Steam security issue revealed personal info to other users on XMas Day (fixed)

ElFly said:
We live just waiting until one of the stores that have all our info is hacker or, in this case, makes a very stupid mistake and exposing all our info.
Click to expand...

Correct me if I'm wrong, but wasn't it only the top level account page which was compromised ? The one that only contains the last 4 digits of your CC number...which is pretty useless to anyone else.

I don't believe anyone was able to view/change someone elses full CC number
 
jmga said:
Still no proof you could do anything more than seeing email, history of purchases and, in some cases, address and phone number. Until proven otherwise, CC info and password were secured, info could not be modified and purchases could not be made.
Click to expand...

Wow, you speak like finding out a person's email, address and phone number is no big deal. Can you even imagine what you could do with such limited information? Geez.
 
Astarte said:
I want to play some video games but I'm getting mixed messages on whether or not I should log in :[
Click to expand...

You can log in, whatever was causing the issues of leaked personal info has been patched. Of course that's all we know on the surface, for all we know it could be worse. I'm logged in and as are many others, as long as you have your Steam Guard setup and have removed any subscription/pre-approved payments you are good, but once again we still don't know the full scope. I may be overly cautious, but I am on. If you are worried just wait it out, although I personally feel you should be fine now.

Matty8787 said:
It is 1am, I am tired.

I don't find this funny, just strange how I only just noticed all this going off.
Click to expand...

A lot of people have logged in, the surface problem has been fixed, but we do not know if there are any underlying problems, as I explained above. Either wait it out, or take the risk. You should be good if you have Steam Guard setup at least.
 
What the hell, i knew nothing about this and i normally entered steam today. Am i fucked? How do i know if personal information has been leaked? I already removed my Paypal account from steam and steam from Paypal authorized payments, what else should i do? Help please.

Fuck you steam, get your shit together.
 
Smash88 said:
You can log in, whatever was causing the issues of leaked personal info has been patched. Of course that's all we know on the surface, for all we know it could be worse. I'm logged in and as are many others, as long as you have your Steam Guard setup and have removed any subscription/pre-approved payments you are good, but once again we still don't know the full scope. I may be overly cautious, but I am on. If you are worried just wait it out, although I personally feel you should be fine now.
Click to expand...

How do we know it's been patched?
 
Thorgal said:
i disagree.

Yes i get that people are freaking the hell out ( for perfectly good reasons ) and they want Valve to give them some reasurance that they are working on it .

However , keeping it low profile until they know they got this fixed and double checked to make sure it is is still preferable to them running instantly to Twitter to shout over the rooftops : HEY GUYS ? THERE IS A GIANT ISSUE RIGHT NOW WITH EVERYONE BEING ABLE TO LOOK AT EVERYONE'S ACCOUNT AND PRIVATE INFORMATION . WE ARE CURRENTLY LOOKING INTO IT !
PLEASE DON'T BE A DICK AND ABUSE THIS OK.
Click to expand...

Keeping it low profile? Are you fucking kidding me? Steam was trending on Twitter worldwide, if you're aiming for security through obscurity (which is already the punchline to a bad joke) then I'd say that pretty much indicates you fucked up.

There is no excuse for the continuing lack of communication. It is absolutely indefensible, despite the constant stream of defenders pouring into this thread to debase themselves in front of the mighty altar of Valve.
 
Smash88 said:
You can log in, whatever was causing the issues of leaked personal info has been patched. Of course that's all we know on the surface, for all we know it could be worse. I'm logged in and as are many others, as long as you have your Steam Guard setup and have removed any subscription/pre-approved payments you are good, but once again we still don't know the full scope. I may be overly cautious, but I am on. If you are worried just wait it out, although I personally feel you should be fine now.
Click to expand...

Ah, was there an announcement of a patch? I'm a bit timid about stuff like this.
@above: Oh, I see. I wonder why Valve isn't saying anything about this.
 
charlequin said:
Yep, this is beyond bush league. The most basic responsibility of a service-based company is to announce that something has happened, share any confirmed info, and shut down service until it can be verified to be safe. Valve has done none of that.

I hope people who praise valve's management structure take a good look at this situation. Every part of this fiasco -- the half-assed ddos mitigation, the apparent untested launch of code with a massive security hole, and the complete silence to their customer base -- is a direct result of an organizational culture with no leadership, no responsibility, and no employees who are expected to do difficult or unpleasant work.
Click to expand...

The most baffling thing, of all the baffling things, is that how they restarted the service with not a single announcement, how I'm am suposed to be sure, as a customer, that everything is alright? what they did to fix it? and what was the problem to begin with?

They just hit the rollback button and call it a day, that just unprofesional and irresponsible.
 
