backtop


Print 82 comment(s) - last by SquidianLoveGo.. on May 3 at 10:00 PM



Screenshots posted by MaddoxX reveal the extent of the breach
Cafe owners are in trouble, and users who made online purchases may be next

Valve's STEAM content distribution system has been the target of no small share of bad press since it was created, with complaints ranging from apathetic customer service to the inability to play legitimately purchased games online. Some users have had their accounts locked, deleted, or hijacked - but a hacker known only as "MaddoxX" has just opened a rather sizeable can of worms.

According to a posting made on an anti-STEAM website, MaddoxX has bypassed Valve's security system and accessed a significant chunk of data, including:
  • Screenshots of internal Valve web pages
  • A portion of Valve's Cafe directory
  • Error logs
  • Credit card information of customers
  • Financial information on Valve
While only the Cafe owners appear to be in immediate danger, MaddoxX claims to "have shell access everywhere," and has posted a list of login details for accounts on the Valve servers.  In addition, Maddox also reveals that private certificates for "People with a little bit of (sic) experience ... create their own 'fake' but working cafe / certificate."

It's not currently known how far-reaching the credit card breach is, but STEAM users who have purchased products online for electronic delivery would do well to keep an eye on their credit card statements for the next while, especially if MaddoxX makes good on a promise to release a "spreadsheet."

STEAM cafe owners worldwide are more than a little upset with the information already leaked. MaddoxX has posted emails received from cafe owners and operators:
Believe me, nobody wants to 'stick it to Valve' more than those currently in the cafe program. We're rubbing pennies together trying to make it from month to month, while Valve is making millions off of us ... All I ask is that you make some effort to edit cafe numerical details from any future release.

Please don't release the CC information, for the sake of the centers who are less informed.
MaddoxX does make one thing quite clear in his electronic manifesto:
If you want me to remove these files you can e-mail me at (address removed) and I prefer you come with something good unless you want me to expose ALL of the customers their information.
It seems that Valve is being held for ransom. If this is true, Valve may be in trouble, as California Senate Bill 1386 requires that credit card holders be informed of any breach of their information, and MaddoxX already knows exactly how much money they have available.

Update 04/19/2007: Doug Lombardi, director of marketing at Valve, contacted DailyTech with the following statement:
There has been no security breach of Steam. The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam. We are working with law enforcement agencies on this matter, and encourage anyone with more information to e-mail us at Catch_A_Thief@valvesoftware.com.


Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: Valve Still have their thumbs up their butts?
By sciss0rz on 4/20/2007 2:05:17 AM , Rating: 2
There won't be a warning to the Steam users since there was no breach. I would assume Cafe owners have been alerted already. Unless Cafe subscribers haven't been alerted, then Valve has screwed up.


By emboss on 4/20/2007 2:22:05 PM , Rating: 3
Cafe owners were not notified (and still have not been directly notified by Valve - the only notification has been a short announcement on the Steam forums). Some have contacted Valve to ask why not, and have been told that they were not notified because Valve were not legally required to do so. This could be interesting given the California bill mentioned above. As is usual with Valve, it's not the initial incident that gets people annoyed, it's how Valve handles it - covering it up, lying, ignoring support requests, etc etc.

What should have happened is a week ago (I'm being kind here - they potentially knew of it as early as late March, but there's only concrete proof of their knowledge going back a week or two) when Valve were contacted about the leak they should have notified the cafe owners (assuming of course that Valve is in fact telling the truth for once and it's only the cafe customers that have been affected). If it became public like it is now, they should have quickly posted an announcement on the Steam website and/or forums saying it was limited to the cafes to avoid panic.

Instead, they don't tell the cafe owners who in the end find out through Anadtech, Digg, etc. The rumor becomes that all Steam purchases are potentially affected, so people post on the Steam forums and lodge support tickets about it. The Steam threads are deleted and the posters banned, and the support tickets go unanswered. It takes over 36 hours until an announcement appears on the Steam forums, and even then it doesn't directly answer many of the questions. Threads pertaining to the issue continue to be deleted and posters continue to be banned. In the meantime, people have (quite validly) prepared for the worst and cancelled cards, notified banks, etc etc.

This is becoming a typical Valve pattern whenever something goes wrong:
1) Say nothing and keep any trace of the issue off the Steam forums.
2) If the issue becomes widely published, post a short statement downplaying the issue or claiming that it doesn't exist.
3) Once overwhelming evidence shows that the statement in step 2 was a complete lie, mumble something in a quick press statement and then never discuss the issue again (and continue to censor the forums as well, of course).

In addition to hiring some people with a clue about security, Valve really need to hire a few people with PR training to stop screwing up like this.


"Spreading the rumors, it's very easy because the people who write about Apple want that story, and you can claim its credible because you spoke to someone at Apple." -- Investment guru Jim Cramer











botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki