Steam security issue revealed personal info to other users on XMas Day (fixed)

Did having PayPal require you to enter billing information? As far as I can tell now that I'm logged back in, the way someone could have gotten someone else's address and phone number is by adding a credit card and it prefills in the new card's billing address and phone number automatically. If this was not the case with PayPal, PayPal people can worry a little bit less than others.

Most likely going to switch from CC to PayPal for Steam given all this.
 
On your Steam profile page, next to your name, there's a little arrow which opens a drop-down menu with all your previous screen names. Is there any way to clear this? My account name is one of them, and I know I'm probably being a tad paranoid, but I'd love to see it removed.
IDK if that feature exists but a quick fix would be to just change it like 8 times to random stuff and then back. That "wipes" the most old names and replaces them with the most recent.
 
So did anyone else get a notification for a new item in their account? Because I had one happen during the whole ordeal and it turned out to be a pack of cards. Not sure if compensation or lucky drop.
 
Oh no! Any purchase made by someone else will be credited back to your bank account or credit card and Valve will fix your account. Not a big deal.
This shit is embarrassing. You're really acting like another person being able to make a purchase on your account isn't a big deal as long as it's refunded.
 
RE: Unauthorized purchases

My guess is, provided the unauthorized purchases reported are true, that they fall into two categories:
1) User A was logged into User B's account, went to buy something without realizing he was logged into User B's account
2) User A was logged into User B's account, decided to troll by spending User B's money.

It's hard to imagine that anyone was benefiting from this the way they were with the FIFA points stuff, because you couldn't play the games or use the items you "bought" from another person's account.
 
So did anyone else get a notification for a new item in their account? Because I had one happen during the whole ordeal and it turned out to be a pack of cards. Not sure if compensation or lucky drop.

Lucky drop. I didn't receive anything.
 
I don't remember having to put in a password for PayPal the last few times I added funds to my wallet

Am I dreaming or does Steam actually save your PayPal details?
 
Did having PayPal require you to enter billing information? As far as I can tell now that I'm logged back in, the way someone could have gotten someone else's address and phone number is by adding a credit card and it prefills in the new card's billing address and phone number automatically. If this was not the case with PayPal, PayPal people can worry a little bit less than others.

Most likely going to switch from CC to PayPal for Steam given all this.

Any payment method will require entering billing information. Valve has to pay taxes and they need records.
 
Do you receive messages if someone (you) changes something important in your account (like deleting payment information)? I've logged into my account and I can see that there's no CC info stored there even though I used to use Visa payments before. Now I'm not sure whether I deleted that info once I started using PayPal (thankfully I've never saved PP info in Steam) or if someone deleted it for me during the Steam fuckup.

If you have Steam Guard enabled, you get emails whenever anything account related changes or needs your authentication.

I just logged into my account now and even my 'my paypal account' requires authentication again... so either Valve forced a one-time reauth after fixing this or me changing my PayPal password prompted this

The only personal info on my acct page is my email address, paypal email address and last 4 digits of my phone number. I guess I'm good then
 
I've used my CC on steam once, and I usually use those little ....gift? cards from stores lol. I never save CC info on most sites so I think I'll be alright, but this is still an event that makes me nervous >.>
 
So did anyone else get a notification for a new item in their account? Because I had one happen during the whole ordeal and it turned out to be a pack of cards. Not sure if compensation or lucky drop.
I'm pretty sure compensation wouldn't be done silently through Steam Trading Card drops, which I didn't get one of, since you were asking.
 
This shit is embarrassing. You're really acting like another person being able to make a purchase on your account isn't a big deal as long as it's refunded.

Well, the potential harms of a ghost purchase going through and then being cancelled are:
1) Personal information exposed (not related to whether a purchase occurs, just related to whether your account was affected, which mine was)
2) If the charge resolves and you're broke and either the charge or another charge NSFs your account. Like, if you bought a pizza, and it cost $20, and the person keyed in $200, the only risk would be #2. And if they rolled it back before the payment posted, there'd be no risk, right?

