Slashdot Mirror

← Back to Stories (view on slashdot.org)

Steam Hacked, Credit Card Numbers Taken

Posted by Zonk on from the waiter-check-please dept.

An anonymous reader writes "DailyTech reports that Valve's Steam content distribution system has been compromised. According to the article a hacker claims to have 'bypassed Valve's security system and accessed a significant chunk of data, including: screenshots of internal Valve web pages, a portion of Valve's Cafe directory, error logs, credit card information of customers, and financial information on Valve.'"

11 of 141 comments (clear)

  1. Figures by HolyCrapSCOsux · · Score: 5, Funny

    This is why I like my valves to be ball, gate, or ECC83 and EL34

    --
    0xB315AA8D852DCD3F3DCA578FD2E0BF88
  2. Another, eh? by EveryNickIsTaken · · Score: 4, Insightful

    At what point are sites that take credit cards going to release they need to keep the CC/customer database offline?

    1. Re:Another, eh? by EveryNickIsTaken · · Score: 4, Funny

      Realize, even. Grammar police, set phasers to stun.

    2. Re:Another, eh? by Anonymous Coward · · Score: 4, Insightful

      I wonder at what point the Credit Card industry will switch to one-time use authorization codes, instead of giving retailers your account number? There's no good reason any online retailer *ever* needs my credit card number. It would be possible, if VISA/MasterCard/Discover actually gave a crap about this, to have the retailer redirect the user to the credit card processor's website along with some kind of identifier code to identify the retailer (and, behind the scenes, the CC processor would send back a transaction identifier - probably a guid of some sort, which the retailer could store in their records for later reference), and the requested dollar amount of the transaction. Once on the Credit Card processor's site, the user could either enter their CC account info, or maybe use some sort of login or smart-card authentication, to authorize the transaction.

      The CC processor could then send back to the retailer the the transaction id along with either an authorized or unauthorized code indicator (maybe even a code to indicate why authorization failed - insufficient funds, user declined, stolen card, etc).

      This could even extend to subscription purchases. Currently, one of the reason's retailers might store CC info is for recurring subscription charges. When requesting the transaction, the retailer could indicate they would like to do a recurring charge, and in that case, the transaction id they receive could be repeatedly billed (but *only* by them, not by other merchants) until the user canceled that subscription. Currently, every retailer individually manages subscriptions, so if you want to cancel a subscription with, say, an online game (or magazine or anything else), you have to go to their website (or use some interface built into the game's client) to cancel the subscription. Wouldn't it be great to just log into your credit card's website and go cancel a subscription from a list of your current subscriptions? The next time the game, magazine, whatever goes to bill you, they simply receive back an authorization failed code indicating that the user cancelled the subscription, and they cancel the account in their system automatically.

      Well, I can hope anyhow. Currently, the CC industry seems to be simply content with the status quo, even if it is pretty stupid. I see no reason why anyone I do business with needs a re-usable account number.

      There is, of course, with this proposal still the possibility of someone setting up a phishing attack. Go to their site, get "re-directed to the CC processor's site", which really isn't, and then you end up putting your info in the phisher's database. That could probably be defeated by something similar in concept to Bank of America's SiteKey system, where the site proves to you that *it* is real by showing you something secret, that a phishing site would never know what to show you.

    3. Re:Another, eh? by Anonymous Coward · · Score: 5, Funny

      You morons! HE WAS CORRECTING HIMSELF!

      Go get some sleep and/or stimulant of your choice.

  3. Credit card information? by Reason58 · · Score: 5, Interesting

    It's interesting that they mention credit card information, as you have to enter your complete billing address and credit card information every single time you make a purchase through Steam. Is this hacker lying, or is Steam collecting and storing credit card information on users for shady reasons?

  4. Steam support is vapid by spyrochaete · · Score: 4, Interesting

    Steam is handling this situation extremely poorly in my books. I emailed Steam Support about 18 hours ago, again 6 hours ago, and have received no reply. I've spent about $200 over Steam and until now have received excellent service. Now I'm royally pissed off.

    Here is my first email to Steam:

    I read a distressing article today claiming that Steam's databases were broken into and credit card information was stolen:
    http://emp.damage-web.net/viewtopic.php?p=62590

    Is this true? Do I need to cancel my credit card? Please advise ASAP!

    And here is my second one, posted this morning:

    Do I really need to tell you that this urgent question is time-sensitive?

    http://digg.com/gaming_news/Valve_Hacked_Your_Info _may_be_at_risk

    As you can see this issue, rumour or otherwise, is public knowledge and widespread. Valve's lack of a statement on this is very conspicuous. Please confirm or deny this story so that I can rest at ease.

    I'm not panicking and I'm not about to cancel my credit card, but I'm furious that Valve will not at least advise me whether or not I should do so. If they don't contact me by midnight I'll never buy through their service again. Furthermore, I'll probably join in on any class action lawsuit.

    1. Re:Steam support is vapid by shaitand · · Score: 4, Insightful

      You aren't canceling your card? Lets see, is that the same user id you use for valve? *searches for that id in his printout*

  5. Re:It's an unconfirmed claim you Irish fools by caramelcarrot · · Score: 5, Informative
    http://forums.steampowered.com/forums/showthread.p hp?t=554840

    "There has been no security breach of Steam." However, he does confirm our expert's findings by adding, "The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam. We are working with law enforcement agencies on this matter, and encourage anyone with more information to e-mail us at Catch_A_Thief@valvesoftware.com."
  6. Re:You need to store something for monthly billing by Ford+Prefect · · Score: 5, Informative

    The issue is that the machine doing the billing must NOT be connected to the Internet.

    Who says it was even Valve's machine that was compromised? 1UP.com:

    Doug Lombardi, director of marketing at Valve, says, "There has been no security breach of Steam." However, he does confirm our expert's findings by adding, "The alleged hacker gained access to a third-party site that Valve uses to manage the commercial partners in its Cyber Café program. This Cyber Café billing system is not connected to Steam. We are working with law enforcement agencies on this matter, and encourage anyone with more information to e-mail us at Catch_A_Thief@valvesoftware.com."

    --
    Tedious Bloggy Stuff - hooray?
  7. Here's the full *original* screenshot by TubeSteak · · Score: 4, Informative

    http://i17.tinypic.com/2e0irza.jpg

    The pic in TFA only shows the left half of the picture.

    --
    [Fuck Beta]
    o0t!