Steam security issue revealed personal info to other users on XMas Day (fixed)

Able to log in through the client and check my account details. Nothing changed or out of place it would seem. No other anomalies anywhere else either.

I'm still sitting here refreshing and hope not to be signed up for some weird porn sites or getting an email in cryptic Russian - I'll be more at ease in a week when I know more concretely it wasn't leaked.
 
I just logged in a few minutes ago and everything seems OK. What should I do to protect myself? Deleted my credit card and I'm thinking of removing my mobile number
 
I've been logged out of steam since my computer updated a few days ago, that means nobody was able to possibly see my account right?

No one knows as of this point. I would still remove any pre-approved payment plan you have through Steam for now, just to be safe.

I just logged in a few minutes ago and everything seems OK. What should I do to protect myself? Deleted my credit card and I'm thinking of removing my mobile number

I would advise against removing your number, it's probably the one true safeguard you have since no hacker/intruder/stranger has your phone number to intercept your log-in codes. The worst they can do is sign you up for cat facts, at that point you would know for certain if it leaked.
 
Much worse? Your info was publicly available to anyone who went to the Steam website. And it was entirely Valve's fault, they didn't get hacked. Their own security system was shown to be trash. Plus the fact that earlier this year you could legit log onto ANY Steam account without knowing its password.... It's about time people stop worshipping Valve as some god. They have massively fucked up twice now. They will have to earn people's trust back.

The two aren't similar in any way, people need to stop bringing up the PSN hack as some kind of comparison or to diminish what is going on. Seriously. Your personal info was leaked to anyone. And again, in the same god damn year they had a bug where you could LOG anyone's account. Not even by "hacking" just leaving the confirmation field blank and pressing enter. You could log any account. What the fuck.

It's insane how bad their security is.

Are you implying it wasn't Sony's fault they were hacked? Because just because information gets leaked on purpose (hackers) instead of on accident (bugs) doesn't mean you weren't at fault.

And yes, the Sony hack is worse. The information, ALL OF IT, got into the hands of hackers, those who plan to do harm with it. The Steam hack leaked random data to random users, 99% of those probably mean to do no harm with it. Not to mention the information Sony leaked (full credit card numbers) is much more severe than what Valve leaked.

Yes, this leak is bad, but it is not as horrible and severe as you and other users in this thread are making it out to be.
 
I disconnected my paypal info and changed the password. Do they have access to steam's password?

No they shouldn't. Password is the one thing that wasn't compromised. It was mainly pre-approved purchasing plans, your CC info w/ address and name which was saved in the cache. As long as you have Steam Guard and removed paypal you are good. Changing your password has made you extra secure.

I don't think I've seen it confirmed anywhere that the PSN hack included credit card info. At most it was a "Couldn't rule it out" thing.

I'm not sure, but I don't think your CC # showed up, only your address/name/phone number.

----

Only reason I'm not worried about my number is due to the fact that they only could see your full number if you saved your CC as your credentials, if you had paypal or nothing, you were safe and they only could get the last 4 digits of your phone number.
 
I would advise against removing your number, it's probably the one true safeguard you have since no hacker/intruder/stranger has your phone number to intercept your log-in codes. The worst they can do is sign you up for cat facts, at that point you would know for certain if it leaked.

Cool. Just re-verified

Make sure your profile name isn't the same as your login/account name.

Nice. Never had them the same. Hopefully I can continue going under the radar
 
I didn't see anything weird on my end both on the site and the client, but I removed my CC and PayPal info from being 'remembered' by my profile and changed my password just to be safe.
 
Hmm, still unable to buy anything.

I'm not particularly bothered by this thing. There's only a very slim chance someone accidentally accessed my account and even if they did, all they would be able to see would be my phone number which is pretty much public at this point (I think you can google it based on my GAF username alone), my email address which is also not exactly secret and the last four digits of my credit card number which is like the most useless thing ever.
 
I don't think I've seen it confirmed anywhere that the PSN hack included credit card info. At most it was a "Couldn't rule it out" thing.
Over the years this has been investigated by various governments and there is no evidence of any CC leak associated with it. Anyone who says otherwise hasn't kept up or is intentionally spreading misinformation.
 
I didn't see anything weird on my end both on the site and the client, but I removed my CC and PayPal info from being 'remembered' by my profile and changed my password just to be safe.
The important part is to remove the steam authorization from paypal, not from steam.
 
Cool. Just re-verified

Yup unless you physically give them your phone you are good. Just keep an eye out for anything suspicious phone-wise. If it was leaked you will know, at that point you can work on changing your number.

The important part is to remove the steam authorization from paypal, not from steam.

Yup, do it from paypal itself, but I think if you do it from Steam it cancels that same subscription on paypal itself, no?

Will this cause any problems for sent gifts?

It shouldn't. If you sent it prior to the ordeal, I'm sure it will be fine. Worst comes to worst, refund it and try again.
 
Are you implying it wasn't Sony's fault they were hacked? Because just because information gets leaked on purpose (hackers) instead of on accident (bugs) doesn't mean you weren't at fault.

