and secure their Cafe system.

This is very unnerving. Valve thoroughly deserve to face consequences for this. Not only does their cafe Steam system log CC numbers, but the security of Steam Cafe systems is obviously very compromised. If someone gets their identity and/or CC stolen by a random hacker, it's not the hacker who is to blame, it is Valve and only Valve. Fortunately, MaddoxX has not caused much damage at all to any parties and hopefully Valve will communicate with him properly and figure out what needs fixing.

For those curious, here's the hack proof package posted by MaddoxX on his forum. Note, that CC numbers are included, but I'm sure nobody on here would actually try to use them; hopefully the owners have called their companies to cancel them if someone has used them. Valve should not be deleting threads about this on their official Steam forums, but instead posting a news item and sending all their Cafes information about this.

Steam Cafe Hack Evidence Archive: http://download.yousendit.com/7003979143FDE214
Mirror: http://www.rogepost.com/n/1779400563

Posted: Apr 19th 2007 2:04PM (Unverified) said

@Illya: Rumor is (and MaddoxX himself has claimed) that his access goes deeper than the Steam Cafe servers. He claims to have root access everywhere - Which means bad things for just about anyone who's ever bought anything off steam... if it is true.

Posted: Apr 19th 2007 2:10PM (Unverified) said

@ Illya

I'm sorry but it's a criminal act, he could have quite easily contacted Valve without publishing this on the net to let them know of a security breach.

My local corner shop has no security. I am going to go rob them to prove a point that they need some because it's not a safe area I live in.

Mr Policeman, I didn't spend the money I stole so that's OK.

You can spout your naive bullshit all you want about him being a good guy and it's all the evil Valve Corporation's fault.

The rest of us live in the real world and would like little scumbags like this locked up.



Posted: Apr 19th 2007 2:15PM (Unverified) said

I hate Steam with a passion, and while I do use it (HL2, CS:S etc) this is one of many reasons why it shouldn't exist at all. Credit card numbers unencrypted sitting on their servers where some guy can hack right in and steal them. This is why I will never use direct2drive or other services like it where you pay by credit card and then download a game.

This hacker is a douche if he really exposed the credit card information, and I hope they catch him swiftly if he did.

Posted: Apr 19th 2007 2:52PM (Unverified) said

50. @ MrBeejeezus: I think that's a bad example comparing your local corner store to Valve's own Steam Cafe program, with everything that it is; client, servers, financial exchanges etc. A better, but not entirely perfect analogy is a situation with your bank. Let's say you go to your bank one day and you notice they offer a brand new program that allows customers to put a special item or two in a big vault, basically like what we have in our world presently called security deposit boxes. They say it's very secure and that people don't even know anything about what customers have what items in the vault at any time. So, you ask them to put a bond and a diamond in this vault as this service really appeals to you and you feel more secure putting them in there than keeping them in your house in a personal safe. Now imagine that a thief one night uses his expertise and knowledge and skill to find a way into the bank's vault because of their compromised security, and some sort of loophole. He randomly picks items to steal and gets away with your items incidentally. Now, common sense would dictate that you would first and foremost be angry with the bank and their failure to securely hold your items. You would definitely demand reimbursement and possibly go as far as deciding to never have anything to do with the bank after this, even if they improve their security or say so. Now, let's say the thief publicly releases information about his actions and says he will return all items if the bank properly communicates with him and they fix their security problems with his help. How can you want the guy locked up and be very angry with him after this, if the only final result is a good improvement of security and no damages to anyone, aside from maybe temporary worries and stress. 
I know MaddoxX's actions can be considered worse than the aforementioned situation (as the thief does not cause any damage in the end, unlike MaddoxX posting the CC numbers publicly), but at least it's not a diamond and bonds in a bank we're talking about. However, the ultimate result - as one hopes will be a great security improvement from Valve - is very positive and greatly outweighs his posting of a few CC numbers or breaking the law. On the other hand, if he didn't even do this or post about it, the security hole would probably never even be known about and some hacker could get server access secretly and cause a whole lot of damage before Valve even notices anything is wrong. Finally, my point still stands about the blame almost fully being placed on Valve. They offered the Cyber Cafe service in order to have more business and improve their image in the gamer's point of view, their stock holders did not demand they implement or create such a program, and even if they did; they would not be happy with this security breach and could care less WHO did it or maybe even what happens to them, as long as Valve owns up to it and fixes it and never lets it happen again - meanwhile, I'm sure some stockholders will sell their stock in the corporation and furthermore, this will drive away worried customers and Cyber Cafe owners as well. Anyway, I think that's enough of my writing. I've gotten my point across as I wanted to. As the gaming media and public, we should not be making angry comments towards MaddoxX, but instead putting as much pressure as we can on Valve. Their investigation of this matter has to be as thorough as possible, ending with a press release (something they notoriously (almost) never do about anything negative that happens with their Steam services) and a tightening of security. 
Hopefully that will happen and MaddoxX will be contacted properly and eventually continue to test the security of Steam services without resorting to posting more damaging information like CC numbers on the web in the entire Excel spreadsheet format.

