Steam Hacked? (Updated)

No-Steam forum poster MaddoxX claims to have bypassed the security of Valve's digital distribution platform Steam. In a thread entitled "Better read this VALVe! *UPDATE*", the hacker bragged of his exploits, posting a 3.83 MB archive that includes a text file signed by MaddoxX & cIntX, unverified credit card numbers, transaction amounts, Valve's supposed bank balance, and data that reportedly allows the creation of counterfeit cafe certificates. If true, this would permit free access to Valve's Cyber Cafe program, which offers subscribers access to most of the titles available on Steam. Also included in the package was a file named "lolhaxed.jpg", apparently created in MS Paint, featuring a caveman stalking a brontosaurus.

"We also don't want money from VALVe," MaddoxX's message read. "We want a simple message on their site."

Topics relating to the supposed hack were quickly deleted at the official Steam forums. "Please do not re-post that thread. Valve are aware of the issue and are investigating," explained one moderator. "Making threads on the issue will not help."

"As far as I know only the Cyber Cafe owners were hit," the moderator wrote in a later message. "I am not sure though." Cyber Cafe subscribers say they have heard nothing from Valve about a possible security breach.

However, MaddoxX claims to have access to all of Steam's credit card records, as evidenced by his publication of alleged transaction details such as names, credit card numbers, and amounts ranging from $40 and $50 to $860. "I just came accross [sic] the login details when I was browsing some stuff," MaddoxX told The Register. "The access to their whole customer database was more like luck, but still a hack because the login details are inside some files. They changed the logins now and made it not possible anymore to get the details from the files. The [credit card] details itself are stored in a MySQL database where I still have access to."

"Happy Easter hahahahah," MaddoxX taunted after posting the information. "I'm waiting for you VALVe."

Requests to Valve for comment have not yet been returned.

Update: According to The Steam Review, Steam itself was not accessed, but rather a Valve file server. Furthermore, the site explains that only the credit cards of Cyber Cafe subscribers were compromised. "The numbers in danger are all held by cybercafe owners, who have recurring subscriptions to their Steam games and have probably all long been informed," the posting reads. "Consumer data are only stored in enough detail to fight mass fraud, not make purchases, and weren't compromised anyway."

Update 2: "There has been no security breach of Steam," Valve director of marketing Doug Lombardi told 1UP. "The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Cafe program. This Cyber Cafe billing system is not connected to Steam. We are working with law enforcement agencies on this matter, and encourage anyone with more information to e-mail us at Catch_A_Thief@valvesoftware.com."