And yes, the Sony hack is worse. The information, ALL OF IT, got into the hands of hackers, those who plan to do harm with it. The Steam hack leaked random data to random users, 99% of those probably mean to do no harm with it. Not to mention the information Sony leaked (full credit card numbers) is much more severe than what Valve leaked.

Yes, this leak is bad, but it is not as horrible and severe as you and other users in this thread are making it out to be.

The point I was trying to make is that it shows how incompetent Valve is with their security. I actually place the hack that happened earlier this year as worse than this one. When your entire security system for logging into a personal account can be ignored by just leaving a field blank.... that is insane.

How do you trust a company that has such glaring security issues? This is just another nail.
 
Very sad that some posters feel the need to refer back to previous hacks (from years ago) as if it makes this any less bad.

If Sony's hack was bad because "Sony should've known better and yet they chose not to upgrade their security", what does that say about a company in 2015?
 
How have I just come across this? My steam has been working fine.

Apart from yesterday when the store loaded up in USD when I am in the UK, but I thought nothing of it and just hit refresh.... Strange.

EDIT: Now it is just stuck verifying login details.
 
I use PayPal, but my password is required when logging in. I guess that's OK.

If it's a pre-approved subscription I would highly suggest canceling it for the near future until we know what truly went down.

Otherwise if you did the normal paypal -> log in -> pay (non-subscription) - you are good to go.
 
Lmao, what a fuck up, in between my nap too. Good thing I don't really have a lot of personal info on my account.

Maybe we'll get Half Life 3 as a sorry! :P

Very sad that some posters feel the need to refer back to previous hacks (from years ago) as if it makes this any less bad.

If Sony's hack was bad because "Sony should've known better and yet they chose not to upgrade their security", what does that say about a company in 2015?

It says that this isn't a hack.
 
Make sure your profile name isn't the same as your login/account name.

The page which was compromised though is the account page, which for a lot of people may be the same as their login name (at least it is for me...I signed up for steam back in the beta days, maybe it's different for newer accounts)
 
And what of the bank charges he tweeted about

He hasn't mentioned anything about that yet, but he did follow-up the bank stuff with "Heads up for all the people looking at me for the steam things, I could only see the purchases made in my account details." That one was like an hour or so before that other tweet I posted.
 
No one knows as of this point. I would still remove any pre-approved payment plan you have through Steam for now, just to be safe.

Thanks I actually had removed all payment options off my account a while back it seems so I guess I'm not in any real danger of being compromised, still gonna change my password, it definitely needs an upgrade anyways even if that isn't the issue here.
 
I do have a Steam account, but I have not accessed it in months, will I be ok?

I don't have any credit card/paypal info on there, I don't have any address/phone details either as far as I know, there is no point in me trying to login now until tomorrow is there?
 
The most upsetting part of all of this is the fact that people will forgive Steam after a few weeks.

What a ridiculous post. If Valve don't respond robustly, their business is fucked. Simple as that. I've got over 350 games on Steam, this is the first time I've ever had cause to doubt what they're doing. I'm not overly concerned, but I'd like some reassurance. If I don't get it, I'm offski.

And for the poster who tried to make out the PSN breach was worse- that's irrelevant, this may or may not be something as serious, but it's Valve's problem and comparisons are very unhelpful. It's not a pissing contest, this is how robust massive corporations' systems are.
 
Yeah, fuck it, I'm done with Steam over this. There's fucking up and then there's fucking up.

They can take my launch day 4-digit UID and shove it.
 
What's a pre-approved subscription? When I buy something, I choose pay by PayPal, then the PayPal website opens and I have to log in.

You can set up a subscription through Paypal, so when you purchase through Steam it just takes one click, no login to purchase something. It's how many people got charged during the whole ordeal.

Cancelling a subscription cancels all future scheduled payments of that subscription. A subscription can be cancelled up until the day of the next scheduled payment.

Log in to your PayPal account.
Click the Profile icon next to "Log out."
Select Preapproved Payments under "Payment settings."
Select the merchant whose agreement you want to cancel and click Cancel.
Click Cancel Profile to confirm your request.

Source: https://www.paypal.com/selfhelp/article/FAQ577

Check your preapproved payments, if you see anything Steam related cancel it. I forgot I even had one, I stopped using it due to issues with it. I pressed that cancel button like the wind.
 
When did the issue start? I was going through the recommendation page around noon and might have clicked on my cart, I'm not sure.

No idea. I've been a bit late to this party and spent most of my day drinking and eating.

I think the biggest issue (other than the possibility of personal information being viewed by a nefarious party) is that Valve have done fuck all to communicate what is going on; not even a comment that they know about it and intend to inform us of what is happening at a basic level and what precautions are needed. Instead, there are people like the folks at SteamDB, Reddit, Totalbiscuit etc communicating the issues as best as they can tell.

