Steam security issue revealed personal info to other users on XMas Day (fixed)

I just had a strange thought. If MS is really reviving their game service, now would be the best time, when trust in Valve/Steam is at an all-time low.
 
There is no official response, so you can't know for sure.
If SteamDB's guess is correct, you are probably fine if you haven't accessed any Steam-related pages while logged in in the past few days.

This seems to be the case for me and my mates.

I have not been on Steam for some weeks and they have been on and off it all the time. Both have got emails saying someone was trying to log in to their accounts, but I have not.

I did log in to try and remove any payment details that may have been on there today, but did not manage to reach it. Have had no emails as of yet saying anything has happened on my account at all.
 
It's Christmas Day. Pretty much the only inconvenient day in the entire year for something like this to happen. I imagine their best IT guys are drunk or on vacation and others are scrambling to get away from their families.

The fact that it is Christmas is also why this is probably not just some malfunction in the junction. And even if it were, it is a pretty god damn big one.
 
Valve really needs a proper PR person to communicate what the fuck is going on in their Wonka-esque offices. Jesus Christ this is ridiculous.
 
They are unnecessary only in the case you are already logged into PayPal, something another person obviously won't be. You still always have to confirm from PayPal.

Again. This is false. I made a purchase yesterday on my pc and today on my smartphone and I could use the authorized "my PayPal account" payment option without logging in to PayPal again.
 
They are unnecessary only in the case you are already logged into PayPal, something another person obviously won't be. You still always have to confirm from PayPal.
Don't think it's true. When I authorized Steam in my PayPal account, I remember that I made a few purchases without going to the PayPal site at all. And I don't keep myself logged in to PayPal.
 
It's not fixable, the information is already clearly and widely available. All they can do is damage control at this point which includes communicating about the issue.


It's not like there is a clear list of all names, accounts, emails and so on out there. "Evil minds" would need to manually go through many accounts, and it was random what account you could see.
 
Again, please stop with the holiday excuse. When you open a store for business you take on the risk of something like this happening.

If Valve didn't want to work over Christmas they shouldn't be open for business.

They absolutely have workers on standby just in case something like this happens (I may be giving Valve too much credit), but it doesn't change the fact that they don't have all of their workers.
 
I wonder how many total accounts were compromised.

While people were posting account names at the beginning of the leak, I noticed I was seeing similar names to three other users.

Yeah me too, I saw quite a few similar ones and I was getting a cycle of the same usernames when checking the store when it first happened.
 
Valve really needs a proper PR person to communicate what the fuck is going on in their Wonka-esque offices. Jesus Christ this is ridiculous.

They did but then they saw the "how can we make this year's sale even worse" section and decided to move there. The one guy working on Half Life 3 will be relegated to the janitor's closet after this I'm sure of it.
 
I wonder how many total accounts were compromised.

While people were posting account names at the beginning of the leak, I noticed I was seeing similar names to three other users.

I can imagine the number of people checking their account is not large, especially if the new config got into effect around the same time. But the number of people buying games, and getting cached in every step of the confirmation process, is much higher.
 
As has been stated, the best thing to do right now is if you're logged on, stay idle and don't open any pages (store, account, etc.) and if you're not, stay logged off.

The only truly safe step one can take at the moment seems to be unlinking your PayPal off-site. Anything else may expose you.

The repercussions of this could be huge for Valve. I can't see them not offering credit monitoring (or more) if this is as bad as it seems. Fingers crossed it's only an unfortunate few and not every single user at risk.
 
Again. This is false. I made a purchase yesterday on my pc and today on my smartphone and I could use the authorized "my PayPal account" payment option without logging in to PayPal again.

If you don't have a PayPal purchase receipt in your e-mail you're safe.
 
What we know so far

  • Most likely an error in the way Steam caches pages.
  • People are able to access random Steam profiles and see compromising information, account names, emails, last 2 digits of credit card, paypal email address, purchases, etc.
  • Full addresses and phone numbers were able to be accessed.
  • No changes can be made to the affected account, no purchases can be made. Any evidence to the contrary is, as of yet, unsubstantiated.
  • It's been advised to not access Steam URLs, including the client, until we have more information.
  • Do not post account names you see, huge security risk.
  • Do not log into Steam to unlink your PayPal. If you feel the need, it can be done from the actual PayPal website.
  • Reminder: SteamDB is not affiliated with Valve in any way.

I'll update this post with more information going forward.

remove the username in the top right corner of the phone number example.
 
Looks like someone may have used my card. I see something was purchased on my card online that I don't remember buying and have no record of buying. Goddammit. I don't recall having my credit card info on Steam though. Unless I'm mistaking it for the Dishonored 2 pre-order at Target? Would my account show a pending transaction for a pre-order at Target?
 
It's classic Valve. They can do what the fuck they want though. Give it 2 days and everyone will be saying how much they hate services they've never used, like Origin and Uplay, and much prefer Steam.

Uplay is legit trash. Anyone who's ever had to patch Blacklist through that client knows that well. Let's not try doing any revisionist history here.
 
man usually I stay off the grid for most of the day on Xmas but I bought a shitload of stuff for my close friends last night/this morning so I'm gonna be paranoid about this for a while

I delinked my PayPal using the PayPal site and changed all of my information

just gonna have to wait it out I guess =/
 
They absolutely have workers on standby just in case something like this happens (I may be giving Valve too much credit), but it doesn't change the fact that they don't have all of their workers.

Yeah, but that's irrelevant. When you run a store you need to provide enough staff to cover emergencies.

And when you run an always-online digital store, that includes staff capable of shutting down a major catastrophe like this. Valve took on the risk voluntarily; we can't just say "oh well, it's Christmas" and excuse their completely inept handling of the situation.
 
I just had a strange thought. If MS is really reviving their game service, now would be the best time, when trust in Valve/Steam is at an all-time low.

Great thinking!

It's also a great time for Nintendo to be selling 3DS without chargers, and Sony to cancel Last Guardian because right now no one gives a fuck
 
Again. This is false. I made a purchase yesterday on my pc and today on my smartphone and I could use the authorized "my PayPal account" payment option without logging in to PayPal again.

Is it? When I purchase something from Steam using PayPal it always prompts me to log in.
 
It's been over three hours since people started noticing issues. In this era of being able to tweet while I'm taking a shit, Valve's lack of communication is completely heinous.
 
Yeah this is the final straw, I'm going full on pre-paid cards from here on in and I will be limiting my purchases on Steam to its absolute minimum (thankfully boxed PC games still exist).

Just remember that with prepaid cards you can only get a refund to your Steam wallet. With PayPal you can get a refund to your PayPal account!
 
I'm highly doubtful this is a "caching issue". This sounds like a problem on Steam's end.

For starters, you don't cache everything at the CDN and information that's supposed to be encrypted is still encrypted. If Steam is caching all of this at Akamai they're idiots and it's still on them.

So even if it is a "caching problem", it means that Steam has been caching unencrypted, raw account info at Akamai, though again, I'm very doubtful this is due to an issue there.

What seems more likely is that someone made an oopsie with the customer information database (drop a few key rows and suddenly info is showing up where it shouldn't have) or a straight-up hack.

Others are free to weigh in on this. I work in the webhosting industry and deal with CDNs on a fairly regular basis. Our company uses Akamai as well.
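The distinction the post above draws between what is and is not safe to cache at a CDN, as an added example (not code from the thread and not Steam's or Akamai's configuration): a small check of the response headers a per-account page returns, run over constructed header sets. A shared cache stores a response unless it is told not to, and a stored per-account page is served to whoever requests that URL next.

```python
"""Classify the cache headers of a personalised (per-account) HTTP response.

Added example, not code from the thread or from Valve/Steam/Akamai.
The header sets in main() are constructed for illustration.
"""
from typing import Dict, List


def cache_directives(headers: Dict[str, str]) -> set:
    """Return the lower-case directive names from Cache-Control (values dropped)."""
    raw = headers.get("cache-control", "")
    return {p.strip().split("=")[0].lower() for p in raw.split(",") if p.strip()}


def shared_cache_problems(headers: Dict[str, str]) -> List[str]:
    """Reasons a per-account response could be stored by a shared cache and then
    served to a different user. An empty list means the headers are safe."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    directives = cache_directives(h)
    problems = []
    # Either directive keeps the response out of every shared cache.
    if not directives & {"private", "no-store"}:
        problems.append("Cache-Control lacks 'private' or 'no-store'")
    # s-maxage is an explicit invitation for shared caches to keep the object.
    if "s-maxage" in directives:
        problems.append("Cache-Control sets s-maxage for a personalised page")
    # 'public' overrides the default of not caching authenticated responses.
    if "public" in directives:
        problems.append("Cache-Control marks a personalised page public")
    # Without Vary: Cookie the cache keys only on the URL, so every later visitor
    # receives the first visitor's copy. Vary mitigates; it does not replace private/no-store.
    vary = {v.strip().lower() for v in h.get("vary", "").split(",") if v.strip()}
    if not directives & {"private", "no-store"} and not vary & {"cookie", "*"}:
        problems.append("Vary does not include Cookie")
    return problems


def main() -> None:
    samples = {  # constructed header sets
        "safe":   {"Cache-Control": "private, no-cache", "Vary": "Cookie"},
        "unsafe": {"Cache-Control": "public, s-maxage=600"},
    }
    for name, headers in samples.items():
        print(name, shared_cache_problems(headers) or "OK")


if __name__ == "__main__":
    main()
```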
 
I can't understand the people defending the total lack of communication from Valve during this, it's mind-boggling.

I love Steam, and Valve have made probably 5 of my top 10 games of all time, but this colossal fuck-up is being compounded by an utterly inexcusable failure to communicate on their part.

With a data breach like this, all potentially affected customers (and that's all of them, until you're sure it isn't) need to be notified ASAP, we are now several hours beyond that and still nothing.
 
If you don't have a PayPal purchase receipt in your e-mail you're safe.
You should add a "*" to "safe". Probably safe from being charged for things you didn't buy on Steam, but the leaked personal information can be used for other types of scams.
 
It's not like there is a clear list of all names, accounts, emails and so on out there. "Evil minds" would need to manually go through many accounts, and it was random what account you could see.

You can easily script this and make a bot to manually "hit F5 on the account page" so to speak in almost any simple programming language. Any programmer could have abused this during the hour that the leak was happening and could have gotten many, many profile details.
 
If you don't have a PayPal purchase receipt in your e-mail you're safe.

I deauthorized valve on the PayPal site already and email so far just to be sure.

Looking at the behavior I don't think people can accidentally buy something from other people's accounts. And even if so, the games won't be transferred to any other account. Additionally I only think it affects a small set of people that visited one specific site at one specific moment.
 
So don't log in no matter what? I was just going to change pass but at least I have 2 step verification enabled with Steam Guard.
 