Steam security issue revealed personal info to other users on XMas Day (fixed)

SiegePhalt said:
You know shit is serious when something is trending worldwide.

ku0a1dq.jpg
Click to expand...

Wait, wait, what? "Explotan marcianos en la casa", que demonios? :O
 
This is absolutely nuts.
How does something like this happen? I can't imagine that Valve would have been pushing changes to their infrastructure in the middle of a huge sale, but what do I know. It's just too bad that we probably won't get a dissection of this afterwards, since Valve will surely be as silent as usual.
 
Steamdb just posted a blog

https://steamdb.info/blog/recent-caching-issues-on-steam/

Disclaimer: Steam Database is not affiliated with Valve in any way. We are a community run website.

An hour ago, Steam users started seeing incorrect information on the Steam Store, as if they were signed into someone else's account.

There is no official confirmation from Valve yet, so we can only speculate as to why this issue happened. Valve is known to use Akamai as their CDN and Varnish for caching. Our theory is that a caching misconfiguration in one of these components has caused Steam to incorrectly serve rendered and cached pages intended for a single user only.

This issue means that users’ private information such as email address, billing address, and sometimes credit card details are at risk. As far as we know, this issue is read-only, and no one is able to perform any actions involving your account on your behalf.

To protect yourself, we strongly recommend completely avoiding visiting any Steam store links. This includes visiting the Steam store using the Steam client.

This is not a hack or a DDoS attack. This is highly likely to be a misconfiguration in one of Valve’s caching layers.

At the time of this writing, the Steam store is inaccessible. We can only assume Valve is currently working on fixing the issue.

If you used a PayPal account and had the details saved, you can unlink your account by logging on PayPal.com and going to Settings and Preapproved payments under the Payment options heading.

Going forward, we strongly encourage you not to store your billing information on the Steam store. Valve have proven multiple times that they’re unable to keep their security standards to a high level.
Click to expand...
 
Why would you want to remove the paypal account if it makes you log in with paypal again before a purchase can be finalized?

The only thing is does is protect someone from viewing your paypal e-mail address, which arguably gives a would-be hacker very little ammunition besides a little more social engineering bait. I'd rather just leave my paypal on the account to avoid any issues reattaching it in the coming days of the sale.
 
Grief.exe said:
I didn't see any either, maybe someone browsing caches or /v can confirm.

.
Click to expand...

Far has I could tell, one could see phone numbers and address just from people with credit cards, you could edit the information of the card, change the type like from visa to mastercard and all the blank spaces of addresses and phone number would fill up.
 
Ucchedavāda;190430871 said:
This is absolutely nuts.
How does something like this happen? I can't imagine that Valve would have been pushing changes to their infrastructure in the middle of a huge sale, but what do I know. It's just too bad that we probably won't get a dissection of this afterwards, since Valve will surely be as silent as usual.
Click to expand...

My guess is that if it wasn't an external breach then it was some weird cascade failure scenario (i.e. heavy load leads to components failing in an unusual order). I hope Valve provides at least the general basis of what happened.
 
Costia said:
Looks like GiantWaffle from twitch was able to see somebody else's full address and phone. AFAIK he was using the android steam app and not the PC client or website.
No idea if it is actually true, but worth checking if the andriod/ios apps leaked more information than the website/pc client.
Click to expand...

You could see it from the website and PC client too (the PC client is, after all, just a built-in browser view).
 
Costia said:
Looks like GiantWaffle from twitch was able to see somebody else's full address and phone. AFAIK he was using the android steam app and not the PC client or website.
No idea if it is actually true, but worth checking if the andriod/ios apps leaked more information than the website/pc client.
Click to expand...

Relaxed Muscle said:
http://www.neogaf.com/forum/showpost.php?p=190421358&postcount=221

From this very thread.
Click to expand...

chrominance said:
Phone numbers were absolutely 100% exposed, I saw them with my own eyes. It relied on you having stored your billing address info at one point in Steam (so if you never did this you are definitely okay, and if you removed your billing details you may also be okay if Valve deletes your saved info), but all that info was exposed if you knew where to look.
Click to expand...

Zom said:
Far has I could tell, one could see phone numbers and address just from people with credit cards, you could edit the information of the card, change the type like from visa to mastercard and all the blank spaces of addresses and phone number would fill up.
Click to expand...

Will update my information post.
 
Papilloma said:
Steam stores the three digit code as well as the full credit card number. I've never had to add the CVV number when using a stored card on Steam.
Click to expand...
It doesn't for me and I'm in the US. That may be your bank allowing that. I have to put in my three digit code everywhere but Amazon.
 
AyaisMUsikWhore said:
Well we are talking about money here... Hard earned money that is open to some jerk who wants to purchase stuff because lolz. I don't know if you are compromised or have ever gone through identity theft.. But this is no calm matter at all and it irks me that some people are saying being level headed in a situation which could possibly ruin you for life is recommended... acting like this is some level headed situation. Wtf?

Like please don't.
Click to expand...
Because some of us have first hand experience with having our cc actually stolen. I posted before that if you have a good bank they will take care of you. Monitor your bank account. Look for any charges you haven't made. Change your debit or cc by canceling and ordering a new one if it gives you peace of mind. Banks will contest fraudulent charges.
 
kevm3 said:
Just a hypothetical... but say that Steam goes out of business. All your games go up in smoke with it, correct?
Click to expand...

no, they have a plan in place for that.

if i remember correct, something about you being able to download them for like a few months, and them then working without steam being operational.
 