Customer service is one thing, often shit, misleading or obfuscated for many companies, but for a security or data breach, communication is absolutely paramount - many people could have heard the news and naturally gone to remove info / change things, when if anything that has put them at a far greater risk if the issue was caching related.

I can only hope that Valve get their arse kicked for that, and actually invest in dealing with the customer service and communication, particularly for situations such as this.
 
Kinda glad I haven't been using Steam the past few weeks (Livin' that Xenoblade life) now.

Think I'll just keep it that way until I see a definitive 'all-clear' sent out just to be on the safe side.

Hope it's resolved quick and with minimal collateral damage.

Over the years this has been investigated by various governments and there is no evidence of any CC leak associated with it. Anyone who says otherwise hasn't kept up or is intentionally spreading misinformation.

It's the same 'Sony too!' shit so often used to derail and deflect in Xbox critical threads. Disappointing to see that some PC gamers are so eager to resort to the same tired tactics.

Just ignore it and keep the focus on the situation at hand.
 
The year hasn't ended yet, Valve, wanna go for a 3rd massive security breach to form the trifecta of incompetency?

At least I scrubbed my Paypal info before anything happened.
 
No one knows as of this point. I would still remove any pre-approved payment plan you have through Steam for now, just to be safe.

Not necessary, the loophole has now been closed...so unless someone other than yourself magically redirects to your account page when purchasing games, you're quite safe leaving things as they are.

Even back when all this was happening, there was no real confirmation that people could purchase anything using someone else's Paypal anyway.
 
What a ridiculous post. If Valve don't respond robustly, their business is fucked. Simple as that. I've got over 350 games on Steam, this is the first time I've ever had cause to doubt what they're doing. I'm not overly concerned, but I'd like some reassurance. If I don't get it, I'm offski.

And for the poster who tried to make out the PSN breach was worse- that's irrelevant, this may or may not be something as serious, but it's Valve's problem and comparisons are very unhelpful. It's not a pissing contest, this is how robust massive corporations' systems are.

The way people defend Valve is insane. Earlier in the year there was a bug where anyone could log your account. Those 350 games, your account details, everything. I keep bringing this up, but the fact that was largely ignored, this probably is too.
 
You can change your settings so that you don't have to visit paypal each time you want to buy a game on steam. If Valve/Steam is a pre-approved subscription, you can immediately purchase a game by just clicking that you want to pay with Paypal.

That doesn't happen for me, I need to log on.
 
What a ridiculous post. If Valve don't respond robustly, their business is fucked. Simple as that. I've got over 350 games on Steam, this is the first time I've ever had cause to doubt what they're doing. I'm not overly concerned, but I'd like some reassurance. If I don't get it, I'm offski.

And for the poster who tried to make out the PSN breach was worse- that's irrelevant, this may or may not be something as serious, but it's Valve's problem and comparisons are very unhelpful. It's not a pissing contest, this is how robust massive corporations' systems are.
You mean second time, right?
http://www.neogaf.com/forum/showthread.php?t=1084810
Looks like that time they sent emails a day later.
 
What's a pre-approved subscription? When I buy something, I choose pay by PayPal, then the PayPal website opens and I have to log in.

You can pre-approve PayPal as a payment method so you don't have to log in. I've removed that based on a suggestion earlier in the thread. Less convenient, but more secure.
 
Yeah that's the bad part. No company is immune to hacks, which is unfortunate and Sony did not handle their situation well. But now twice, Valve by their own doing has shown they are completely stupid about their security.

Yeah, it's actually quite a bit worse in my opinion that these have been due to incompetence rather than some concerted effort to break in.
 
Not necessary, the loophole has now been closed...so unless someone other than yourself magically redirects to your account page when purchasing games, you're quite safe leaving things as they are.

Even back when all this was happening, there was no real confirmation that people could purchase anything using someone else's Paypal anyway.

It has been proven by people on GAF and elsewhere that they were charged through Paypal, I would do it as a precaution until we have more concrete details from Valve about the situation, then people can add it back if they feel safe to do so. It's a suggestion, if people feel they are safe, then by all means leave it. Just trying to help out.
 
The point I was trying to make is that it shows how incompetent Valve is with their security. I actually place the hack that happened earlier this year as worse than this one. When your entire security system for logging into a personal account can be ignored by just leaving a field blank.... that is insane.

How do you trust a company that has such glaring security issues? This is just another nail.

In my opinion they handled that as best as they could. They fixed the issue and informed users in a very timely manner, and all the hacked accounts were restored. The hackers couldn't even get CC numbers because that all gets cleared when a password reset happens, which is a good security practice implemented before the flaw was introduced. They didn't go silent and then tell users two weeks later that their personal information is in the hand of hackers, which is exactly what Sony did.

Good security isn't never getting hacked, it's how you respond when it happens. And as of right now I'd still trust Valve over Sony in that regard.
 
I'd freak out, but I have like 50 cents in my steam wallet and I never save my payment information on steam. Feel bad for the people who do leave hundreds in their wallet or their info on steam, though. Someone is surely bound to take advantage of that.
 