Steam Hacked? (Updated)

No-Steam forum poster MaddoxX claims to have bypassed the security of Valve's digital distribution platform Steam. In a thread entitled "Better read this VALVe! *UPDATE*", the hacker bragged of his exploits, posting a 3.83 MB archive that includes a text file signed by MaddoxX & cIntX, unverified credit card numbers, transaction amounts, Valve's supposed bank balance, and data that reportedly allows the creation of counterfeit cafe certificates. If true, this would permit free access to Valve's Cyber Cafe program, which offers subscribers access to most of the titles available on Steam. Also included in the package was a file named "lolhaxed.jpg", apparently created in MS Paint, featuring a caveman stalking a brontosaurus.

"We also don't want money from VALVe," MaddoxX's message read. "We want a simple message on their site."

Topics relating to the supposed hack were quickly deleted at the official Steam forums. "Please do not re-post that thread. Valve are aware of the issue and are investigating," explained one moderator. "Making threads on the issue will not help."

"As far as I know only the Cyber Cafe owners were hit," the moderator wrote in a later message. "I am not sure though." Cyber Cafe subscribers say they have heard nothing from Valve about a possible security breach.

However, MaddoxX claims to have access to all of Steam's credit card records, as evidenced by his publication of alleged transaction details such as names, credit card numbers, and amounts ranging from $40 and $50 to $860. "I just came accross [sic] the login details when I was browsing some stuff," MaddoxX told The Register. "The access to their whole customer database was more like luck, but still a hack because the login details are inside some files. They changed the logins now and made it not possible anymore to get the details from the files. The [credit card] details itself are stored in a MySQL database where I still have access to."

"Happy Easter hahahahah," MaddoxX taunted after posting the information. "I'm waiting for you VALVe."

Requests to Valve for comment have not yet been returned.

Update: According to The Steam Review, Steam itself was not accessed, but rather a Valve file server. Furthermore, the site explains that only the credit cards of Cyber Cafe subscribers were compromised. "The numbers in danger are all held by cybercafe owners, who have recurring subscriptions to their Steam games and have probably all long been informed," the posting reads. "Consumer data are only stored in enough detail to fight mass fraud, not make purchases, and weren't compromised anyway."

Update 2: "There has been no security breach of Steam," Valve director of marketing Doug Lombardi told 1UP. "The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Cafe program. This Cyber Cafe billing system is not connected to Steam. We are working with law enforcement agencies on this matter, and encourage anyone with more information to e-mail us at"

Chris Faylor was previously a games journalist creating content at Shacknews.

Filed Under
From The Chatty
  • reply
    April 19, 2007 11:57 AM

    So what does this really mean to the average Steam user? Our credit-card info has been compromised?

    • reply
      April 19, 2007 11:59 AM


    • reply
      April 19, 2007 12:01 PM

      No, it seems that only Cyber Cafe servers were hacked. Your CC info is safe.

    • reply
      April 19, 2007 12:17 PM

      They store your cc information? Why?

      • reply
        April 19, 2007 12:57 PM

        internet web 2.0

      • reply
        April 19, 2007 1:54 PM

        I don't know why anybody does. It just creates big red bullseyes on the machines holding them. It almost seems it should be illegal to store that stuff after so many days unless opted-in by the customer.

        • reply
          April 19, 2007 3:47 PM

 keeps cc numbers.

          • reply
            April 19, 2007 3:49 PM

            I don't think they do - they probably store a hash of the information and the last 4 for you to recognize.

            • reply
              April 19, 2007 3:52 PM

              Then how do they charge the CC company?
              They have to send the CC number at some point.

          • reply
            April 19, 2007 4:21 PM

            its similar to the way newegg works.

            You can tell them to save your info for next time or you can manually enter it everytime.

      • reply
        April 19, 2007 2:58 PM

        They don't. Read the update.

    • reply
      April 19, 2007 11:39 PM

      Also, if people are worried that Valve isn't forthcoming with whether you've gotten your CC's stolen (some people seem to think they lie), you can rest assured since a number of states (California, for one) that has laws requiring companies to notify every person who's had their credit card information compromised.

      And I think it's reasonable to assume that even if valve doesn't care about you, they care about not getting the shit sued out of them.

Hello, Meet Lola