Old 18th April 2007, 16:29   #1
Get Some Posting Skillz!
 
Join Date: Jul 2006
Posts: 410
VALVE customer info compromised?

Most of you know I am loath to use the word "hacker" to describe someone who criminally circumvents network security for malevolent reasons... and maybe to justify my own nefarious deeds performed during the foolishness of my teenage years... but anyway... interesting forum post by a Russian script kiddie claiming to have gained root on some of VALVE's boxes and stolen customer CC info and corporate financial info.

I can't seem to find any news item on it outside of digg.com, and any inquiries to VALVE seem to direct customers to page. Does anyone else know anything?? I'm curious to find out more details.
shred_dog is offline   Reply With Quote
Old 18th April 2007, 17:26   #2
Hmmm
Fileplay Subscriber!
 
 
Join Date: Aug 2002
Location: Wolverhampton
Posts: 503

It seems to be true, but supposedly it's only the Cyber Cafe part that was compromised...

Quote:
Originally Posted by Some News Site
VALVe's security was recently shown for what it really is; non-existent. A hacker known as MaddoxX recently infiltrated
VALVe's web servers, exposing, what should be confidential information, to the public. The hacker managed to gain root
access to the server, meaning they could view anything they wanted (Including Customer Credit Card details, and even
VALVe's current assets). The hacker then ripped the site and created a "Release"
in an attempt to grab VALVe's attention (Who are renowned for poor security). Included in the release are all CAS/CAC
files (Including certificates), proving once again that their Cafe program is not as secure as they thought.
Valve has yet to fix the exploit the hacker used, and has not yet even replied to him. It has also failed to
reveal to its customers that this event even occurred, even though their private details have been exposed. Please
help us to inform the public and VALVe customers of this important news.
Quote:
Originally Posted by Steam Forum Moderator
Actually mate....as far as I know only the Cyber Cafe owners were hit.
I am not sure though...but there is no need to panic at this time.
So we will have to wait and see if they release an official statement
__________________
Dunceantix

LANs Attended: Too many
Dunceantix is offline   Reply With Quote
Old 19th April 2007, 10:11   #3
Cheezemode
 
Join Date: Apr 2007
Posts: 104

Yeah I was on a public yesterday and some chap was on claiming that it was true, and that he'd talked to the hacker himself.

Of course he can claim all he wants, but it is indeed interesting that a kid may have compromised some of Valve's security measures?
__________________
i30
Fooicus is offline   Reply With Quote
Old 19th April 2007, 11:41   #4
Benji
 
Join Date: Feb 2006
Location: London
Posts: 1,703

We have been getting claims from our Public Servers too lol, This is just the time for the kids to come out and play. I will wait for a reply from the VALVE Staff.
__________________
A Sea Cadet all the way!
Karsh is offline   Reply With Quote
Old 19th April 2007, 17:44   #5
old guy, made today work.
 
 
Join Date: Jan 2000
Location: Ibiza. Spain
Posts: 2,423

Hmm, as one of the cyber cafes affected I can give you some inside info on this. Yesterday morning one of our members (igames usa) discovered the hacker's webpage.. he in turn posted it on the cafe owners forums..

At first he believed it was a hoax, I looked and unfortunately it wasn't.

I then cancelled my credit card and in turn informed other owners who in turn informed other owners and within a couple of hours every man and his dog who ran a cyber cafe knew about it.

Now here is where it gets juicy, the hacker posted the info on the 8th of April, yet the details of the Credit cards says 12th of March, digging deeper on the hacker's website revealed the hack may have taken place as far back as January and continued since then, although the hacker admits by March Valve were "onto" him.

The thing that is really setting the owners alight is this, Valve didn't tell anyone, even though they knew owners' personal details and credit card details are freely available on the internet, and kept it quiet for a minimum of 10 days if not, 3 months.

The reason Valve gave us is that because of working with the police they were unable to tell people, however Californian law requires that the company on immediate suspicion of a hack MUST inform their clients.

The hacker goes on to claim that he doesn't just have Cyber cafe owner details but ALL Valve user details, but unless he provides proof, it's just rumour.

Still, right now a heated debate is going on and for the moment it's rather heated, I would expect though that it's only a matter of time before one of the American cafes who have been exposed realise that there is a lot of money to be made by suing Valve for breaching the Californian law.

I'll let you know how this pans out but from the owners' perspective, Valve have really behaved appallingly..

Edit:
One of our members just got off the phone with Doug Valentine a second ago, a press statement will be issued later today.

Last edited by zhardoum; 19th April 2007 at 18:01.
zhardoum is offline   Reply With Quote
Old 19th April 2007, 20:36   #6
Benji
 
Join Date: Feb 2006
Location: London
Posts: 1,703

It is good to hear a point of view from someone who has experienced this issue, Of course when we got a problem like this so many different formats get posted. From the looks of it, it is a major issue as personal information such as full credit card information and addresses got access to by this "hacker". It does need addressing and also vast measures need to be implemented as soon as possible. Hopefully people's lives will not be affected by this, If not then I am happy as in my point of view that is the most important aspect of this.
__________________
A Sea Cadet all the way!