I can't remember if I ever used my CC directly with Steam, but all my details would get automatically filled in whenever I made a purchase with Paypal and I also set up that security thing via your phone recently

I didn't get any emails from Steam, hope everything is okay
 
RhyDin said:
Why would you want to remove the paypal account if it makes you log in with paypal again before a purchase can be finalized?

The only thing is does is protect someone from viewing your paypal e-mail address, which arguably gives a would-be hacker very little ammunition besides a little more social engineering bait. I'd rather just leave my paypal on the account to avoid any issues reattaching it in the coming days of the sale.
Click to expand...

I think there's a way where you can just click Purchase and it does it all automatically with no additional login.

If there isn't I have no idea why either.
 
Grief.exe said:
The only reason I'm still not quite confirming them is it's possible they bought something in previous days and their financial institution is just logging the charge. No need to fear monger until we have absolute concrete proof.
Click to expand...

My sale purchases from yesterday still don't show on my CC statement on my bank's website. I've never had a need to check this info so immediately before, so I'm surprised it takes this long.
 
benny_a said:
Why would my local cache have the address information of some random dude?

If I saw my own account information on Steam that wouldn't be relevant to this privacy breach.
Click to expand...

So Steam then.
I thought you were talking about when you were adding a new CC in.
 
ViciousDS said:
I don't even know what the hell that means TBH. Maybe you don't have a bank account tied to your paypal or need to verify an email address on your account?
Click to expand...

I've removed the bank accounts but I can't remove the cards. I've delinked Steam from it so it should be fine anyway.

Hopefully.
 
Stumpokapow said:
My guess is that if it wasn't an external breach then it was some weird cascade failure scenario (i.e. heavy load leads to components failing in an unusual order). I hope Valve provides at least the general basis of what happened.
Click to expand...

Just out of curiosity, since we know your account was one of the ones effected, were you logged in or out when it happened?
 
So how do we reconcile the different information from those speculating about the nature of the breach/caching problem maintaining that no action should have been possible on the read-only account info with the reports of people having their accounts cleared out/posting financial statements showing they've been charged?


chinaismine said:
SteamDB has no affiliation with Valve, they're just guessing at what happened. I don't understand why people keep linking to them...
Click to expand...
Even if it's not an official statement, I think it's helpful to post consolidated information about what is known (and not known) from people who are more knowledgeable about this stuff than your average concerned user.

You're obviously free to ignore it, but I don't think it's hurting anyone.
 
Grief.exe said:
Guide to unlink Valve from Paypal.

  1. Log in
  2. Access your settings through the cog in the upper right hand corner
  3. Click Preapproved payments
  4. Click Valve, corp
  5. Select cancel option
Click to expand...

Thanks. I guess I can sleep a bit better tonight now. Well, safe for fear of losing the 0,42€ I had in my steam wallet.

The (non-)communication about this on Valves part is completely awful and inexcusable though.
 
The only reason I kept my Cc info there was because I thought I was safe with the 2-steps verification. Fucking Valve had to create a new Fucking way of exposing user data. Shit.
 
The silence is really making me nervous...

All they had to do is post a short message on Twitter or their site or Facebook or whatever... anything really, not being silent.
 
I noticed earlier today I had Outlast, and it's DLC in my cart again after I had bought them both last night, and that was like the first sign I noticed something was up. This whole mess with Valve being silent is ridiculous though.
 
Papilloma said:
Steam stores the three digit code as well as the full credit card number. I've never had to add the CVV number when using a stored card on Steam.
Click to expand...

The CVV actually isn't necessary to do purchases, afaik it's up to the business to decide whether to require the CVV and when to require it. The reason for that is because if fraudulent purchases go through their system, it's the business that pays for it ultimately, so from that perspective the card issuers leave it up to the businesses. Steam does request the CVV depending on certain criteria even if it's a CC that has already been stored and used in the past many times. I get prompted every so often for it, but in your situation it just may be the case that the conditions to prompt for the CVV have never been met. Many merchants do this, Amazon for instance, so them not asking you for the CVV doesn't mean they are storing it.

IIRC it is also not permissible for merchants to store the CVV anyway, only until the authorisation has been completed.
 
You must log in or register to reply here.

Similar threads

PSYCHO DEAD | Gameplay Reveal Trailer (Third-person survival horror) [PS5, Steam]
23
151
Macattk15 replied
  • Poll
Steam users threaten to boycott Metal Eden for using AI voices
News Drama  2 3
117
1K
rkofan87 replied
Digimon Story Time Stranger debuts with over 70k concurrent users on Steam (~11x the launch CCU of Digimon Survive)
Sales-Age 
5
92
Liopleurodon replied
Steam hits 40m concurrent users.
3 4 5 6 7
300
16K
rodrigolfp replied
[The Verge] Xbox Ally pricing and preorders info coming today. [Update] Prices revealed: $999 Z2 Extreme; $599 Z2
7 8 9 10 11
544
1K
Duchess replied
Top Bottom