Steam security issue revealed personal info to other users on XMas Day (fixed)

I have a linked PayPal account. Remotely deauthorized all logins via paypal.com and confirmed that there were no new purchases. That's good, I guess.
 
It's a caching server problem, so you can all stop panicking. This will not allow anyone to log into your accounts or access your payment information.

That said, it does allow random* people to temporarily view your e-mail address, name, and other info. In theory this could be taken advantage of... if a dedicated, inefficient thief happens to come upon your info.
 
I wonder how many total accounts were compromised.

While people were posting account names at the beginning of the leak, I noticed I was seeing similar names to three other users.

If the cache servers kept logs of the pages they cached, it might be possible to take all the generated pages and figure out which emails were exposed, etc.
 
As has been stated, the best thing to do right now is if you're logged on, stay idle and don't open any pages (store, account, etc.) and if you're not, stay logged off.

The only truly safe step one can take at the moment seems to be unlinking your Paypal off site. Anything else may expose you.

The repercussions of this could be huge for Valve. I can't see them not offering credit monitoring (or more) if this is as bad as it seems. Fingers crossed it's only an unfortunate few and not every single user at risk.

Oh Valve are going to get hit with a fine if this is a real breach, the Data Protection laws in the EU will hurt them big time. At the least they've lost a lot of people's trust and confidence in their service.
 
The easiest way to check if stuff has happened to your steam account at the moment is to go to the email that is associated with your account and see if you have anything from steam.
 
Well shit, I just got home and noticed steam wasn't working properly. Guess I shouldn't have opened steam?

Guess I'll just have to hope for the best.
The easiest way to check if stuff has happened to your steam account at the moment is to go to the email that is associated with your account and see if you have anything from steam.
I'm more worried about my phone number and email address becoming flooded with shit.
 
Man, who knows what person checked out my info. It's really scary.

I hope no one is collecting the info and shares it somewhere.
 
It's a caching server problem, so you can all stop panicking. This will not allow anyone to log into your accounts or access your payment information.

That said, it does allow random* people to temporarily view your e-mail address, name, and other info. In theory this could be taken advantage of... if a dedicated, inefficient thief happens to come upon your info.

Already had a journalist confirm that he had 130 taken from his account, so you can stop running damage control.
 
You can easily script this and make a bot to manually "hit F5 on the account page" so to speak in almost any simple programming language. Any programmer could have abused this during the hour that the leak was happening and could have gotten many, many profile details.

Well, I guess you are right.

Just checked and steam is down completely now.
 
I wonder how many total accounts were compromised.

While people were posting account names at the beginning of the leak, I noticed I was seeing similar names to three other users.

I think that's the scariest part of all this. The fact that multiple users were seeing the same usernames makes it so much riskier for those unlucky enough to have their information popping up. It just increases the odds that it may have been seen by someone with malicious intentions.
 
It's unfair to expect a response from Valve, people. What do you expect them to do? It's Christmas. And contacting users to inform people is way too much! Are you unfamiliar with Valve as a company? Having somebody inform users of a significant security breach goes against their company structure. Who do you think they are, EA? They can't afford to hire somebody to handle this, and even if they did, the spirit of Valve would be lost forever.
 
It's a caching server problem, so you can all stop panicking. This will not allow anyone to log into your accounts or access your payment information.

That said, it does allow random* people to temporarily view your e-mail address, name, and other info. In theory this could be taken advantage of... if a dedicated, inefficient thief happens to come upon your info.

There are reports of people having purchases happen on their accounts. Not just random people either. Guy who works for IGN reported it happened to him.

Edit: Not to mention your full phone number, email and address being leaked is alright reason to panic. So the idea of telling people to not worry is insane.
 
It's a caching server problem, so you can all stop panicking. This will not allow anyone to log into your accounts or access your payment information.

That said, it does allow random* people to temporarily view your e-mail address, name, and other info. In theory this could be taken advantage of... if a dedicated, inefficient thief happens to come upon your info.

Why are you running damage control? Seriously read the thread.
 
Called my brother to tell him about the situation but I wasn't even sure of what to suggest exactly. Told him to avoid using the client and to try not logging in his account for now.
 
I'm highly doubtful this is a "caching issue". This sounds like a problem on Steam's end.

For starters, you don't cache everything at the CDN and information that's supposed to be encrypted is still encrypted. If Steam is caching all of this at Akamai they're idiots and it's still on them.

So even if it is a "caching problem" it means that Steam has been caching unencrypted, raw account info at Akamai, though again, I'm very doubtful this is due to an issue there.

What seems more likely is that someone made an oopsie with the customer information database (drop a few key rows and suddenly info is showing up where it shouldn't have) or a straight-up hack.

Others are free to weigh in on this. I work in the webhosting industry and deal with CDNs on a fairly regular basis. Our company uses Akamai as well.

I feel the same way, but then... this is the Steam Client we're talking about, it's needed a total rewrite for at least the last 5 years. I wouldn't be surprised if it's still using some of the same crap it had in 2004.
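
An added example, not part of any post in this thread: a Python check for the question raised above, namely which origin responses a shared cache such as a CDN is allowed to store and replay to another visitor. It follows a simplified reading of the HTTP caching rules (RFC 9111, section 3) and ignores CDN-side overrides; the paths, headers and the `per_user` flag are constructed for illustration.

```python
# Added example: which origin responses may a shared cache (CDN) store and replay?
# Simplified from RFC 9111 section 3; sample paths and headers are constructed.

HEURISTIC_STATUSES = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}

def parse_cache_control(value):
    """Return {directive: argument-or-None} with lowercase directive names."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def shared_cache_may_store(status, headers, request_authenticated=False):
    """True if a shared cache is allowed to store this response."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    # Responses to requests carrying Authorization need explicit permission.
    if request_authenticated and not ({"public", "s-maxage", "must-revalidate"} & cc.keys()):
        return False
    if {"public", "s-maxage", "max-age"} & cc.keys() or "expires" in h:
        return True
    # No explicit freshness: caches may still store heuristically.
    return status in HEURISTIC_STATUSES

def audit(responses):
    """Return paths of per-user responses that a shared cache could replay."""
    return [r["path"] for r in responses
            if r["per_user"] and shared_cache_may_store(r["status"], r["headers"])]

SAMPLE = [  # constructed responses, not captured traffic
    {"path": "/static/logo.png", "status": 200, "per_user": False,
     "headers": {"Cache-Control": "public, max-age=86400"}},
    {"path": "/account/", "status": 200, "per_user": True,
     "headers": {"Cache-Control": "max-age=60"}},
    {"path": "/account/history", "status": 200, "per_user": True,
     "headers": {"Content-Type": "text/html"}},
    {"path": "/account/billing", "status": 200, "per_user": True,
     "headers": {"Cache-Control": "private, no-store"}},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The `Authorization` rule does not cover sessions carried in cookies, so a per-user page is only kept out of shared caches when the origin marks it `private` or `no-store`.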
 
Already had a journalist confirm that he had 130 taken from his account, so you can stop running damage control.

We can't let reality stand in the way of corporate loyalty.

Oh boohoo, i'm just asking because my login username and the one steam shows are entirely different.

Also, i'm totally doing overtime on my astroturfing duties, gonna reign in the big bucks.
/s

It's the only explanation for your posts in this thread.

First it was "this is no big deal." Then "no personal information was leaked." Now it's a trivial distinction between user and log in names.

It's a big deal. We can stop brazenly defending Valve and start asking for action.
 
went to watch a random speedrun stream on twitch, everyone talking about Steam lol

they're fucked
I see Steam GAF on 9gag. On 9gag!
For some reason also way calmer than this thread.
 
Well got back to my house King's Quest is still downloading at 75%. At this point I think I don't really care all that much. My info is already out there thanks to the Chinese Federal database hack a few months back.
 
If you haven't visited any pages that contain your personal info, you are OK. Basically, people can only see your info if YOU saw your info.

I was playing for the past two hours - before that I was seeing the store in Russian, but I haven't bought anything since yesterday and didn't access my wishlist today either.
Am I already fucked just because I was playing?
 
So don't log in no matter what? I was just going to change pass but at least I have 2 step verification enabled with Steam Guard.

same here but I just log in earlier, oh well at least I don't have anything saved there

my email and pass also created only for steam

my worry is phone number on steam guard are any significant?
 
Well, since I've already complained about the possibility of my account getting accessed (although, no e-mails about things bought, nor charges on my CC yet), let's look at the bright side. I was looking to start the Witcher today but was having a problem with Steam (no sound ingame) so I moved it over to GoG's client. Time to start it up, I guess.
 
Again. This is false. I made a purchase yesterday on my pc and today on my smartphone and I could use the authorized "my PayPal account" payment option without logging in to PayPal again.

Well, that never happened to me, maybe I never authorized Steam to charge me without log in, I didn't even know you could do that.
 
Already had a journalist confirm that he had 130 taken from his account, so you can stop running damage control.

130 dollars? Where did they go? If someone buys something with the wallet of another person the things he bought also stay in that same account. You could refund stuff in this case.
 
It's a caching server problem, so you can all stop panicking. This will not allow anyone to log into your accounts or access your payment information.

That said, it does allow random* people to temporarily view your e-mail address, name, and other info. In theory this could be taken advantage of... if a dedicated, inefficient thief happens to come upon your info.

Before they pulled the plug I was able to see the edit card info page of another user.

In this same thread there was an image of that same page (for a "James").

I don't know about the rest but I'm not panicking. I'm just mad, mad at Valve and annoyed by the random people that try to make damage control for them.
 
At this point it wouldn't make much difference if it was a series of unfortunate events like a hardware failure on Christmas Day of all days, or Valve being incompetent when it comes to security like that steamdb post is suggesting.

I don't think it's gonna change my mind when it comes to storing payment info with Steam, it's gonna be more inconvenient than PSN ever was, but the amount of info accessible is too much
 
You can easily script this and make a bot to manually "hit F5 on the account page" so to speak in almost any simple programming language. Any programmer could have abused this during the hour that the leak was happening and could have gotten many, many profile details.

You can also still access other people's account pages through Google cache.
 