Cybercafe card details stolen

No danger to other customers :: April 19th, 2007 :: Events, Valve :: 136 Responses

You may by now have heard that “Steam” was broken into a week and a half ago and “consumer” credit card details stolen. As the quote marks suggest the breach has been played up by those behind it, whose exaggerations have been somewhat naively passed on by a number of big sites today. In actuality:

Steam was not compromised, only a regular Valve file server. In fact according to Valve it was a “third-party site” — though what sort of third party stores the sum in their corporate account I don’t know.
Consumer credit card information has not been stolen. The numbers in danger are all held by cybercafe owners, who have recurring subscriptions to their Steam games and have probably all long been informed (or not?). Consumer data are only stored in enough detail to fight mass fraud, not make purchases, and weren’t compromised anyway. Paying at a cafe does not put your card at risk.

All this will certainly make sure that when consumer subscriptions do arrive (as they will with Pirates of the Burning Sea) they’ll be properly secured, but given that it isn’t really a Steam issue there’s not much more for me to talk about. If you see anyone worrying, send them here!

Update: Valve’s statement, from 1UP:

There has been no security breach of Steam. The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam. We are working with law enforcement agencies on this matter, and encourage anyone with more information to e-mail us at catch_a_thief@valvesoftware.com.

Tags: big stories, purchasing, security

136 Responses to this post:

31 Comments

April 19th, 2007 at 4:25 pm :: Quote
Krosserdog Says:

Thanks, this makes me feel a bunch better. I’ve only made on purchase on Steam and I can’t remember if it was with my (currently expired) old creditcard or with my new one (which I also got around the time of purchase).
April 19th, 2007 at 4:31 pm :: Quote
Zips Says:

That’s rather absurd you’re going ahead and posting these as facts without so much as a source cited or a link.
April 19th, 2007 at 4:40 pm :: Quote
some one Says:

Zip you cant talk.You posted your own article over at csnation.. Digg is a reliable source now is it?

Think not.
April 19th, 2007 at 5:54 pm :: Quote
freddy bob Says:

zips, more fact than you can ever pull out of your ass
April 19th, 2007 at 6:00 pm :: Quote
Zips Says:

Zip you cant talk.You posted your own article over at csnation.. Digg is a reliable source now is it?

Think not.

The Digg article at least linked to something far more tangible than this junk. Come on Varsity, where’s your source? Hm?

Freddy Bob: Sorry you feel that way, but as it stands, I’ve had far more fact in my reporting of this than Varsity has. There are at least SOURCES for mine. Until Varsity comes up with something, he’s got nothing.
April 19th, 2007 at 6:20 pm :: Quote
freddy bob Says:

You are playing a game of the lesser of two evils, you deem Varsity’s report to be factless yet you personally have barely any more information. One digg article doesn’t make your csnation article justified in any way.
April 19th, 2007 at 6:27 pm :: Quote
Zips Says:

You are playing a game of the lesser of two evils, you deem Varsity’s report to be factless yet you personally have barely any more information. One digg article doesn’t make your csnation article justified in any way.

The Digg article links directly to the site in question that has all of the information posted. I’d say that’s quite justified compared to a non-source news post like this.
April 19th, 2007 at 6:31 pm :: Quote
someone else Says:

Since Valve hasn’t made a comment on this quite yet, and since the only first-hand information we have is from the hacker, who is likely to serve his own interests through embellishment and misinformation, and since attacking another web journalist’s methods when your own methods suffer an equal amount, how ’bout we discontinue the derailment of this post and simply acknowledge that not all of the facts of this matter are currently verifiable.
April 19th, 2007 at 7:51 pm :: Quote
chickie pie Says:

The Digg article links directly to the site in question that has all of the information posted. I’d say that’s quite justified compared to a non-source news post like this.

yes ok but you say in your news posting that you wont link to the site in question, you say here that the site in question is the source you’re pointing people to.

===============================================
According to at least one website, it seems as though Valve may have been the victim of a hack attempt. This hacking, if this is indeed all true, came away with information regarding Valve’s financial records, Cyber Cafe account information, the multi-core tech demos, and the real kicker, customer’s credit card information.

I’ve been unable to get a reply back about this from Valve to verify the validity of any of this, and I honestly doubt most website will hear back about this sort of matter. So, for the time being, take this news with a grain of salt. The originating link of the site this news comes from will not be linked here for several reasons. However, I learned of this through a submission on Digg if you want to take a look around there. If you feel the need to comment on this, I ask that you do not link to the site in any of your comments.
=============================================

evenif if it is a valid source the csnation news item reads like “valve may have been hacked, we dont know if its true, we dont know what really happened either so for the time being take this information with a grain of salt” and if thats how news should be reported then god help us all

but yes i agree with u if ur not going to back up what ur saying in a post here then why say anything at all
April 19th, 2007 at 8:25 pm :: Quote
Tom Edwards Says:

Come on Varsity, where’s your source? Hm?