Posted: Apr 19th 2007 3:23PM (Unverified) said

Oh and here's what MaddoxX told The Register:

The hacker says it's not his intention to steal information. He told us: "I just came across the login details when I was browsing some stuff. The access to their whole customer database was more like luck, but still a hack because the login details are inside some files. They changed the logins now and made it not possible anymore to get the details from the files. The [credit card] details itself are stored in a MySQL database where I still have access to."

"It is just to show how lax they are with their security. I want a full excuse from VALVe on their site that they did NOT inform anyone about this. I've got several e-mails from cafe owners and they said VALVe hasn't even said shit to them...so you can see how they treat their customers."

Posted: Apr 19th 2007 4:07PM (Unverified) said

Should we really expect much from Gabe Newell and co?

Gabe Newell is a fat retard. He used "gaben" as the password to his computer (wow, I wonder what "gaben" means?), and as a result the Source code got stolen and HL2 was delayed for months.

Posted: Apr 19th 2007 4:10PM Duke said

@ Illya
What part of stealing credit card numbers and publishing them / giving them out is missing you here? What he did was a crime and he deserves to be jailed for it. Though you may think it’s cute to mess with Valve, the rest of us don't like our credit cards on the net, our identities stolen, or any of the heavy duty crap that comes along with it. That can totally destroy an innocent person’s credit and financial future. Hell, I know of people getting through law school and being told they can’t get admitted to a state bar because their identity was stolen and they can’t prove it wasn’t them ringing up huge bills.

Reality seems to have shot right past you.

Someone called you naive earlier, and I would say that nails it. You should take a moment and be ashamed for encouraging this kind of behavior and for praising someone posting credit cards numbers as some sort of public service.

Posted: Apr 19th 2007 4:58PM (Unverified) said

I'm thinking BS. If he really had hacked Steam and stole CC#s, then Valve would be in serious trouble for not notifying customers of a security breach.

Besides, I could swear there was an option to not save my CC info after purchasing a game. Maybe not, but I don't remember seeing anything about Valve saving my CC info.

Plus, you can check your statements, and if you see unusual activity, report it.