So I think what the poster was saying was not that there's no harm from this event (because clearly there is in terms of personal info) but rather that no one is going to be out any money provided Valve does a rollback, which they absolutely should.
 
What a fuck up.

Well, I always use "virtual" CC's on my purchases, cards which only allow for one transaction up to the amount of money I chose, so I'm safe in terms of people spending my money and I have like 20 cents in the steam wallet, but this is messed up.
 
Not even top 3 though.

Sony one was WAY more fucked up than this one.

How exactly? This gave all your information to anyone who wanted to view it. They fucked up, Sony got hacked. This one feels like it will have more real world consequences than just PSN being down.
 
I recently got a pre-paid CC just for Steam, PSN and so on. People were laughing at me saying that I'm paranoid. I added the CC as a payment option to Steam about 3-4 hours ago, had dinner, came back, saw this thread, checked my CC:

[Image: WYZTwQIl.jpg]


Guess who is laughing now.

steamgames.com doesn't belong to Valve:
Registrant Contact
Name: PERFECT PRIVACY, LLC
https://whois.icann.org/en/lookup?name=Steamgames.com
By signing up for Perfect Privacy when you register your domain, our information is published in the WHOIS database, instead of yours.
It's a service for hiding your real identity...

steampowered.com does:
Registrant Contact
Name: Valve Corporation
https://whois.icann.org/en/lookup?name=SteamPowered.COM
 
Oh no! Any purchase made by someone else will be credited back to your bank account or credit card and Valve will fix your account. Not a big deal.
Yeah, it usually just takes some time and I can't afford to be broke for that amount of time, because it's not every time just 9€. That's why I'm using a pre paid CC for this kind of stuff.
 
Searching "http://store.steampowered.com/account" in Google and checking the cached version is still not fixed.

I saw someone's e-mail and the last two digits of their credit card.
 
Oh no! Any purchase made by someone else will be credited back to your bank account or credit card and Valve will fix your account. Not a big deal.
Why don't you post all your credit card info online then? Any purchases will just be credited back anyway right?

Moron.

edit: Apparently I missed the sarcasm... :p
 
RE: Unauthorized purchases

My guess is, provided the unauthorized purchases reported are true, that they fall into two categories:
1) User A was logged into User B's account, went to buy something without realizing he was logged into User B's account
2) User A was logged into User B's account, decided to troll by spending User B's money.

It's hard to imagine that anyone was benefiting from this the way they were with the FIFA points stuff, because you couldn't play the games or use the items you "bought" from another person's account.

Can't you just gift yourself stuff by using the account that you happen to be stuck in?
 
Could this be an inside job by a disgruntled employee?

... this is about the most convoluted way you could do that, and you'd be easily caught because when they figure out what happened with the configuration to cause this they're clearly going to investigate???

Can't you just gift yourself stuff by using the account that you happen to be stuck in?

That might work, although you'd get caught immediately, right?
 
Same thing on my end. I should be in the clear as well correct? There's nothing out of the ordinary from my account as well.

Payment info is always censored on Steam, so that's not going to be a problem and removing that information isn't going to accomplish anything.

Unfortunately, no one who had their information cached today will be "in the clear". In theory, an identity thief could attempt to exploit that information. All you can do is pay attention to your bank/credit statements and ensure there's no suspicious activity going on--something that everyone should be doing regardless of whether their information was compromised.

But I stress that identity thieves don't hide in wait for Steam security vulnerabilities to come along. Trying to gain something from this particular incident would be a difficult, inefficient endeavor. Thieves go for easy targets, not hard ones. If this degree of data were particularly valuable, then Facebook would be ripe for the picking.

That said, this is absolutely a data breach and a security problem on Steam's part. I assume they haven't addressed it yet because they want to fix it before they air it. It would not be smart to exclaim, "Hey, we're having a problem with [this thing that can be exploited by anyone who is reading this]!"
 