I’m not linking to the thing. If I was going to do that I may as well have posted this ten days ago when I and others started getting e-mails about it — and I didn’t then because just as now attention only encourages these people. The link would have contained confidential data too (edit: as I see you already understand).

If you’ve looked at the package or even just its a list of its contents, and apply a bit of logic, this stuff is all pretty obvious.
April 19th, 2007 at 9:05 pm :: Quote
Ryno5660 Says:

Well…I used a card to by gmod 10 in early ‘07…Are they telling me that i’ve been fucked over because their wall just isn’t high enough?
April 19th, 2007 at 9:29 pm :: Quote
hahnchen Says:

This guy is not going to get caught unless someone sells him out. I doubt he’ll fall for the same honeytrap as the HL2 source code guy.
April 19th, 2007 at 10:48 pm :: Quote
Zips Says:

I’m not linking to the thing. If I was going to do that I may as well have posted this ten days ago when I and others started getting e-mails about it — and I didn’t then because just as now attention only encourages these people. The link would have contained confidential data too (edit: as I see you already understand).

If you’ve looked at the package or even just its a list of its contents, and apply a bit of logic, this stuff is all pretty obvious.

I’ve seen the list of contents, it’s only displayed everywhere on the Internet now, but nowhere do any of those lists say the scope limitation of “customer’s credit card” information, now does it? No. Certainly not unless you downloaded the content yourself, right?

As I had no intentions of doing that, though you seem like you might have, I was going based on what was clearly read from the originating site and other “similar” sites along the same vein.

And no, attention to something of this nature leads to the actual truth being revealed, which Valve did in talking to 1up, not hiding it and pretending like it doesn’t happen while user’s private information is at stake. Quite amazing how long it took Valve to actually come forth with some statement, no? I think so, especially after this went very public.

Oh, and for future reference, I applaud you on not actually linking to your source that contains all of this information, however in the future you may want to mention what your source type is instead of making it look like you pulled your information out of thin air.
April 19th, 2007 at 11:06 pm :: Quote
Joe Says:

Protecting the confidentiality of sources that may not wish to be named is a standard journalistic practice, so stop getting all Holier-than-thou about it.
April 19th, 2007 at 11:31 pm :: Quote
Zips Says:

Protecting the confidentiality of sources that may not wish to be named is a standard journalistic practice, so stop getting all Holier-than-thou about it.

I wasn’t asking for specifics. Read next time.
April 20th, 2007 at 12:06 am :: Quote
someone else Says:

He was right about the holier-than-thou part though. Next time you want to rebuke a fellow web-journalist, perhaps doing it privately will make you look less pompous and self-aggrandizing.
April 20th, 2007 at 12:06 am :: Quote
Starblazer Says:

They did not inform us until we pressured them into telling us what happened.

This coming from someone who has paid VALVe for 4 years. (That’s $19,200) to allow my customers to play STEAM and any CS game legally.
April 20th, 2007 at 12:39 am :: Quote
hahnchen Says:

Linking to digg = Pulled out of thin air = Heard off a scouser in a pub

Let’s not even pretend that it isn’t. Although you could have done the *RUMOUR* warning thing which seems to be the de-facto blog standard.

Still it’s all pretty moot now being that Valve has croaked.
April 20th, 2007 at 2:49 am :: Quote
JerRatt Computers Says:

We are a cyber cafe member of valve. I can verify this theft as well as also make some corrections. The account information was stolen many weeks ago, in late March. It wasn’t until Easter that the hacker contacted some of the cafe owners to show them and released the information. Also, Valve has NOT made any attempt to contact the cafe owners affected and continual has been caught with contradicting responses when questioned by us.

Valve chose not to contact those at risk and still has yet to do so. The cafe owners who are a part of igames.org (a popular cyber cafe ownership program) found out about this and we are furious. I contacted Doug at Valve myself and was told “We aren’t required by law to inform you of your information being stolen”.
April 20th, 2007 at 3:47 am :: Quote
Status Quo Says:

Well,

Regardless of the scope and impact of this issue, questions surrounding who’s been informed/not informed and we’re it all goes from here; this exercise has demonstrated one clear and consistent stand out.

Zips, you always were – and remain to be a bullying, abusive fuckwit.
April 20th, 2007 at 4:38 am :: Quote
Krintin Says:

Protecting the confidentiality of sources that may not wish to be named is a standard journalistic practice, so stop getting all Holier-than-thou about it.