Last edited by Karsh; 19th April 2007 at 20:54.
Karsh is offline   Reply With Quote
Old 19th April 2007, 21:55   #7
Hmmm
Fileplay Subscriber!
 
 
Join Date: Aug 2002
Location: Wolverhampton
Posts: 503

This is why companies should NOT be storing card information on their systems... Just like TK Maxx shouldn't have done so...

A large number of companies' systems are just not foolproof enough to contain this sort of information and to protect themselves they shouldn't store it...
Most companies pass the information onto the merchant they use to process the transaction which is done and then no details of card numbers are kept by the company. This is how they should all ideally operate...

*sigh*
__________________
Dunceantix

LANs Attended: Too many
Dunceantix is offline   Reply With Quote
Old 20th April 2007, 07:50   #8
Retired
 
 
Join Date: Mar 2000
Location: The Aether
Posts: 11,744

Quote:
Originally Posted by Dunceantix View Post
This is why companies should NOT be storing card information on their systems... Just like TK Maxx shouldn't have done so...
Problem is, if they want to offer multiple services through repeat billing, or have some independence from payment service merchants, they can't do this.

The whole credit card system is ridiculously flawed and desperately needs bringing into the 20th century. Or preferably, 21st.
Afty is offline   Reply With Quote
Old 20th April 2007, 08:40   #9
Hmmm
Fileplay Subscriber!
 
 
Join Date: Aug 2002
Location: Wolverhampton
Posts: 503

Quote:
Originally Posted by afty View Post
Problem is, if they want to offer multiple services through repeat billing, or have some independence from payment service merchants, they can't do this.

The whole credit card system is ridiculously flawed and desperately needs bringing into the 20th century. Or preferably, 21st.
I would rather have to enter my card details again than have the risk of them being stolen. If Multiplay can do it, and continue to charge your card each month by referring to the last transaction why can't other companies..

But yes I agree, the whole system needs a proper overhaul...
__________________
Dunceantix

LANs Attended: Too many
Dunceantix is offline   Reply With Quote
Old 20th April 2007, 08:47   #10
"You IDIOT you're using FireFox!"
 
 
Join Date: Oct 2002
Location: /home/limited/
Posts: 2,761

Quote:
Originally Posted by shred_dog View Post
I can't seem to find any news item on it outside of digg.com
El Reg had something about it...

http://www.theregister.co.uk/2007/04...ve_steam_hack/
Limi is offline   Reply With Quote
Old 20th April 2007, 09:03   #11
Engineer of Fields
 
 
Join Date: Dec 1999
Location: /home/zenith
Posts: 4,546

Quote:
Originally Posted by Dunceantix View Post
This is why companies should NOT be storing card information on their systems... Just like TK Maxx shouldn't have done so...

A large number of companies' systems are just not foolproof enough to contain this sort of information and to protect themselves they shouldn't store it...
Most companies pass the information onto the merchant they use to process the transaction which is done and then no details of card numbers are kept by the company. This is how they should all ideally operate...

*sigh*
Since TK Maxx is one of the store chains that I support, I have a different perspective. If the company is larger than a certain size then they conduct their own credit banking directly with the card companies and not through a bank's merchant services. A company like that has to have an audit trail of their credit transactions for a period of time (I don't know how long) so they are required to hold onto credit card info.

That said, I'd be surprised if there were British card transactions in the 47 million as all the data is warehoused at their head office in Watford.
__________________
"Always use words that are sweet and subtle.
You might be eating them tomorrow"
Zenith is offline   Reply With Quote
Old 20th April 2007, 10:30   #12
Hmmm
Fileplay Subscriber!
 
 
Join Date: Aug 2002
Location: Wolverhampton
Posts: 503

Quote:
Originally Posted by Zenith View Post
Since TK Maxx is one of the store chains that I support, I have a different perspective. If the company is larger than a certain size then they conduct their own credit banking directly with the card companies and not through a bank's merchant services. A company like that has to have an audit trail of their credit transactions for a period of time (I don't know how long) so they are required to hold onto credit card info.

That said, I'd be surprised if there were British card transactions in the 47 million as all the data is warehoused at their head office in Watford.
I see your point... but still this and the hack into TK Maxx's systems shows that there should be a better system for storing this sort of data, because it certainly seems just storing it in your own database is not secure enough...
__________________
Dunceantix

LANs Attended: Too many
Dunceantix is offline   Reply With Quote
Old 20th April 2007, 11:03   #13
CS:S/L4D Lead
Fileplay Subscriber!
 
 
Join Date: Feb 2002
Posts: 241

Quote:
Originally Posted by http://www.hardocp.com/
Steam “Hacked” Update

Shacknews has an update to the story about Valve “getting hacked” almost two weeks ago. I know people are trying to make this sound like it just happened but, other than this update from Shacknews, this is weeks old and your account info is safe.

