Print 82 comment(s) - last by SquidianLoveGo.. on May 3 at 10:00 PM

Screenshots posted by MaddoxX reveal the extent of the breach
Cafe owners are in trouble, and users who made online purchases may be next

Valve's STEAM content distribution system has been the target of no small share of bad press since it was created, with complaints ranging from apathetic customer service to the inability to play legitimately purchased games online. Some users have had their accounts locked, deleted, or hijacked - but a hacker known only as "MaddoxX" has just opened a rather sizeable can of worms.

According to a posting made on an anti-STEAM website, MaddoxX has bypassed Valve's security system and accessed a significant chunk of data, including:
  • Screenshots of internal Valve web pages
  • A portion of Valve's Cafe directory
  • Error logs
  • Credit card information of customers
  • Financial information on Valve
While only the Cafe owners appear to be in immediate danger, MaddoxX claims to "have shell access everywhere," and has posted a list of login details for accounts on the Valve servers.  In addition, Maddox also reveals that private certificates for "People with a little bit of (sic) experience ... create their own 'fake' but working cafe / certificate."

It's not currently known how far-reaching the credit card breach is, but STEAM users who have purchased products online for electronic delivery would do well to keep an eye on their credit card statements for the next while, especially if MaddoxX makes good on a promise to release a "spreadsheet."

STEAM cafe owners worldwide are more than a little upset with the information already leaked. MaddoxX has posted emails received from cafe owners and operators:
Believe me, nobody wants to 'stick it to Valve' more than those currently in the cafe program. We're rubbing pennies together trying to make it from month to month, while Valve is making millions off of us ... All I ask is that you make some effort to edit cafe numerical details from any future release.

Please don't release the CC information, for the sake of the centers who are less informed.
MaddoxX does make one thing quite clear in his electronic manifesto:
If you want me to remove these files you can e-mail me at (address removed) and I prefer you come with something good unless you want me to expose ALL of the customers their information.
It seems that Valve is being held for ransom. If this is true, Valve may be in trouble, as California Senate Bill 1386 requires that credit card holders be informed of any breach of their information, and MaddoxX already knows exactly how much money they have available.

Update 04/19/2007: Doug Lombardi, director of marketing at Valve, contacted DailyTech with the following statement:
There has been no security breach of Steam. The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam. We are working with law enforcement agencies on this matter, and encourage anyone with more information to e-mail us at

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: What to learn from this...
By AnotherGuy on 4/19/2007 12:21:25 PM , Rating: 2
If he was in US hed get caught by feds... ina a mater of a week if not couple of days...
Every access to a server leaves tracks of who accesed it... I dont think there is a way he can clean up all his tracks... Once they find an IP address... thats it ur done.... they contact ISP... ISP gives street address apt number and time when he is usually home :) and then GoodBye life.

RE: What to learn from this...
By emboss on 4/19/2007 1:30:36 PM , Rating: 2
While Valve almost certainly knows the IP address that carried out the attack, it's next to impossible to walk it backwards from there to a physical person unless he is REALLY stupid. He could be bouncing it through any number of open proxies that litter the internet (many of which would be outide the US, and most of which would do no logging of connections at all), be hacking from an internet cafe (might get a picture of him from security camera footage if they act quick enough, but that's all), be using one of the zillions of unsecured wifi APs, or any combination of the above.

While it's not impossible that he was stupid enough to use his home connection, I'd say the odds are highly stacked against anyone trying to find out his real identity.

Gotta love Valve's "If we delete any posts about it on the forums it didn't happen" approach as well :)

“So far we have not seen a single Android device that does not infringe on our patents." -- Microsoft General Counsel Brad Smith

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki