Steam security issue revealed personal info to other users on XMas Day (fixed)

Can view my own account again - glad I (somewhat randomly) removed my credit card and address from there a while back. Only had Paypal and the last digits of my phone...which is still annoying enough.

Unlinked Paypal either way.
 
Our accounts with thousands upon thousands of dollars of games and our personal information and payment information could have been compromised. Gee, I don't know why...
But that's not really the case from what I understand. It's just name, address, phone number, last four digits of CC, right? No passwords or usernames? You don't need to be scared about your games.
 
Ok, posted a few pages back, but maybe someone can settle my stomach. I'm seeing a pending transaction on my bank account for Target.com. It's for the amount that I paid to pre-order Dishonored 2. I'm not sure if this pending transaction is for that pre-order that won't come out for months, or if it's someone that stole my card info. Supposedly no one is able to get all the credit card info from this fuck-up right? I'll probably be calling the bank to be sure.

it's either dishonored or target fucking up. as far as we know, no one actually got full on credit card numbers... but i'm still watching like a fucking hawk on my credit account anyways.
 
Well the 10 cent in my steam wallet is gone. Not that I would be sad over that, but well means someone definitely saw the info I had there.

Nothing odd in order history or email though.
 
Okay my account is safe, I had no balance in my account but I did have my credit card linked. Purchase History says no recent purchases I'm unaware of.
 
Not in the US and Canada they're not. Everyone on Steam agreed to binding arbitration and a class-action waiver. They ain't getting sued by shit. Read your subscriber agreement.

You can't agree to something that is against the law (at least in Australia)
So they can put whatever they want in it, doesn't mean it's enforceable
 
But that's not really the case from what I understand. It's just name, address, phone number, last four digits of CC, right? No passwords or usernames? You don't need to be scared about your games.

Username and password length were totally out there. Plus if an account didn't have steam guard, it could be worse.
 
What's the deal with not visiting steam store pages? Part of the problem?

And I guess I should change my password...should I change my pass now @-@
 
But that's not really the case from what I understand. It's just name, address, phone number, last four digits of CC, right? No passwords or usernames? You don't need to be scared about your games.

I'd rather my user/pw be exposed than my name and full address...
 
Mmm, now I can see my real account page... that delete buttons for my cc looks very tempting, I don't know...

EDIT: mmm, I can't edit the cc, I don't know about deleting it...
 
I logged back in and instantly got this

[screenshot]


For once, I might actually look at the privacy policy.
 
But that's not really the case from what I understand. It's just name, address, phone number, last four digits of CC, right? No passwords or usernames? You don't need to be scared about your games.


Not scared about them stealing games, but all that info will out me as a Hunie Pop owner.
 
Wait what, we aren't supposed to be viewing them? I've been trying to but it fails to connect to the servers so I can't.
I'm no pro, but if the problem was steam making cached pages public, doesn't it mean that accessing your personal page without being sure they resolved the problem would theoretically add it to the cached pages pool?
 
Mmm, now I can see my real account page... that delete buttons for my cc looks very tempting, I don't know...

I suggest you do it - I know I will be! I moved to prepaid cards ages ago for Battle.net & PSN, but random purchases on Steam stopped me from ever doing so... That's about to change.
 
Not in the US and Canada they're not. Everyone on Steam agreed to binding arbitration and a class-action waiver. They ain't getting sued by shit. Read your subscriber agreement.

Nope. At the end of the day most of that doesn't amount to being worth anything. They most certainly will get sued.
 
I'm highly doubtful this is a "caching issue". This sounds like a problem on Steam's end.

For starters, you don't cache everything at the CDN and information that's supposed to be encrypted is still encrypted. If Steam is caching all of this at Akamai they're idiots and it's still on them.

So even if it is a "caching problem" it means that Steam has been caching unencrypted, raw account info at Akamai, though again, I'm very doubtful this is due to an issue there.

What seems more likely is that someone made an oopsie with the customer information database (drop a few key rows and suddenly info is showing up where it shouldn't have) or a straight-up hack.

Others are free to weigh in on this. I work in the webhosting industry and deal with CDNs on a fairly regular basis. Our company uses Akamai as well.

The idea of storing account info in a CDN indeed doesn't make sense, but storing it server-side via something like Varnish or memcache would be slightly more plausible. It's probably not a database issue stemming from IDs somehow being linked to the wrong rows, mostly because it was possible to see account details from many different people just by reloading the page. Also, switching between different sections of the account management area would get you different people. Finally, people mentioned seeing the same people pop up between users, i.e. multiple GAFfers could access the same person's account details. Unless the database changes were ongoing and frequent, this wouldn't make much sense. It also wouldn't explain how people who weren't even logged in were able to view account details of random people (which is how Google has some poor sap's account information in its search engine cache now).

The other thing that's weird, though, is why would Valve's caching (assuming it is the cache that failed) suddenly do so on Christmas Day in such spectacular fashion when everything was working fine for years? Generally speaking, even with a massive sale on, it seems unlikely that anyone would be pushing even minor changes to the website's code. Indeed, the fact that there's a massive sale AND a holiday would be ample reason not to do so unless there was a major error on the site. Even if someone did push a bug to the site, presumably they would've been watching for issues and wouldn't have let the site stay up for an hour. So the caching issue would have been triggered by code that previously was reliable, and I can't think of anything significant that would've changed today of all days (but of course I'm not a Valve employee and have no insight into their systems).

So potentially (though I have absolutely zero evidence to suggest this and would never say otherwise) it could be the proximate cause was a caching failure, but that failure was caused by a hack. I certainly couldn't tell you and I don't think anyone else outside of Valve could either.
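An added illustration of the mechanism the post above is reasoning about (not code from this thread, and not Valve's or Akamai's configuration): a toy shared reverse-proxy cache in front of an account page. When the cache keys only on the URL and ignores the origin's Cache-Control header, the first logged-in user's personalised page is stored and then served to every later visitor of that URL, logged in or not, which is also how a copy could end up in a search engine's cache. The same model answers the earlier question about whether loading your own account page while the fault is live "adds it to the pool": in the misconfigured configuration it does. The two corrected configurations either honour `private`/`no-store` or key the cache on the session cookie. Users, cookies, paths and page contents are all constructed for the example.

```python
"""Toy model of a shared HTTP cache serving a personalised account page.

Constructed example: the origin, sessions and page bodies are made up, and
the cache is a few lines of Python standing in for a Varnish/CDN edge.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed session table standing in for the backend's session store.
SESSIONS = {
    "sess-alice": "Alice, 1 Example St, card ending 1234",
    "sess-bob": "Bob, 2 Sample Rd, card ending 9876",
}


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def origin(path: str, cookie: Optional[str]) -> Response:
    """Hypothetical origin server. Personalised pages are marked private."""
    if path == "/account":
        user = SESSIONS.get(cookie)
        if user is None:
            return Response("login required", {"Cache-Control": "no-store"})
        return Response(
            f"Account page for {user}",
            {"Cache-Control": "private, no-store", "Vary": "Cookie"},
        )
    # Anonymous storefront content is genuinely shareable.
    return Response("Store front page", {"Cache-Control": "public, max-age=60"})


class SharedCache:
    """A cache shared by all visitors, with two knobs that decide its safety.

    respect_headers: store only responses the origin did not mark private/no-store.
    vary_on_cookie:  include the session cookie in the cache key (Vary: Cookie).
    """

    def __init__(self, respect_headers: bool, vary_on_cookie: bool):
        self.respect_headers = respect_headers
        self.vary_on_cookie = vary_on_cookie
        self.store: dict = {}
        self.hits = 0

    def _key(self, path: str, cookie: Optional[str]):
        return (path, cookie) if self.vary_on_cookie else (path, None)

    def fetch(self, path: str, cookie: Optional[str] = None) -> Response:
        key = self._key(path, cookie)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        resp = origin(path, cookie)
        cc = resp.headers.get("Cache-Control", "")
        cacheable = not any(tok in cc for tok in ("private", "no-store"))
        if cacheable or not self.respect_headers:
            self.store[key] = resp  # misconfigured cache stores everything
        return resp


def bobs_view(cache: SharedCache) -> str:
    """Alice loads her account page first; return what Bob then sees."""
    cache.fetch("/account", "sess-alice")
    return cache.fetch("/account", "sess-bob").body


def anonymous_view(cache: SharedCache) -> str:
    """Alice loads her account page first; return what a logged-out visitor sees."""
    cache.fetch("/account", "sess-alice")
    return cache.fetch("/account").body


def storefront_cached(cache: SharedCache) -> bool:
    """The public storefront should still be served from cache in every config."""
    cache.fetch("/")
    before = cache.hits
    cache.fetch("/")
    return cache.hits == before + 1


if __name__ == "__main__":
    for label, cfg in (
        ("misconfigured (key on URL, ignore headers)", dict(respect_headers=False, vary_on_cookie=False)),
        ("honours private/no-store", dict(respect_headers=True, vary_on_cookie=False)),
        ("keys on session cookie", dict(respect_headers=False, vary_on_cookie=True)),
    ):
        print(f"{label}: Bob sees -> {bobs_view(SharedCache(**cfg))!r}")
        print(f"{label}: anonymous sees -> {anonymous_view(SharedCache(**cfg))!r}")
```

Of the two fixes, marking personalised responses `private`/`no-store` at the origin is the one that also protects against a browser or intermediary the operator does not control; keying on the cookie only helps caches that actually honour `Vary`.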
 
it's either dishonored or target fucking up. as far as we know, no one actually got full on credit card numbers... but i'm still watching like a fucking hawk on my credit account anyways.

I don't even think I have my credit card info on there. I use paypal. Already unlinked that. Gonna keep an eye on it. If anything else shows up, then I'll know for sure.
 
Ok, posted a few pages back, but maybe someone can settle my stomach. I'm seeing a pending transaction on my bank account for Target.com. It's for the amount that I paid to pre-order Dishonored 2. I'm not sure if this pending transaction is for that pre-order that won't come out for months, or if it's someone that stole my card info. Supposedly no one is able to get all the credit card info from this fuck-up right? I'll probably be calling the bank to be sure.

My Dishonored pre-order transaction popped back up last week and I thought it was weird until I searched for the original pre-order transaction and apparently it never actually posted. So there was only 1 payment for it in the end.
 