Slashdot Mirror


Steam Hacked, Credit Card Numbers Taken

An anonymous reader writes "DailyTech reports that Valve's Steam content distribution system has been compromised. According to the article a hacker claims to have 'bypassed Valve's security system and accessed a significant chunk of data, including: screenshots of internal Valve web pages, a portion of Valve's Cafe directory, error logs, credit card information of customers, and financial information on Valve.'"

7 of 141 comments

  1. Credit card information? by Reason58 · · Score: 5, Interesting

    It's interesting that they mention credit card information, as you have to enter your complete billing address and credit card information every single time you make a purchase through Steam. Is this hacker lying, or is Steam collecting and storing credit card information on users for shady reasons?

    1. Re:Credit card information? by tlhIngan · · Score: 3, Interesting

      Who knows where the credit card numbers came from, really. There's no evidence that the ones they got were from Steam purchases (I think?). But I wouldn't be surprised anyway. Valve's security is notoriously bad, and they require the last four digits of your credit card number in order to recover lost Steam accounts, so they're at least storing a portion of it.


      Reports are all over the map - Valve's official statement says it's only cybercafe owners who are affected (Valve has their credit card information for billing purposes - looks like Valve licenses their games by the hour). And they claim it's the third party host that's afflicted who manages the cybercafe program, and that Steam itself wasn't hacked.

      Where the whole story lies, is somewhere in-between.

      What I don't get is this:

      It seems that VALVe is being held for ransom. If this is true, VALVe may be in trouble, as California Senate Bill 1386 requires that credit card holders be informed of any breach of their information, and MaddoxX already knows exactly how much money they have available.


      What does a California bill have to do with a company based in Washington? (Valve was formed out of some people from Microsoft). They may have to alert CA residents, I suppose?
  2. This is major news. by imbaczek · · Score: 3, Interesting

    How this is not worthy of showing the whole summary is beyond me.

    Oh and I sincerely hope that this kid gets his share of gulag.

    1. Re:This is major news. by Opportunist · · Score: 2, Interesting

      If he sits there with the dimwit who thought it's a bright idea to store CC info on a publicly accessible server, fine with me.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Steam support is vapid by spyrochaete · · Score: 4, Interesting

    Steam is handling this situation extremely poorly in my books. I emailed Steam Support about 18 hours ago, again 6 hours ago, and have received no reply. I've spent about $200 over Steam and until now have received excellent service. Now I'm royally pissed off.

    Here is my first email to Steam:

    I read a distressing article today claiming that Steam's databases were broken into and credit card information was stolen:
    http://emp.damage-web.net/viewtopic.php?p=62590

    Is this true? Do I need to cancel my credit card? Please advise ASAP!


    And here is my second one, posted this morning:

    Do I really need to tell you that this urgent question is time-sensitive?

    http://digg.com/gaming_news/Valve_Hacked_Your_Info_may_be_at_risk

    As you can see this issue, rumour or otherwise, is public knowledge and widespread. Valve's lack of a statement on this is very conspicuous. Please confirm or deny this story so that I can rest at ease.


    I'm not panicking and I'm not about to cancel my credit card, but I'm furious that Valve will not at least advise me whether or not I should do so. If they don't contact me by midnight I'll never buy through their service again. Furthermore, I'll probably join in on any class action lawsuit.

  4. Why do online sites need to store CC#s at all? by illegalcortex · · Score: 3, Interesting

    Some people have said that this may be inaccurate since Steam requires that you enter a CC# at every purchase. In any case, I have to wonder why we don't have better technology than just storing CC#s. For purchases that happen instantaneously online, this would seem to be avoidable.
    1. You enter your CC# on a company's website
    2. Company sends CC# to credit card validation service
    3. On successful transaction, the CC company uses its private key to encrypt a small message containing the cardholder's name, address and CC# along with the billing company's name and address or other account info. It then sends that encrypted result back to the billing company. The billing company throws away the credit card number (except maybe the last four digits for easy identification purposes) and stores only this encrypted form.
    4. Later, when the billing company wants to charge the customer again, it sends that encrypted form to the CC company instead.
    5. The CC company accepts it and decrypts it using the private key, thus allowing payment only to the billing company listed in the file.

    Any obvious glaring errors? Any idea if this has already been proposed and shot down in the past? The data is never going to be truly secure. Someone is always going to get hacked. So it seems this might be a good way to minimize the amount of valuables lying around.
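
An added example, not part of the comment above and not any card network's code: the five-step token scheme from comment 4, written with Node's built-in AES-256-GCM, where the processor seals the card data together with the merchant identity and later honours the token only for that merchant. The key, the merchant IDs `shop-A` and `shop-B` and the card data are constructed, and a symmetric key held only by the processor is assumed in place of the post's "private key".

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require('crypto');

// Constructed demo key; assumed to live only at the card processor (HSM/KMS).
const PROCESSOR_KEY = randomBytes(32);

// Step 3: seal card data plus the merchant identity into an opaque token.
function issueToken(card, merchantId, key = PROCESSOR_KEY) {
  const iv = randomBytes(12); // fresh nonce for every token
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const sealed = Buffer.concat([
    cipher.update(JSON.stringify({ card, merchantId }), 'utf8'),
    cipher.final(),
  ]);
  const token = Buffer.concat([iv, cipher.getAuthTag(), sealed]).toString('base64');
  // The merchant stores only this record, never the full card number.
  return { token, last4: card.pan.slice(-4) };
}

// Steps 4-5: open the token on behalf of the merchant that authenticated on
// this connection. callerMerchantId must come from that session, not the token.
function redeemToken(token, callerMerchantId, key = PROCESSOR_KEY) {
  const raw = Buffer.from(token, 'base64');
  if (raw.length < 28) return { ok: false, reason: 'malformed' };
  const decipher = createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  let claims;
  try {
    const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    claims = JSON.parse(plain.toString('utf8'));
  } catch {
    return { ok: false, reason: 'rejected' }; // forged or modified token
  }
  if (claims.merchantId !== callerMerchantId) {
    return { ok: false, reason: 'wrong merchant' }; // stolen from another shop
  }
  return { ok: true, card: claims.card };
}

// Constructed sample data (4111... is a well-known test number, not a real card).
const record = issueToken({ name: 'A. Example', pan: '4111111111111111' }, 'shop-A');
console.log(record.last4, redeemToken(record.token, 'shop-A').ok,
  redeemToken(record.token, 'shop-B').reason);
```

A copy of the merchant's database then yields tokens that are only chargeable through that merchant's authenticated channel to the processor, so that channel's credentials become the asset to protect.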
  5. Re:Another, eh? by Sigma+7 · · Score: 3, Interesting

    I wonder at what point the Credit Card industry will switch to one-time use authorization codes, instead of giving retailers your account number? Placing an order online is a 3-step process. Select the items you want, enter your billing information, and place the order - and one of these can be skipped by "remembering" the billing information.

    The proposed system will make it a 4-step process: Select the items, obtain your billing information, enter your billing information, and place the order - and none of these can really be skipped. It's a matter of personal taste on what you prefer, but most people go for convenience rather than security.

    The implementation could easily handle this by having credit card numbers "linked" to a primary account, as there's at least 10 trillion possible combinations for credit cards from a single institution. No information on if it will work in practise, but given that most people aren't good with numbers, it would probably boost CS calls. ...