According to The Steam Review, Steam itself was not accessed, but rather a Valve file server. Furthermore, the site explains that only the credit cards of Cyber Cafe subscribers were compromised. "The numbers in danger are all held by cybercafe owners, who have recurring subscriptions to their Steam games and have probably all long been informed," the posting reads. "Consumer data are only stored in enough detail to fight mass fraud, not make purchases, and weren't compromised anyway."
__________________
Mmm pie...i40 here I come

Previous: i5 i6 i7 i8 i9 i10 i12 i14 i15 i17 i19 i21 i23 i26 i30 i31 i32 i34 PCGS SLAN39 i35 SLAN40 i36 SLANMay09 SLANJuly09 i37 SLANSummerParty09 i38 SLANXmas09 i39 BoatLAN1

The views expressed in this posting are FiRe's alone, and do not reflect Multiplay UK's views or policies.
FiRe is offline   Reply With Quote
Old 20th April 2007, 11:14   #14
Retired
 
 
Join Date: Mar 2000
Location: The Aether
Posts: 11,744

Quote:
Originally Posted by Dunceantix View Post
I would rather have to enter my card details again than have the risk of them being stolen.
The choice is not that black and white though - the convenience factor is a DEFINITE, the risk of being stolen absolutely minuscule - and your exposure is almost nothing as you can get any fraudulent payments refunded by the card company.

Ultimately, it's trading definite convenience now for possible inconvenience in the future...
Afty is offline   Reply With Quote
Old 20th April 2007, 14:33   #15
Benji
 
Join Date: Feb 2006
Location: London
Posts: 1,703

I am with Dunce on the credit card process. In a million years I would rather re-enter my card information to make an order than them store it.
__________________
A Sea Cadet all the way!
Karsh is offline   Reply With Quote
Old 20th April 2007, 14:58   #16
Retired
 
 
Join Date: Mar 2000
Location: The Aether
Posts: 11,744

Quote:
Originally Posted by Karsh View Post
I am with Dunce on the credit card process. In a million years I would rather re-enter my card information to make an order than them store it.
Your logic is flawed and your words show this.

The whole idea of convenience is to save you time. You've just claimed that you'd rather spend several lifetimes keying in information into a computer terminal, than suffer the VERY minuscule risk of having to make a phone call to rectify a fraud issue.

I find this hard to believe.
Afty is offline   Reply With Quote
Old 20th April 2007, 15:11   #17
Benji
 
Join Date: Feb 2006
Location: London
Posts: 1,703

Quote:
Originally Posted by afty View Post
Your logic is flawed and your words show this.

The whole idea of convenience is to save you time. You've just claimed that you'd rather spend several lifetimes keying in information into a computer terminal, than suffer the VERY minuscule risk of having to make a phone call to rectify a fraud issue.

I find this hard to believe.
This is my personal preference, So no idea why you would claim it is flawed.
__________________
A Sea Cadet all the way!
Karsh is offline   Reply With Quote
Old 20th April 2007, 15:56   #18
Retired
 
 
Join Date: Mar 2000
Location: The Aether
Posts: 11,744

Quote:
Originally Posted by Karsh View Post
This is my personal preference, So no idea why you would claim it is flawed.
Because I don't believe you are telling the truth when you say you would rather spend every minute of your life until you die typing on a keyboard instead of making just a single phone call...
Afty is offline   Reply With Quote
Old 20th April 2007, 16:46   #19
postcount++
 
 
Join Date: Aug 2004
Location: burmingum
Posts: 1,301

I'm with afty, if I had to reenter credit card details monthly or even weekly for everything that I have repeat billed to my card then I'd be a VERY pissed off customer.
I have a credit card because it offers protection against fraud, if someone hacks into a site I use and steals my credit card number then I don't really care too much, it gives me a bit of hassle in getting a new one, but compared to the hassle I'd have dealing with paying for things if I couldn't repeat bill it's infinitely small, and when compared with the risk it'll happen is insignificant.
There is no way that I believe anyone who has to more than 1 or 2 repeat billings would be willing to manually deal with them every month. Maybe they would for the first few months, until they go on holiday or forget and then their service gets cancelled.
__________________
<!-- insert signature here -->
TheDon is offline   Reply With Quote
Old 24th April 2007, 00:45   #20
Hmmm
Fileplay Subscriber!
 
 
Join Date: Aug 2002
Location: Wolverhampton
Posts: 503

Quote:
Originally Posted by Neowin
It would appear that a hacker’s proclamation (and proof via screenshots) that he had gained access to all of Valve's internal files has been uncovered as false. In reality, he reportedly hacked a third-party site that deals with Valve's Cyber Café billing program, which nearly eliminates the fear Valve’s customers had about their private information finding its way into unwanted hands. Valve marketing director Doug Lombardi told TG Daily, "The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam. We are working with law enforcement agencies on this matter."
Sounds better now
__________________
Dunceantix

LANs Attended: Too many
Dunceantix is offline   Reply With Quote