Posted: Apr 19th 2007 5:06PM (Unverified) said

@ NATO_Duke: Speaking of reality and being naive. My father actually had two occasions of fraud occur to him which I was very concerned about and informed of during the time which they happened and the investigations that followed. Once, his identity was stolen and another time more recently, some young broad behind the jewelry store counter stole the information of his credit card and foolishly bought a bunch of purses online that night. Neither incident was the effect of my dad's own mistakes, but he checks his bank and credit card transactions usually online every day so in both cases, everything was fine in the end. What I'm trying to get at is that only a stupid, ignorant business owner would not be checking his credit and bank account transactions (online) at least a few times a week. Furthermore, I'm guessing MaddoxX contacted the guys whose CC numbers he posted as he's kept in touch with many a Cyber Cafe owner via e-mail since (and possibly even just before) he made the hack public. All the proof is there anyway of their CC numbers being stolen and publicized if they do have to prove to their bank and credit card company that they did not make any weird transactions they didn't authorize. It's not a big deal at all and in my opinion, he should not go to jail for it and he most probably won't. Remember that he holds very important information right now and still has root access to Cafe servers and possibly even more significant Valve servers. If he was ever to become deeply involved in discussion with Valve or lawful investigators, he would probably stay anonymous and simply cut a deal with them; they post about their own security faults via a press release and he tells them how he did it - end of story. So once again, I am being realistic, although also optimistic.
Far more damage to innocent individuals (Cyber Cafe owners mainly) would have been inflicted if MaddoxX did not make this hack public and used the stolen financial information for his own negative, illegal means. One final point, if you ask MaddoxX, almost all Cyber Cafe customers of Valve who have been in contact with him have not been angry, but civil and very concerned. Some have asked he please not reveal anymore sensitive information publicly and others have said they truly hope Valve will contact him and solve this matter privately and inform all parties concerned publicly. Moreover, many have been angry with Valve and not MaddoxX because Valve and their Steam representatives are saying absolutely nothing about the issue (although SOMEwhat understandably given the investigative procedures that have to occur in these situations), but have even closed all discussion remotely related to this hack and security compromise on their forums and have not contacted any Cyber Cafe owners to help them cope with this situation in any way. Call me naive if you want, but all information (whether fact or hearsay) in this case points to innocent individuals suffering far greater due to Valve's insecurity and lack of communication than MaddoxX's actions (thus far). And I think this issue needs no further comment on my part. I've said my share.

Posted: Apr 19th 2007 5:08PM (Unverified) said

Ok, after checking out the stuff the hacker released, he just may have done it, but it wasn't info on gamers. Just crap from Cyber Cafe owners.

And if it's been 2 weeks since this happened, I'm surprised there isn't a class action lawsuit against Valve for not informing the Cafe owners and stuff. Can't Valve CEO be jailed for not notifying the authorities of the breach?

Posted: Apr 19th 2007 5:16PM Duke said

Yes Illya Zubaryev, You have, and without using the enter key.

Now your statement, "Furthermore, I'm guessing MaddoxX contacted the guys whose CC numbers he posted as he's kept in touch with many a Cyber Cafe owner..." shows you don't know what he has done. You are looking for ways to excuse him. He committed a crime. Whether you think it’s a big deal or not, it is a big deal for those going through it. Beyond that it is a black and white crime to do this kind of action.

You said, "It's not a big deal at all and in my opinion..." It’s not your credit card, so of course it’s no biggie to you. No matter what your Dad went through, it wasn’t you, and you obviously have little sense when it comes to the security and privacy of one’s finances.

"...he should not go to jail for it and he most probably won't. Remember that he holds very important information right now and still has root access to Cafe servers and possibly even more significant Valve servers." Now, that sounds to me like you are talking about him using some blackmail to get out of this. Guess what, that’s a crime too.

Seriously, if many people share your lack of concern for people's personal finances, and commission of crimes, then we have a serious problem around here.

Posted: Apr 19th 2007 6:57PM (Unverified) said

He is a thief plain and simple, no amount of excuses can hide that fact.

Be it robbing a local convenience store or hacking into Valve and stealing CCs. He is not a modern day Robin Hood.

If he wanted to be seen in a positive light he should have informed Valve as soon as he found the backdoor and NOT gone in for a nose around.

You are naive to think this is anything other than a crime.

Posted: Apr 19th 2007 8:18PM (Unverified) said

Haha, http://emp.damage-web.net/viewtopic.php?p=62590 and the web domain is down. No more "No-Steam" forums. I think Valve is at work, undercover.

Way to go Valve! They are trying to make gaming the way it used to be. Fun.

Back in the day, I don't remember Doom being sold in a multi-million dollar gaming industry. Nowadays these companies need to protect their games because this world has become so corrupted.

Posted: May 2nd 2007 7:42AM (Unverified) said

Come off it, my home server is more secure than Valve's, and I'm 16. It is completely messed up, and if they do store credit card numbers even though they say they don't, they are breaching laws here in the UK as well as the US.

Posted: May 11th 2007 4:33AM (Unverified) said

I want a credit number!
