Steam security issue revealed personal info to other users on XMas Day (fixed)

man, I was all like

I wonder if we'll get a satisfying explanation for this. I've been out of IT for four years now, so maybe I'm just out of touch, but it's strange to think about unencrypted customer data just hanging out someplace where anon/public access is sufficient. And actually that doesn't even sound like the kind of indexing/whatever problem that would return the random results we've all seen. So that's two questions, I guess.

Just doesn't really follow for me, not that they would disclose their own architectural details... just sounds weird.

Anyway, this really has shaken my confidence. I hope they will communicate effectively with regard to both root cause and countermeasures. I've been going crazy with PC games ever since I got this laptop, and am really enjoying the platform.

This is the most likely explanation I have seen yet:

reddit said:
It's a problem with their caching server (Varnish), caching pages that should not be cached (such as Account Details, Cart, etc.). It invalidates after some time and is re-cached when the next user visits the page with their profile. You are not actually logged in (as in, you take over the session of the user), you just see pages rendered for others than yourself. This is why different parts of Steam appear as different users.

Which page you see is probably dependent on the edge node (first server you connect to) closest to you, hence why different users see different profiles.

My guess as to how this could've happened is that an untested configuration got activated when Steam went down earlier, e.g. due to an auto-conf service (Puppet, Chef) pulling an untested config, or some of their live servers being replaced by staging/development servers. It's also possible that they were under heavy load and the engineer on duty reconfigured all their edge nodes to cache more aggressively.

Let's hope they fix this fast, because this is a major data leak. I can see private e-mail and account names. Let's hope their cache server is not delivering internal pages.

Credit to: /u/mrallon
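As an added illustration of the mechanism in the quoted explanation (this is constructed example code, not Valve's, Varnish's or the poster's), the toy cache below sits between users and a hypothetical origin whose `/account` page is rendered per session cookie. In the misconfigured mode the cache keys only on the URL and stores everything regardless of what the origin says, so the first user's account page is replayed to everyone who hits the same URL on that node; in the hardened mode, requests carrying a session cookie are passed straight to the origin and responses marked `private`/`no-store` (or carrying `Set-Cookie`) are never stored, which is roughly what Varnish's builtin `vcl_recv`/`vcl_backend_response` do unless a custom VCL unsets the `Cookie` header or forces a TTL. The session table, user names and URLs are assumptions for the demo. The same mechanism is why, later in this thread, people advise against opening your account page while the cache is misbehaving: each view can seed the shared pool with your page.

```python
"""Toy model of a shared HTTP cache (Varnish-style) in front of an origin
that renders per-user pages. Constructed example, not real project code.
"""
from dataclasses import dataclass


@dataclass
class Response:
    body: str
    headers: dict


# Constructed session table standing in for the origin's session store.
SESSIONS = {"sess-A": "alice@example.com", "sess-B": "bob@example.com"}


def session_user(headers):
    """Return the user bound to the request's session cookie, if any."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return SESSIONS.get(value)
    return None


def origin(path, headers):
    """Hypothetical origin: /account is per-user, everything else is public."""
    if path == "/account":
        user = session_user(headers)
        if user is None:
            return Response("login required", {"Cache-Control": "no-store"})
        return Response(f"Account details for {user}",
                        {"Cache-Control": "private, no-store"})
    return Response("Store front page", {"Cache-Control": "public, max-age=300"})


class SharedCache:
    """One cache node shared by all users. `misconfigured=True` selects the
    'cache everything, key on URL only' behaviour; False is the safe one."""

    def __init__(self, backend, misconfigured):
        self.backend = backend
        self.misconfigured = misconfigured
        self.store = {}  # URL -> Response (TTL/expiry omitted for brevity)

    def storable(self, resp):
        if self.misconfigured:
            return True  # aggressive: ignore Cache-Control and Set-Cookie
        if "Set-Cookie" in resp.headers:
            return False
        cc = resp.headers.get("Cache-Control", "")
        return not any(t in cc for t in ("private", "no-store", "no-cache"))

    def fetch(self, path, headers):
        """Return (cache status, response), like an X-Cache header would."""
        # Safe cache: a request with a session cookie is neither served from
        # nor stored in the shared cache (equivalent to `return (pass)` in VCL).
        if not self.misconfigured and "Cookie" in headers:
            return "pass", self.backend(path, headers)
        if path in self.store:
            return "hit", self.store[path]
        resp = self.backend(path, headers)
        if self.storable(resp):
            self.store[path] = resp
        return "miss", resp


def simulate(misconfigured):
    """Alice loads her account page, then Bob and an anonymous visitor load
    the same URL through the same cache node. Returns what each one saw."""
    cache = SharedCache(origin, misconfigured)
    visitors = (("alice", {"Cookie": "session=sess-A"}),
                ("bob", {"Cookie": "session=sess-B"}),
                ("anon", {}))
    seen = {}
    for who, hdrs in visitors:
        status, resp = cache.fetch("/account", hdrs)
        seen[who] = (status, resp.body)
    return seen


if __name__ == "__main__":
    for flag in (True, False):
        print("misconfigured" if flag else "hardened", simulate(flag))
```

Running it shows Bob and the anonymous visitor receiving Alice's account page as cache hits in the misconfigured mode, while in the hardened mode each logged-in user gets their own page via pass and the anonymous visitor gets the login prompt; the public store page is still cached in both modes, which is the point of the fix rather than simply disabling the cache.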
 
If you purposefully misuse your information they won't credit you back. If it is compromised they will.

I don't know why people have to be so defensive about credit card "theft" because it never hurts the card owner unless you admit to doing the purchase or something.
Never hurts them? So you're fine with that info being in the hands of total strangers? People can use that info to sign up for accounts on websites etc. What is wrong with the people who don't see an issue with this?
 
All of mine say steampowered.
That's just strange. Why would Valve register their domain via a 3rd party that hides their ownership? Maybe they bought the domain from some private owner some time ago and just kept it there. Anyway, it's weird.

To prevent domain registration-related leaks, I would presume.
 
Shit, just got home and saw this thread. Tried to log in to my Steam account and it keeps telling me password and name error. When I press "can't login", it says it can't connect to the server. Is this normal or am I screwed? I've got like $23 in credits.

The servers are still wonky, it doesn't mean your account has been stolen.

Now now, what have I told you about using the naughty word "misleading"?
Talking out of your ass isn't a nice nor a clean thing to do, you know.

Sorry, I meant to say "lying."
 
My card was removed from Steam. Am I still okay to go PayPal?

PayPal offers an extra layer of security compared with having a CC linked directly to your Steam account... so yes.

I don't link my CC directly to any online service for this very reason, although it is currently linked to my PayPal account as a backup payment method.
 
RE: Unauthorized purchases

My guess is, provided the unauthorized purchases reported are true, that they fall into two categories:
1) User A was logged into User B's account, went to buy something without realizing he was logged into User B's account
2) User A was logged into User B's account, decided to troll by spending User B's money.

It's hard to imagine that anyone was benefiting from this the way they were with the FIFA points stuff, because you couldn't play the games or use the items you "bought" from another person's account.
What about gifts? Buy and send it.
 
PayPal offers an extra layer of security compared with having a CC linked directly to your Steam account... so yes.

I don't link my CC directly to any online service for this very reason, although it is currently linked to my PayPal account as a backup payment method.

This. Even with "my PayPal account" selected in the dropdown, it still opens a new Steam client browser window to authorize the PayPal payment; it has you log into PayPal.

You should be using this instead of the credit card method that stores your CVV. Also, remember that revoking your card and adding it again sometimes causes issues where you need to wait on Steam. People learned this the hard way by adding new cards immediately prior to sales in the past; they were unable to purchase things for a day or two, IIRC.
 
What about gifts? Buy and send it.

That could be one possible abuse, but it would leave a paper trail that gets your account banned afterwards, and I can't imagine it'd be used for a resale scam since the rollback is likely to occur before the resale. Could be possible though.
 
Never hurts them? So you're fine with that info being in the hands of total strangers? People can use that info to sign up for accounts on websites etc. What is wrong with the people who don't see an issue with this?

No, they can't use that info for anything of any consequence. What, they sign up for an eharmony account or something? Lol.

A compromised SSN is a bigger deal, but there are free and fairly painless ways of protecting that as well.

There are laws about how credit and credit card companies must handle these things that protect the consumer. Breaking those laws carries harsh penalties for the credit card issuer.
 
Is the thing about not deleting your cc information true? What to do? Should I delete it or just leave it alone like Steam DB said?

The only reason they said that is because accessing your account page (to delete your CC) would add your cached account page to the 'pool'.

It appears that loophole has been fixed, so you're probably fine to do it now.
 
Yikes, I'm pretty sure I don't have my CC or PayPal saved on Steam, but I'd like to be sure... is there a safe way to check, or are we still not visiting Steam pages?


Oh well alright then :P
 
Got on safely and removed my shit. Only had a dollar in the wallet, though if this had happened tomorrow it would've been $120 due to Christmas Steam gift cards.

bullet dodged
 
I contacted my credit card company and told them what happened. They shut down my current card so that nobody can use it and sent me a new one.

Might be overkill, but I'm not taking any chances.
 
My wishlist on the Store tab is gone, but can still access it from my Games list.

Other than that, I haven't seen any changes. My computer stayed logged in from yesterday, and I'm not missing any Steam credit.
 
Still can't log on. Been trying to remove payments and personal info for hours now.

As this is a caching issue, it's actually not a good idea to attempt to remove any information from Steam right now. By accessing (viewing) the information, you potentially expose it to others. That said, the problem seems to have been fixed, but we have no confirmation of that yet.

My suggestion to everyone is to just stay out of your Steam account management for now, wait for a statement from them, and then, regardless of what Valve says or doesn't say, check your bank/credit statements regularly for suspicious activity.
 