Steam Hacked, Credit Card Numbers Taken

Zonk posted more than 7 years ago | from the waiter-check-please dept.

Security 141

An anonymous reader writes "DailyTech reports that Valve's Steam content distribution system has been compromised. According to the article a hacker claims to have 'bypassed Valve's security system and accessed a significant chunk of data, including: screenshots of internal Valve web pages, a portion of Valve's Cafe directory, error logs, credit card information of customers, and financial information on Valve.'"

141 comments

Online game services (3, Funny)

stratjakt (596332) | more than 7 years ago | (#18804631)

WTG.. Next stop, gametap.

Re:Online game services (1)

Jarjarthejedi (996957) | more than 7 years ago | (#18805103)

Times like these make me glad that I rarely pay using a credit card for online things. I bought CS:S from a physical store using physical money and so I'm not at risk at all. Sometimes convenience is less important than security...

Re:Online game services (1)

mctk (840035) | more than 7 years ago | (#18806669)

Meh. They probably had security cameras watching you. I had an illegitimate which I put up for adoption, which I adopted myself under a false name, whom I raised to adolescence which is when I hired him to steal a copy of CS:S from his friend Mikey who also bought CS:S from a store using cash.

Re:Online game services (3, Funny)

CelticWhisper (601755) | more than 7 years ago | (#18807515)

Now THAT's dedication. Did you manually crack the CD-Key algorithm in the garage behind your house a la "A Beautiful Mind?"

Re:Online game services (3, Insightful)

Dachannien (617929) | more than 7 years ago | (#18807297)

Three cheers for virtual credit card numbers.

Re:Online game services (-1, Redundant)

Propaganda13 (312548) | more than 7 years ago | (#18808519)

People complain about using credit cards online, but virtual card numbers and "gift" credit cards limit exposure even more than just the regular policies of the credit card companies.

Re:Online game services (2, Funny)

Anonymous Coward | more than 7 years ago | (#18805811)

I don't know about you guys, but sounds to me like this Hacker found himself a Garbage file - Valve wouldn't have said anything but one of the main Valve admins was planning on sinking 12 virtual oiltankers in the Half-Life fleet using a virus they happened to be storing in that Garbage file - so now they need to catch the kid to find the source, and then silence the Hackers by framing them for the virus!

Jeez, this is like what, a 13 year old dupe? GG editors!

hax0r teh planets (0)

Anonymous Coward | more than 7 years ago | (#18805977)

dude, I hacked the Gibson!

Re:Online game services (3, Funny)

stanmann (602645) | more than 7 years ago | (#18805983)

Dude, the Gibson hacked you.

Figures (5, Funny)

HolyCrapSCOsux (700114) | more than 7 years ago | (#18804635)

This is why I like my valves to be ball, gate, or ECC83 and EL34

Re:Figures (1, Funny)

Anonymous Coward | more than 7 years ago | (#18804871)

Being American, I prefer the good ol' 6L6-GC. And, like the interwebs, they are called "Tubes" not valves.

Re:Figures (1)

Random Destruction (866027) | more than 7 years ago | (#18806001)

They're also called valves. They're electricity valves. It's a pretty common term.

Those that pirated HL2 and other Steam games (1, Troll)

Travoltus (110240) | more than 7 years ago | (#18809343)

and didn't go pay to play it online, are laughing their butts off right now.

Another, eh? (4, Insightful)

EveryNickIsTaken (1054794) | more than 7 years ago | (#18804665)

At what point are sites that take credit cards going to release they need to keep the CC/customer database offline?

Re:Another, eh? (4, Funny)

EveryNickIsTaken (1054794) | more than 7 years ago | (#18804699)

Realize, even. Grammar police, set phasers to stun.

Re:Another, eh? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18806535)

You are exactly what we need here, one more fucking grammar/spelling nazi. Please go crawl under a rock and die. Slowly. Bring friends and family.

Re:Another, eh? (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18807021)

Kindly suck a cock, plz. It's not like he was ripping him up for writing "realise" instead of "realize." He said "release." If you can't deal with that then just jump up your ass and die, fucktard.

Re:Another, eh? (5, Funny)

Anonymous Coward | more than 7 years ago | (#18807797)

You morons! HE WAS CORRECTING HIMSELF!

Go get some sleep and/or stimulant of your choice.

Re:Another, eh? (1)

slyborg (524607) | more than 7 years ago | (#18808291)

AC, stand and be recognized. +1 Funny if I had it for ya.

Re:Another, eh? (2, Insightful)

ichigo 2.0 (900288) | more than 7 years ago | (#18804773)

I'm wondering when they will realize (zap) that they shouldn't be storing CC data at all.

You need to store something for monthly billing. (1)

khasim (1285) | more than 7 years ago | (#18804857)

The issue is that the machine doing the billing must NOT be connected to the Internet.

Yes, I know. Some of the notifications go out over email. So? Dump the necessary email info to a USB stick and WALK that over to a different computer.

Re:You need to store something for monthly billing (5, Informative)

Ford Prefect (8777) | more than 7 years ago | (#18805093)

The issue is that the machine doing the billing must NOT be connected to the Internet.

Who says it was even Valve's machine that was compromised? 1UP.com [1up.com] :

Doug Lombardi, director of marketing at Valve, says, "There has been no security breach of Steam." However, he does confirm our expert's findings by adding, "The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam. We are working with law enforcement agencies on this matter, and encourage anyone with more information to e-mail us at Catch_A_Thief@valvesoftware.com."

Re:You need to store something for monthly billing (1, Informative)

Anonymous Coward | more than 7 years ago | (#18805779)

That's not even needed, really. Put a nice, hardened firewall (ala IPCop) between the computers on a network and let the information be passed out but not in. If that makes sense.

Internet-->Firewall-->Processingserver-->Firewall-->Firewall-->"Billing" Server

The only open INCOMING port on "Billing" is the port that records billing information; the only outgoing port is the one that tells the processing server to send mail to such and such.

Also, use end-to-end encryption!

Re:You need to store something for monthly billing (1)

Falladir (1026636) | more than 7 years ago | (#18808771)

Under the present system, you need the CC numbers for billing, but wouldn't it be better if the consumer instructed the CC company to periodically make a payment to a certain account, rather than the consumer providing the vendor with the information needed to extract money?

There's no reason for vendors and service providers to deal so directly with the CC company.

Re:Another, eh? (2, Insightful)

I'll Provide The War (1045190) | more than 7 years ago | (#18804891)

Isn't this the same company that got their game code stolen because they placed it on a machine connected to the Internet?

Re:Another, eh? (4, Insightful)

Anonymous Coward | more than 7 years ago | (#18805287)

I wonder at what point the Credit Card industry will switch to one-time use authorization codes, instead of giving retailers your account number? There's no good reason any online retailer *ever* needs my credit card number. It would be possible, if VISA/MasterCard/Discover actually gave a crap about this, to have the retailer redirect the user to the credit card processor's website along with some kind of identifier code to identify the retailer (and, behind the scenes, the CC processor would send back a transaction identifier - probably a guid of some sort, which the retailer could store in their records for later reference), and the requested dollar amount of the transaction. Once on the Credit Card processor's site, the user could either enter their CC account info, or maybe use some sort of login or smart-card authentication, to authorize the transaction.

The CC processor could then send back to the retailer the transaction id along with either an authorized or unauthorized code indicator (maybe even a code to indicate why authorization failed - insufficient funds, user declined, stolen card, etc).

This could even extend to subscription purchases. Currently, one of the reasons retailers might store CC info is for recurring subscription charges. When requesting the transaction, the retailer could indicate they would like to do a recurring charge, and in that case, the transaction id they receive could be repeatedly billed (but *only* by them, not by other merchants) until the user canceled that subscription. Currently, every retailer individually manages subscriptions, so if you want to cancel a subscription with, say, an online game (or magazine or anything else), you have to go to their website (or use some interface built into the game's client) to cancel the subscription. Wouldn't it be great to just log into your credit card's website and go cancel a subscription from a list of your current subscriptions? The next time the game, magazine, whatever goes to bill you, they simply receive back an authorization failed code indicating that the user cancelled the subscription, and they cancel the account in their system automatically.

Well, I can hope anyhow. Currently, the CC industry seems to be simply content with the status quo, even if it is pretty stupid. I see no reason why anyone I do business with needs a re-usable account number.

There is, of course, with this proposal still the possibility of someone setting up a phishing attack. Go to their site, get "re-directed to the CC processor's site", which really isn't, and then you end up putting your info in the phisher's database. That could probably be defeated by something similar in concept to Bank of America's SiteKey system, where the site proves to you that *it* is real by showing you something secret, that a phishing site would never know what to show you.
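The flow proposed in the comment above, as an added sketch that is not part of the original post and not any real card network's API: the retailer stores only a processor-issued transaction id that is bound to that retailer, one-time unless marked recurring, and cancellable by the buyer at the processor. All class, method and merchant names are hypothetical, and the card number is a constructed sample value.

```python
import secrets
from dataclasses import dataclass
from enum import Enum


class Code(Enum):
    AUTHORIZED = "authorized"
    NOT_APPROVED = "buyer has not approved"
    USER_DECLINED = "user declined"
    USER_CANCELLED = "user cancelled subscription"
    WRONG_MERCHANT = "id not issued to this merchant"
    ALREADY_USED = "one-time id already used"
    UNKNOWN = "unknown transaction id"


@dataclass
class Grant:
    merchant_id: str
    amount_cents: int
    recurring: bool
    account: str = ""       # card account; stored only on the processor side
    state: str = "pending"  # pending -> active | declined | cancelled
    charges: int = 0


class Processor:
    """Hypothetical processor. merchant_id stands in for an authenticated
    merchant identity (assumption; merchant authentication is not modelled)."""

    def __init__(self):
        self._grants = {}  # transaction id -> Grant
        self.ledger = []   # (merchant_id, account, amount_cents)

    def begin(self, merchant_id, amount_cents, recurring=False):
        txn_id = secrets.token_urlsafe(16)
        self._grants[txn_id] = Grant(merchant_id, amount_cents, recurring)
        return txn_id  # the retailer redirects the buyer here with this id

    def user_decision(self, txn_id, account, approve):
        # The buyer enters the account number on the processor's site only.
        grant = self._grants.get(txn_id)
        if grant is None or grant.state != "pending":
            return Code.UNKNOWN  # also refuses a second decision on one id
        if not approve:
            grant.state = "declined"
            return Code.USER_DECLINED
        grant.account, grant.state = account, "active"
        return self.charge(grant.merchant_id, txn_id)  # first charge

    def charge(self, merchant_id, txn_id):
        grant = self._grants.get(txn_id)
        if grant is None:
            return Code.UNKNOWN
        if not secrets.compare_digest(grant.merchant_id, merchant_id):
            return Code.WRONG_MERCHANT
        if grant.state != "active":
            refusals = {"cancelled": Code.USER_CANCELLED,
                        "declined": Code.USER_DECLINED}
            return refusals.get(grant.state, Code.NOT_APPROVED)
        if not grant.recurring and grant.charges >= 1:
            return Code.ALREADY_USED
        grant.charges += 1
        self.ledger.append((merchant_id, grant.account, grant.amount_cents))
        return Code.AUTHORIZED

    def subscriptions(self, account):
        return [t for t, g in self._grants.items()
                if g.account == account and g.recurring and g.state == "active"]

    def cancel(self, account, txn_id):
        grant = self._grants.get(txn_id)
        if grant and grant.account == account and grant.recurring:
            grant.state = "cancelled"
            return True
        return False


def demo():
    proc = Processor()
    card = "4111111111111111"  # constructed sample value
    once = proc.begin("game-store", 4999)
    sub = proc.begin("game-store", 999, recurring=True)
    out = {"first_once": proc.user_decision(once, card, True),
           "first_sub": proc.user_decision(sub, card, True)}
    merchant_db = {"order_1": once, "subscription_1": sub}  # ids only
    # Someone holding a copy of merchant_db tries to reuse the ids.
    out["replay_once"] = proc.charge("game-store", once)
    out["other_merchant"] = proc.charge("other-shop", sub)
    out["renewal"] = proc.charge("game-store", sub)
    # Buyer cancels from the processor-side list; the next renewal is refused.
    out["listed"] = proc.subscriptions(card) == [sub]
    proc.cancel(card, sub)
    out["after_cancel"] = proc.charge("game-store", sub)
    out["card_in_merchant_db"] = card in merchant_db.values()
    out["charges"] = len(proc.ledger)
    return out


if __name__ == "__main__":
    print(demo())
```

A recurring id remains chargeable under the issuing merchant's identity until the buyer cancels it, so the scheme limits what a copied retailer database is worth rather than removing the need to protect it.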

Re:Another, eh? (3, Interesting)

Sigma 7 (266129) | more than 7 years ago | (#18807705)

I wonder at what point the Credit Card industry will switch to one-time use authorization codes, instead of giving retailers your account number?

Placing an order online is a 3-step process. Select the items you want, enter your billing information, and place the order - and one of these can be skipped by "remembering" the billing information.

The proposed system will make it a 4-step process: Select the items, obtain your billing information, enter your billing information, and place the order - and none of these can really be skipped. It's a matter of personal taste on what you prefer, but most people go for convenience rather than security.

The implementation could easily handle this by having credit card numbers "linked" to a primary account, as there's at least 10 trillion possible combinations for credit cards from a single institution. No information on if it will work in practise, but given that most people aren't good with numbers, it would probably boost CS calls. ...

Re:Another, eh? (1)

vux984 (928602) | more than 7 years ago | (#18808855)

3 step? 4 step? No thank you. I want one-click! Why doesn't someone figure that out and patent it, he could make millions!

Re:Another, eh? (0)

Anonymous Coward | more than 7 years ago | (#18805597)

At what point are sites that take credit cards going to release they need to keep the CC/customer database offline?


You do realise that they surely did?

Sure, it is good policy to keep the db on the LAN only, but if you put the database on a machine that is not connected to any other machine at all, then all transactions would have to be done manually via sneakernet - which is not going to happen, your online business would flop instantly.

There are other much more effective and practical ways to fully secure a database server on the LAN that is accessed by a web server that serves the public internet.

You are familiar with the use of multiple network interface cards on a single machine each connected to a different physical network or different subnets on the same network, right?

Sheesh, an "offline" database - what's the good of that? I already have one of those, it's called a filing cabinet, complete with the latest administrative assistant dictaphone interface.

Credit card information? (5, Interesting)

Reason58 (775044) | more than 7 years ago | (#18804667)

It's interesting that they mention credit card information, as you have to enter your complete billing address and credit card information every single time you make a purchase through Steam. Is this hacker lying, or is Steam collecting and storing credit card information on users for shady reasons?

Re:Credit card information? (1)

BAILOPAN (694545) | more than 7 years ago | (#18804905)

Who knows where the credit card numbers came from, really. There's no evidence that the ones they got were from Steam purchases (I think?). But I wouldn't be surprised anyway. Valve's security is notoriously bad, and they require the last four digits of your credit card number in order to recover lost Steam accounts, so they're at least storing a portion of it.

That said, this hack looked like it was done by a no-steam group, and I honestly have no respect for them. It's fine if you want to run old Valve games without Steam (it's pretty horrible software), but I totally disagree with outright pirating their games. These guys go a step further and brag about it. Our HL community [amxmodx.org] has a very anti-"no steam" policy; you simply won't get support if you're running it.

Re:Credit card information? (1)

megamerican (1073936) | more than 7 years ago | (#18805271)

How could they require the last four digits of a credit card number to recover lost steam accounts when you don't need a CC to use steam? You can activate a new steam account without purchasing something through steam. One only needs a valid CD-Key and e-mail address. I have always been under the impression that Steam wasn't keeping people's CC numbers. I thought they received a receipt of the purchase from the CC company. On a related note, I had to have a steam account's password reset because someone I let use it changed the password and I couldn't get ahold of them. I only had to give them the e-mail address and the password was reset. I don't know how Valve could find someone's lost account. It would leave a lot of people who never used a CC out to dry (it is hard to believe that people lose all the info of their steam account in the first place). I think that either the hacker is lying about the credit card information or this is some sort of hoax.

Re:Credit card information? (3, Interesting)

tlhIngan (30335) | more than 7 years ago | (#18805329)

Who knows where the credit card numbers came from, really. There's no evidence that the ones they got were from Steam purchases (I think?). But I wouldn't be surprised anyway. Valve's security is notoriously bad, and they require the last four digits of your credit card number in order to recover lost Steam accounts, so they're at least storing a portion of it.


Reports are all over the map - Valve's official statement says it's only cybercafe owners who are affected (Valve has their credit card information for billing purposes - looks like Valve licenses their games by the hour). And they claim it's the third party host that's afflicted who manages the cybercafe program, and that steam itself wasn't hacked.

Where the whole story lies, is somewhere in-between.

What I don't get is this:

It seems that VALVe is being held for ransom. If this is true, VALVe may be in trouble, as California Senate Bill 1386 requires that credit card holders be informed of any breach of their information, and MaddoxX already knows exactly how much money they have available.


What does a California bill have to do with a company based in Washington? (Valve was formed out of some people from Microsoft). They may have to alert CA residents, I suppose?

I dont excuse them, but no-steam has a point... (1)

sethstorm (512897) | more than 7 years ago | (#18805887)


That said, this hack looked like it was done by a no-steam group, and I honestly have no respect for them. It's fine if you want to run old Valve games without Steam (it's pretty horrible software)... These guys go a step further and brag about it. Our HL community has a very anti-"no steam" policy; you simply won't get support if you're running it.

By the looks of things, keeping these people in the cold isn't exactly going to help much either. Not every place has a regular connection that runs these games, and is seen as spyware to some - exclusion in the modding community isn't going to help.

The only bad action in this case is this compromise and all the things with it.

Re:I dont excuse them, but no-steam has a point... (1)

BAILOPAN (694545) | more than 7 years ago | (#18807875)

Supporting pirated game copies is a violation of the SDK license Valve gives us. At best, it's simply unprofessional to cater to people who haven't paid for the game and expect equal support on outdated/cracked versions.

Interview with the "HACKER" (2, Informative)

ToasterMonkey (467067) | more than 7 years ago | (#18806897)

The way "hacker" is used in the media and on slashdot always makes me laugh. This "hacker" seems to be affiliated with the Free Nation Foundation group in some way. Maybe the interview is a hoax too, let's face it, you can believe everything or nothing you read on the internet. Either way, I feel there are some very troubled and delusional kids out there that need help getting away from their computers for a while to play baseball or do something constructive. Read the interview, then go to the forums at FNF. Read the bits about the rights to name unclaimed islands they found on google maps, or the fiberglass huts and shipping containers they plan on living in. If this garbage makes it on slashdot, you have to wonder... how many articles read here every day are instigated by lonely, frustrated teens with a blog and a need to feel important?

The source? [fpsbanana.com]
The interview [freenationfoundation.org]
Please, read the forums at freenationfoundation.org so you all get an idea what goes on in these "hacker's" minds.
They really need your help.

-SJ

Re:Credit card information? (1)

nbehary (140745) | more than 7 years ago | (#18807843)

I was wondering about that.....was going to reply to an earlier post that Steam should do like Nintendo does with the VC, you enter everything every time. Then I remembered Steam does do that. It's easy to forget tho.....steam doesn't fail to connect in the middle of a transaction often. It's a good thing, but annoys the hell out of me with the VC sometimes.

(and Steam and the VC are the only online CC purchases i've made in years.....i usually avoid it.)

 

My CC details were "leaked" by Steam (1)

Contact (109819) | more than 7 years ago | (#18809033)

Coincidentally, I'm currently fighting a running battle with Steam support to reclaim a hacked Steam account. After about five messages back and forth, it has finally emerged that the person actually stole my account by "reclaiming" it from Steam, after providing my steam account number, and my credit card details.

I don't have any spyware on this machine - I checked with SpyBot and Ad-Aware. I surf using Opera, I read mail using Eudora, and internet security is part of my job. I am at a loss as to how anyone could have got both my Steam account number and my credit card details by hacking a third party, however, unless that third party was Steam. (Yes, I could be an idiot, riddled with spyware that I have no idea is there.)

Full article (-1, Redundant)

matt me (850665) | more than 7 years ago | (#18804713)

Cafe owners are in trouble, and users who made online purchases may be next

VALVe's STEAM content distribution system has been the target of no small share of bad press since it was created, with complaints ranging from apathetic customer service to the inability to play legitimately purchased games online. Some users have had their accounts locked, deleted, or hijacked - but a hacker known only as "MaddoxX" has just opened a rather sizeable can of worms.

According to a posting made on an anti-STEAM website, MaddoxX has bypassed VALVe's security system and accessed a significant chunk of data, including:

        * Screenshots of internal VALVe web pages
        * A portion of VALVe's Cafe directory
        * Error logs
        * Credit card information of customers
        * Financial information on VALVe

While only the Cafe owners appear to be in immediate danger, MaddoxX claims to "have shell access everywhere" and has posted a list of login details for accounts on the VALVe servers, and private certificates for "People with a little bit (sic) experience ... create their own 'fake' but working cafe / certificate."

It's not currently known how far-reaching the credit card breach is, but STEAM users who have purchased products online for electronic delivery would do well to keep an eye on their credit card statements for the next while, especially if MaddoxX makes good on a promise to release a "spreadsheet."

STEAM cafe owners worldwide are more than a little upset with the information already leaked. MaddoxX has posted emails received from cafe owners and operators:

        Believe me, nobody wants to 'stick it to Valve' more than those currently in the cafe program. We're rubbing pennies together trying to make it from month to month, while Valve is making millions off of us ... All I ask is that you make some effort to edit cafe numerical details from any future release.

        Please don't release the CC information, for the sake of the centers who are less informed.

MaddoxX does make one thing quite clear in his electronic manifesto:

        If you want me to remove these files you can e-mail me at (address removed) and I prefer you come with something good unless you want me to expose ALL of the customers their information.

It seems that VALVe is being held for ransom. If this is true, VALVe may be in trouble, as California Senate Bill 1386 requires that credit card holders be informed of any breach of their information, and MaddoxX already knows exactly how much money they have available.

Full montey (0)

Anonymous Coward | more than 7 years ago | (#18804777)

Economic terrorism coming to a customer near you.

Re:Full article (0)

Anonymous Coward | more than 7 years ago | (#18805805)

We're rubbing pennies together trying to make it from month to month

At first glance I read "rubbing penises together". Must reduce pr0n intake.

This is major news. (3, Interesting)

imbaczek (690596) | more than 7 years ago | (#18804723)

How is this not worthy of showing the whole summary is beyond me.

Oh and I sincerely hope that this kid gets his share of gulag.

Re:This is major news. (2, Interesting)

Opportunist (166417) | more than 7 years ago | (#18805273)

If he sits there with the dimwit who thought it's a bright idea to store CC info on a publicly accessible server, fine with me.

Awesome! (1)

MrP- (45616) | more than 7 years ago | (#18804741)

Just as I reinstalled Steam like 2 weeks ago after not using it for a year+

Check your credit cards (3, Informative)

Cerberus7 (66071) | more than 7 years ago | (#18804755)

I got a call today from Discover that the card I used to purchase some Steam games was used in several stores in the last two days, racking up over $1500 in charges. I've been trying to figure out how they got my number, and this seems a possible candidate. If you're a Steam customer, beware!

Re:Check your credit cards (0)

Anonymous Coward | more than 7 years ago | (#18805043)

Yeah, I just called Discover and had my account number changed. :-(. Fortunately there were no suspicious charges. The account rep mentioned that Discover had no idea about the breach, and was going to pass the info up. I guess it just takes a while for information to travel through channels.

Re:Check your credit cards (1)

casings (257363) | more than 7 years ago | (#18805051)

the hacker claims not to be doing this to gain access to credit card information, but rather to bring valve into bad light.

at least that's what he says here: http://emp.damage-web.net/viewtopic.php?p=62590 [damage-web.net]

Re:Check your credit cards (2, Insightful)

statusbar (314703) | more than 7 years ago | (#18805147)

And how do we know that he is the one and only who did hack it? Or is it just someone who said he did?

--jeffk++

Re:Check your credit cards (1)

casings (257363) | more than 7 years ago | (#18805193)

he's the one taking responsibility for it, as well as providing the proof. Who can be certain? I was just referring to direct quotes from the guy.

Wii points? (1)

lpangelrob (714473) | more than 7 years ago | (#18804757)

So is it because of risks like this that people have to purchase "Wii Points" cards at other retailers? (Important note: I don't have a Wii yet, so I'm not sure of the technical details of how Wii Points work.)

Re:Wii points? (0)

Anonymous Coward | more than 7 years ago | (#18804875)

You can purchase Wii Points online via the Wii itself. It's basically just a Wii gift card. It's handy for young people that might not have credit cards, but do have cash.

Re:Wii points? (1)

Ahnteis (746045) | more than 7 years ago | (#18805791)

No. Wii points can be purchased online with the Wii itself. Wii points (and xbox live points, etc) are just a way of guaranteeing that you will spend a minimum of X dollars at a certain store, AND that you will want to buy MORE points to use up the "left over" points you likely have.

Re:Wii points? (1)

grumbel (592662) | more than 7 years ago | (#18805979)

### So is it because of risks like this that people have to purchase "Wii Points" cards at other retailers?

I think the main reasons for "Wii Points" and similar systems are that one can do micro payment that way easily and that in some countries credit cards aren't very widespread, especially when it comes to younger audiences, so using only credit cards would lock a lot of users out of the system. Then there is of course the evil reason: You can spend your "Wii Points"-money on XBoxLive, while you could do so with real money.

Re:Wii points? (3, Informative)

VertigoAce (257771) | more than 7 years ago | (#18806789)

I think there are two main motivations for the point systems. The first is that credit card companies have a per transaction fee that is around $0.25 - $0.35. This is really significant when you want to have multiple transactions around $1 - $2 each. By having you purchase points in increments of at least $5, they only pay the transaction fee once for a series of transactions. Apple does something similar with iTunes: they collect somewhere between one and three days worth of purchases and submit them together as a single transaction, hoping you buy more than just a single $0.99 track (I've never used iTunes, so this is a summary of what I've read about its behavior).

The other reason for the points system is to be able to set a single global price for content. I can post a piece of content for 800 points and tell people about that without having to convert it to a whole bunch of other currencies. Microsoft then sells points at some constant exchange rate for each country. This keeps content prices from fluctuating everywhere outside the US (compared to making the content $10 USD and having the exchange rate vary).

Steam support is vapid (4, Interesting)

spyrochaete (707033) | more than 7 years ago | (#18804761)

Steam is handling this situation extremely poorly in my books. I emailed Steam Support about 18 hours ago, again 6 hours ago, and have received no reply. I've spent about $200 over Steam and until now have received excellent service. Now I'm royally pissed off.

Here is my first email to Steam:

I read a distressing article today claiming that Steam's databases were broken into and credit card information was stolen:
http://emp.damage-web.net/viewtopic.php?p=62590 [damage-web.net]

Is this true? Do I need to cancel my credit card? Please advise ASAP!


And here is my second one, posted this morning:

Do I really need to tell you that this urgent question is time-sensitive?

http://digg.com/gaming_news/Valve_Hacked_Your_Info_may_be_at_risk [digg.com]

As you can see this issue, rumour or otherwise, is public knowledge and widespread. Valve's lack of a statement on this is very conspicuous. Please confirm or deny this story so that I can rest at ease.


I'm not panicking and I'm not about to cancel my credit card, but I'm furious that Valve will not at least advise me whether or not I should do so. If they don't contact me by midnight I'll never buy through their service again. Furthermore, I'll probably join in on any class action lawsuit.

Re:Steam support is vapid (4, Insightful)

shaitand (626655) | more than 7 years ago | (#18805211)

You aren't canceling your card? Let's see, is that the same user id you use for valve? *searches for that id in his printout*

Re:Steam support is vapid (1)

spyrochaete (707033) | more than 7 years ago | (#18805259)

Different login name, and I've been checking my CC online invoice often since hearing of this incident. Plus my bank put my card on hold when I bought a CD and then made a charitable donation online in rapid succession, until they called me 30 minutes later to verify I had made those purchases. I have faith in my bank.

If you are emailing Steam support.. (2, Insightful)

RealityThreek (534082) | more than 7 years ago | (#18807225)

... don't you think everyone else is too? Is it really all that surprising that they are backlogged?

Re:If you are emailing Steam support.. (1)

spyrochaete (707033) | more than 7 years ago | (#18807575)

That's what public statements are for. Regardless, the least they could have done was reply saying "We are currently investigating and will get back to you."

Re:If you are emailing Steam support.. (0)

Anonymous Coward | more than 7 years ago | (#18809051)

You mean like the one Valve had, saying there was no breach of CC numbers?

Re:Steam support is vapid (1)

Omeger (939765) | more than 7 years ago | (#18809035)

You should only worry if you're a person who has a Cyber Cafe, because those are the numbers that were lost and they were already informed of this.

It's an unconfirmed claim you Irish fools (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#18804819)

"B-b-b-but the source is a pseudonymous hacker with an axe to grind! Why would he lie?"

*head explodes*

Re:It's an unconfirmed claim you Irish fools (0)

Alphager (957739) | more than 7 years ago | (#18804897)

"B-b-b-but the source is a pseudonymous hacker with an axe to grind! Why would he lie?"

*head explodes*

The source is a pseudonymous hacker with an axe to grind who released Account-data, certificates and several internal listings. Of course, he could have faked those listings, but they seem extremely accurate.

Re:It's an unconfirmed claim you Irish fools (5, Informative)

caramelcarrot (778148) | more than 7 years ago | (#18805081)

http://forums.steampowered.com/forums/showthread.php?t=554840 [steampowered.com]

"There has been no security breach of Steam." However, he does confirm our expert's findings by adding, "The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam. We are working with law enforcement agencies on this matter, and encourage anyone with more information to e-mail us at Catch_A_Thief@valvesoftware.com."

Like Coder, Like Game (0, Troll)

DrRevotron (994894) | more than 7 years ago | (#18804923)

Counter-Strike, IMO, is known for rampant hacking and cheating... if they can't keep up security for their own games, why would we expect otherwise of their business practices?

Re:Like Coder, Like Game (1)

caramelcarrot (778148) | more than 7 years ago | (#18805113)

Fully securing a game is very hard without DRM built in to the hardware or moving all the computation to the server side (expensive). It's unfair to compare client security (impossible) with server security (possible)

Re:Like Coder, Like Game (1)

DrRevotron (994894) | more than 7 years ago | (#18808675)

Oh, come on. TROLL? I've seen comments like "FUCK DA POLICE!" get modded higher than that one! Metamods, step it up.

overdrawn, lol. (3, Funny)

iPodUser (879598) | more than 7 years ago | (#18805105)

My account that I used to buy the game is overdrawn, the joke's on him!

(That and I just switched banks so the account will be inactive in a matter of days)

Call me old-fashioned... (1, Offtopic)

313373_bot (766001) | more than 7 years ago | (#18805125)

...but I never liked the concept behind "Steam", "X-Box Live", or any other "service" you have to subscribe (i.e., submit your credit card information and pay over and over) in order to enjoy the games (or any other software) you have already purchased.

Re:Call me old-fashioned... (1)

the linux geek (799780) | more than 7 years ago | (#18805257)

You realize Steam is free, right?

Re:Call me old-fashioned... (0)

Anonymous Coward | more than 7 years ago | (#18805405)

> You realize Steam is free, right?

How so?

The game he purchased isn't free as in beer.
Steam, being the DRM technology that encumbers the game, sure as hell ain't free as in speech either.

Why is it suddenly cool for Valve to do with Steam, what Microsoft is doing with WGA?

Re:Call me old-fashioned... (1)

hansamurai (907719) | more than 7 years ago | (#18805803)

Because Steam has relatively unobtrusive DRM, compared to WGA which regularly accuses you of pirating Windows. But DRM is DRM, so I understand your point.

Re:Call me old-fashioned... (1)

heinousjay (683506) | more than 7 years ago | (#18808631)

Steam is free as in you don't pay for it. That's how so.

Re:Call me old-fashioned... (1)

MrP- (45616) | more than 7 years ago | (#18805345)

Steam isn't like xbox live.. Steam is just a way to buy games. You purchase your game through the store inside the software, then it downloads it and lets you play it.

You can easily reinstall Steam at a later date, sign in, and download the same games again (without paying again).

Re:Call me old-fashioned... (1)

313373_bot (766001) | more than 7 years ago | (#18805911)

Thanks for the information, I wasn't aware that there isn't a monthly fee. Nevertheless they are keeping some information then, at least to (re-)activate the games, and perhaps to sell you additional stuff. Do you have to log on the service each time you want to play, or just to reinstall? In any case, as another poster said, it feels a lot like WGA.

Re:Call me old-fashioned... (1)

Ahnteis (746045) | more than 7 years ago | (#18805989)

There's an offline mode I believe, but generally you just stay logged in to the service and play your games. I much prefer it to dealing with swapping CD/DVDs every time I want to play, and I don't have to deal with things like Starforce, or hacked .exe files from people I have no reason to trust.

Re:Call me old-fashioned... (1)

Ahnteis (746045) | more than 7 years ago | (#18805947)

There are no subscriptions that I'm aware of on Steam currently. You pay once, download as many times as needed.
(Unless you want a new game, then you have to pay a whole new price!)

Here's the full *original* screenshot (4, Informative)

TubeSteak (669689) | more than 7 years ago | (#18805269)

http://i17.tinypic.com/2e0irza.jpg [tinypic.com]

The pic in TFA only shows the left half of the picture.

Re:Here's the full *original* screenshot (1)

cgenman (325138) | more than 7 years ago | (#18806075)

Valve has "a stunning" 9 million dollars in the bank? Stunning? That's surprisingly low for a company that has made two of the most successful (or at least hyped) games of all time. That's probably about 1 year of operating capital for them.

This hacker isn't earning himself much respect.

Remember, he's at:

Maddoxx@no-steam.org

All I can say is (1)

Lord Kano (13027) | more than 7 years ago | (#18805363)

pwn3d

I have always had serious issues with giving my credit card number to any high profile service like Steam primarily because I don't like "virtual" purchases, I like to have physical tangible objects in return for my money but this is just another reason for me.

LK

Re:All I can say is (0)

Anonymous Coward | more than 7 years ago | (#18807349)

> I have always had serious issues with giving my credit card number to any high profile service like Steam primarily because I don't like "virtual" purchases, I like to have physical tangible objects in return for my money but this is just another reason for me.

So does this mean you avoid e-tickets or sending out flash greeting cards?

Re:All I can say is (0, Offtopic)

Lord Kano (13027) | more than 7 years ago | (#18807481)

> So does this mean you avoid e-tickets or sending out flash greeting cards?

I have sent flash greeting cards, free ones. I have never bought an e-ticket.

LK

Another day in CC paradise (1)

Opportunist (166417) | more than 7 years ago | (#18805407)

Yes, I know, the CC companies will prolly cover it. But why is this necessary?

I see that the companies need the CC info for billing. That's ok. Why, though, does this info have to reside on a server that is accessible through the 'net? Of course, you have to register online. Ok. How about transferring that data once a day to a server which is usually NOT accessible from anything connected through the net save those 5 minutes the transfer takes, and only from the machine that has to dump the info? Banks use a similar system to access their vaults, where you need the combination and have to be there at a very specific time.

The only info the server really needs is whether the payment went ok or whether the card is overdrawn. This, too, can be updated once a day. The user doesn't need to see his CC info. He knows it. If anything, he needs to see a few parts of the card info to verify which card he used.

So the question stands, why is this possible at all?

Re:Another day in CC paradise (1)

Detritus (11846) | more than 7 years ago | (#18805913)

You don't have to fall back to off-line batch processing. Another approach is to install an intermediate system that only allows the passage of messages in very limited and strictly defined formats. Anything else gets logged, discarded and triggers an alarm.
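
An added sketch of the intermediate system described in the comment above (not code from the thread or from Valve): a gateway that forwards only messages matching one fixed format and logs, drops and counts everything else. The `CHARGE|...` line format, the field patterns and all names are assumptions made for the example.

```python
import logging
import re

log = logging.getLogger("cc-gateway")

# Constructed message format for this example: one line, exactly four fields.
#   CHARGE|<order id>|<amount in cents>|<card token>
FIELDS = (
    re.compile(r"CHARGE"),
    re.compile(r"[A-Z0-9]{8}"),
    re.compile(r"[1-9][0-9]{0,6}"),
    re.compile(r"[A-Za-z0-9_-]{32}"),
)
MAX_LEN = 64  # longest valid message is 56 bytes

class Gateway:
    """Sits between the web tier and the billing host; passes only valid messages."""

    def __init__(self, forward):
        self.forward = forward  # callable that delivers to the inner billing host
        self.alarms = 0         # count of rejected messages, for alerting

    def handle(self, raw: bytes) -> bool:
        reason = self._reject_reason(raw)
        if reason is None:
            self.forward(raw)
            return True
        self.alarms += 1
        log.warning("dropped message (%s): %r", reason, raw[:MAX_LEN])
        return False

    @staticmethod
    def _reject_reason(raw: bytes):
        if len(raw) > MAX_LEN:
            return "too long"
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            return "non-ASCII bytes"
        parts = text.split("|")
        if len(parts) != len(FIELDS):
            return "wrong field count"
        for pattern, value in zip(FIELDS, parts):
            # fullmatch: a trailing newline or appended data fails the field
            if not pattern.fullmatch(value):
                return "bad field"
        return None
```

The check is an allow-list: a message is forwarded only if every field matches its pattern in full, so anything the format does not describe is rejected by default.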

Yet another reason... (1)

anlprb (130123) | more than 7 years ago | (#18805437)

You should not run your corporate networks over people's private computers. You are giving them the door and the location, it is a matter of time before they have the key. There is a reason that the telephone poles are on the public right of way. It makes it a crime to tamper with it. Once you put something on my land without a legal easement, it is mine to do with as I please. Even with a legal easement, I can still cause damage, I may just have to pay for it. You still lost service. Note to load "sharing" companies, stay off computers you don't have control over, you are just asking for trouble.

Domestic Terrorism? (1)

malevolentjelly (1057140) | more than 7 years ago | (#18805531)

I would be really worried if I were that kid. If he's in any country with an extradition treaty, I'm pretty sure he'll get nailed by the authorities. Our post 9/11-government is pretty sensitive to electronic criminals like this.

I know being a l33t h4x0r is all about bragging about your crap, but honestly-- even claiming to have done this is very dangerous if you're not in the third world.

Why do online sites need to store CC#s at all? (3, Interesting)

illegalcortex (1007791) | more than 7 years ago | (#18805867)

Some people have said that this may be inaccurate since Steam requires that you enter a CC# at every purchase. In any case, I have to wonder why we don't have better technology than just storing CC#s. For purchases that happen instantaneously online, this would seem to be avoidable.
  1. You enter your CC# on a company's website
  2. Company sends CC# to credit card validation service
  3. On successful transaction, the CC company uses its private key to encrypt a small message containing the cardholder's name, address and CC# along with the billing company's name and address or other account info. It then sends that encrypted result back to the billing company. The billing company throws away the credit card number (except maybe the last four digits for easy identification purposes) and stores only this encrypted form.
  4. Later, when the billing company wants to charge the customer again, it sends that encrypted form to the CC company instead.
  5. The CC company accepts it and decrypts it using the private key, thus allowing payment only to the billing company listed in the file

Any obvious glaring errors? Any idea if this has already been proposed and shot down in the past? The data is never going to be truly secure. Someone is always going to get hacked. So it seems this might be a good way to minimize the amount of valuables lying around.
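
The five steps in the comment above, as an added example that is not part of the original post. It swaps the encrypted blob for a random token plus a vault kept by the processor (Python's standard library has no authenticated cipher); the property shown is the same, a stored value that only works for the merchant it was issued to. The `Processor` class, merchant names and amounts are hypothetical, and the card number is the well-known Luhn-valid test number.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn checksum that payment card numbers carry."""
    if not (pan.isascii() and pan.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class Processor:
    """Hypothetical card processor: the only party that keeps full card numbers."""

    def __init__(self):
        self._vault = {}    # token -> (card number, merchant the token was issued to)
        self.ledger = []    # (merchant, last four digits, amount in cents)

    def authorize(self, merchant: str, pan: str, cents: int) -> str:
        """Steps 2-3: charge the card, hand back a merchant-bound token."""
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        token = secrets.token_urlsafe(24)
        self._vault[token] = (pan, merchant)
        self.ledger.append((merchant, pan[-4:], cents))
        return token

    def charge_token(self, merchant: str, token: str, cents: int) -> bool:
        """Steps 4-5: refused unless the caller is the token's merchant."""
        pan, owner = self._vault.get(token, (None, None))
        if pan is None or owner != merchant:
            return False
        self.ledger.append((merchant, pan[-4:], cents))
        return True

def merchant_checkout(processor: Processor, merchant: str, pan: str, cents: int) -> dict:
    """What the merchant stores after step 3: last four digits and the token only."""
    token = processor.authorize(merchant, pan, cents)
    return {"last4": pan[-4:], "token": token}

def demo():
    p = Processor()
    record = merchant_checkout(p, "game-store", "4111111111111111", 1999)  # test number
    repeat = p.charge_token("game-store", record["token"], 999)
    stolen = p.charge_token("thief-shop", record["token"], 50000)
    return record, repeat, stolen, p.ledger
```

In this model a copied merchant database yields tokens that are refused for any other merchant name; charges submitted under the issuing merchant's own name are still accepted.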

Re:Why do online sites need to store CC#s at all? (1)

spyrochaete (707033) | more than 7 years ago | (#18806775)

If the company providing the goods or service to the end user gets broken into, wouldn't it be possible for the malicious party to charge huge fees to the victims' authenticated credit cards using valid private keys?

Re:Why do online sites need to store CC#s at all? (0)

Anonymous Coward | more than 7 years ago | (#18806795)

That's (more or less) the way it's supposed to be done. Where I work we only store the full name, address, last four digits and the expiration date in the DB. The rest gets tossed into the bit bucket when the CC processor authorizes the charge.

What about the little guys? (1)

Vacardo (1048640) | more than 7 years ago | (#18806073)

All I've ever bought over Steam is Garry's Mod - is how much money you spend a factor or will I slip under the radar?

Funny, never thought I'd be worried about my uber-secure Steam which will NEVER let pirated games be permitted but will turn a blind eye to a serious compromise... bad customer service IMHO.

1337 (3, Funny)

kbox (980541) | more than 7 years ago | (#18806159)

The 'hacker' uses windows and IE... As if being a scummy thief wasn't bad enough.

Good (1)

Trogre (513942) | more than 7 years ago | (#18806857)

Well, not good for the people who had their credit card numbers taken, but the sooner these web-based DRM schemes are exposed and discredited the better. Valve made a *big* mistake by making HL2 require an open connection to Steam before letting you play. Sure, they've tacked on a bit of content delivery but that's not its main purpose.

Re:Good (1)

Broken scope (973885) | more than 7 years ago | (#18807819)

Actually you only need it on their once. Offline mode has been working rather well for a while now.

Re:Good (1)

Broken scope (973885) | more than 7 years ago | (#18807839)

FUCK I used their wrong. That should be there.

Re:Good (0)

Anonymous Coward | more than 7 years ago | (#18808643)

> Offline mode has been working rather well for a while now.

mmm nope, still takes a while to load compared to cracked half life 2.

Typical /. sensationalism... (1)

Jarn_Firebrand (845277) | more than 7 years ago | (#18806941)

It's not Steam that was hacked, but a "third-party site that Valve uses" to manage "Cyber Cafe".

Use Shopsafe to avoid this problem (0)

Anonymous Coward | more than 7 years ago | (#18807677)

There is an easy way to avoid this. Get a credit card that has Shopsafe. This is a method where you can create your own credit card number on their web site and it is linked to your credit card. When you create a new credit card you can give a limit on the card and an expiration date. The credit card is only good at one vendor. This way even if a site gets hacked, the credit card information they get is useless. I know of two banks that have it: MBNA and Bank of America.

Turns out... (1)

PixelScuba (686633) | more than 7 years ago | (#18807803)

The password was gaben.

Hummm (1)

A_Non_Moose (413034) | more than 7 years ago | (#18808361)

Is Gabe using Outlook, again? Shame, shame, shame, figured he'd learn the first time.

I guess HL3 will be delayed again because of hackers. Damn those hackers!

Makes you wonder if Valve has a S.T.A.L.K.E.R.

Looks like the "hacker" is full of crap (2, Informative)

Talgrath (1061686) | more than 7 years ago | (#18808843)

He hacked into a website, but it wasn't Steam itself but a third party site (the article linked itself has this correction at the bottom); at least that's the official line from Valve.