Valve to actually come forth with some statement, no? I think so, especially after this went very public.

somthing not quite right…..why did valve choose Darren Gladstone from 1up to go public(if you could count that as going public)…and if the above is correct then they are too gutless to publish it on their own page(if they have they’ve done a good job of hiding it)….somthing would be good in their “STEAM NEWS” section….obvoiusly this isnt steam news….hmmmmm I wonder why?
Mabie the in-game ad’s concept may have sparked some rage with the hacker….it would be good if that was the reason cuz mabie they’d think twice about selling out….goodbye Counter Strike, its been fun.
April 20th, 2007 at 7:40 am :: Quote
valvercheatersandliers Says:

somthing not quite right…..why did valve choose Darren Gladstone from 1up to go public(if you could count that as going public)…and if the above is correct then they are too gutless to publish it on their own page(if they have they’ve done a good job of hiding it)….somthing would be good in their “STEAM NEWS” section….obvoiusly this isnt steam news….hmmmmm I wonder why?
Mabie the in-game ad’s concept may have sparked some rage with the hacker….it would be good if that was the reason cuz mabie they’d think twice about selling out….goodbye Counter Strike, its been fun.

lol yeah your right they are gutless and whats so special about 1UP
The release of “Infernal” on steam seems to be bigger news at the moment.
Would anyone buy it now knowing one of their servers has been hacked?
If Maddoxx has gotten into 1 of them its possable he can get into all of their servers or already has.

He’s obviously got more info and done more than what he says he has but not telling the public so he can just take them up the back without anyone knowing.

9million$, thats probebly just one of their 9 million bank accounts.or just the one dedicated to the bosses weekly pay check

well no more steam for me especially if we’re gonna be getting the ads in the game
April 20th, 2007 at 9:29 am :: Quote
loldudes Says:

I bet they aint going to do shit against this hacker.. he has been around for more then 3 years and pirated all their games so far.. this time he pushed them… valve doesnt even have info on this guy they setup an email to gather information LOL thats just pathetic I mean come on.. I find 1000+ people with the same nickname MaddoxX or Maddox
April 20th, 2007 at 12:05 pm :: Quote
Tom Edwards Says:

nowhere do any of those lists say the scope limitation of “customer’s credit card” information, now does it? No.

It says nothing, which is why we must use a bit of intuition instead. Are you going to argue against my reasoning?

And no, I haven’t downloaded it.

If Maddoxx has gotten into 1 of them its possable he can get into all of their servers or already has.

It doesn’t work like that.

I mean come on.. I find 1000+ people with the same nickname MaddoxX or Maddox

Nor like that.
April 20th, 2007 at 12:23 pm :: Quote
Tom Edwards Says:

Hahahah!
April 20th, 2007 at 2:45 pm :: Quote
nikomo Says:

Sigh, like I didn’t see this coming ages ago, if it’s connected to Internet, it’s not safe.

Also Zips, unban me at steampowered, rawr.
April 23rd, 2007 at 6:37 am :: Quote
george_bush_fr Says:

is there people who thinks that the hacker is “inside” valve corp ?
my idea is : one gained access to the “main pc” from the valve intranet . as steam has a lot of traffic with a huge number of ips : servers and players [ 1 mn stat for steam page_stats ] , same personn from valve hacked emporio website to declare the ccard … , nice try to fool the “police” on the bad road 8] ……..
May 6th, 2007 at 1:38 am :: Quote
Al3xand3r Says:

Dur, even if you don’t know the exact content of the files it is very clear that they were aquired illegally and that the public isn’t meant to have them as they were provided as proof of the hack. Therefor, it was the smart thing to do, not providing a link to places that offer illegal content. On the other hand, it was also the smart thing to do, to inform people of the potential breach. I did the same thing on my site, though I explained myself thinking there may be people like you around Zips:
http://www.mod-hq.com/index.php?page=news&article=370

Also, I later found out they didn’t “pick 1UP” to unveil this, the message was posted on the steampowered forums, I only credited 1UP because it was the right thing to do as I saw it there first.

Sorry for being late to respond to this crap with my view, I love this site, I just don’t have that much time these days.
July 11th, 2008 at 11:41 am :: Quote
Loyst Says:

I have buy game on steam. Is my credit card details stolen. Please pm to my email steam.
February 2nd, 2009 at 7:33 pm :: Quote
Mike Says:

Thanks for the Info. Never looked at my cc
March 20th, 2009 at 5:51 pm :: Quote
Tona Says:

Haha ^^ nice, is there a section to follow the RSS feed