Valve Software, the company behind Counter Strike and Half Life, has been accused of covering up a hack of its servers which allegedly exposed the credit card details of thousands of customers.
A hacker calling himself MaddoxX has trumpeted details of the claimed break-in on his website, and threatened to publish more credit card information if Valve do not "come with something good".
Customers say Valve has known about the alleged security breach since April 8 at the latest.
A customer told us he raised the hacker's claims on Valve's Steampowered.com forums, but a company moderator quickly stepped in to delete it, writing, "Please do not re-post that thread. Valve are aware of the issue and are investigating. Making threads on the issue will not help."
Sources say a dozen threads about the matter have been suppressed on Valve's official forums. In the meantime the firm has made no attempt to contact the thousands of cyber cafe owners potentially affected.
A large file posted on a file sharing site appears to back up the hacker's claims of breaking into the server of Valve's distribution network, Steam. It contains sensitive financial information including Valve's current assets, full details of five credit card transactions from March 12 with the threat of exposing more, and details of how to set up a fake cyber cafe certificate for multiplayer Counter Strike. The 14MB plus directory is essentially a "rip" of the cyber cafe content delivery platform, Steam Cafe, and contains all the files to access Valve's Central Authentication Server.
We contacted MaddoxX via email. He claimed he first gained access to Steam this January, and said that although the cyber cafe customer database is not linked to the standard customer list, he has access to that too. Valve have not contacted him, he said, but have approached his hosting provider to take down the page which announces the hack, so far without success.
The hacker says it's not his intention to steal information. He told us: "I just came accross the login details when I was browsing some stuff. The access to their whole customer database was more like luck, but still a hack because the login details are inside some files. They changed the logins now and made it not possible anymore to get the details from the files. The [credit card] details itself are stored in a MySQL database where I still have access to."
"It is just to show how lax they are with their security. I want a full excuse from VALVe on their site that they did NOT inform anyone about this. I've got several e-mails from cafe owners and they said VALVe hasn't even said shit to them...so you can see how they threat their customers."
One cyber cafe owner contacted by The Register said: "Why has it taken days if not weeks before they told us if there is even the slightest possibility someone has our CC details then we should have been told?"
Valve did not return repeated requests for comment.®