Konosuke said:
Wow, you speak like finding out a person's email, address and phone number is no big deal. Can you even imagine what you could do with such limited information? Geez.
Click to expand...
I was answering to a comment claiming unproven and far worse things.

I don't downplay the personal info leak.
 
Valve will say something eventually I assume and like always promise to communicate better in the future. Maybe one of these days they'll actually keep to that promise.
 
Rodin said:
What the hell, i knew nothing about this and i normally entered steam today. Am i fucked? How do i know if personal information has been leaked? I already removed my Paypal account from steam and steam from Paypal authorized payments, what else should i do? Help please.

Fuck you steam, get your shit together.
Click to expand...
We don't know. But what you did was good.

The only other step that is always recommended is to change your password on other services if it's the same as on Steam. There is currently no real reason to suspect foul play but the lack of communication makes reassurance hard.

--

Yeah I also think the lack of communication on official channels is extremely poor handling of the situation. Relying on third party websites to do damage control in some cases (self-motivated) or giving reasonable (and sometimes confusingly worded advice) interpretations of what happened is not enough.
 
Konosuke said:
Wow, you speak like finding out a person's email, address and phone number is no big deal. Can you even imagine what you could do with such limited information? Geez.
Click to expand...

I don't understand why everyone thinks that because this is clearly a very bad thing, spreading misinformation is wrong.

He didn't say it's not big deal. He didn't say you couldn't find and use that information. He said there's not proof people have been getting full CC info, making purchases, etc.
 
KarmaCow said:
How do we know it's been patched?
Click to expand...

Astarte said:
Ah, was there an announcement of a patch? I'm a bit timid about stuff like this.
Click to expand...

No announcement of a patch, but the issue is when you went to the "account details" page, you were given someone elses account info and even their own store page. This is no longer the case and has been fixed/patched. You can no longer see anyone elses info.

This is what we concretely know so far:

Grief.exe said:
What we know so far

  • Most likely an error in the way Steam caches pages.
  • People are able to access random Steam profiles and see compromising information, account names, emails, last 2 digits of credit card, paypal email address, purchases, etc.
  • Full addresses and phone numbers were able to be accessed.
  • No changes can be made to the effected account, no purchases can be made. Any evidence to the contrary is, as of yet, unsubstantiated.
  • It's been advised to not access Steam URLs, including the client, until we have more information.
  • Do not post account names you see, huge security risk.
  • Do not log into Steam to unlink your Paypal. If you feel the need, can be done from the actual Paypal website.
  • Reminder: Steamdb is not affiliated with Valve in any way.

bJK2asd.png


owZ6BYU.png


3lbQyvr.png




I'll update this post with more information going forward.
Click to expand...

The last few points were during the issue. It should be safe to login now, but like I said we don't know until Steam/Valve tells us and a response could take a week for all we know.

Like I said, if you are still worried, wait for an official response. I am personally logged in, just to make sure something didn't change, but if you are worried keep an eye out on your email/phone until Valve let's us know.
 
charlequin said:
Yep, this is beyond bush league. The most basic responsibility of a service-based company is to announce that something has happened, share any confirmed info, and shut down service until it can be verified to be safe. Valve has done none of that.

I hope people who praise valve's management structure take a good look at this situation. Every part of this fiasco -- the half-assed ddos mitigation, the apparent untested launch of code with a massive security hole, and the complete silence to their customer base -- is a direct result of an organizational culture with no leadership, no responsibility, and no employees who are expected to do difficult or unpleasant work.
Click to expand...
This is in my opinion the thing that Valve should be taken to task for out of this. You cannot expect to never be compromised, but you should take measures to properly handle situations like this one whenever they happen.
 
Thorgal said:
i disagree.

Yes i get that people are freaking the hell out ( for perfectly good reasons ) and they want Valve to give them some reasurance that they are working on it .

However , keeping it low profile until they know they got this fixed and double checked to make sure it is is still preferable to them running instantly to Twitter to shout over the rooftops : HEY GUYS ? THERE IS A GIANT ISSUE RIGHT NOW WITH EVERYONE BEING ABLE TO LOOK AT EVERYONE'S ACCOUNT AND PRIVATE INFORMATION . WE ARE CURRENTLY LOOKING INTO IT !
PLEASE DON'T BE A DICK AND ABUSE THIS OK.
Click to expand...

Bwahahaha......keeping it low profile. Just like Sony in 2011 right? Filling us in after a fucking week! That low profile enough? Valve is just terrible at communicating with its customers. Things haven't changed, even with such a huge fuckup.
 
Valve is the biggest steaming pile of shit in the industry when it comes to any sort of customer relations. I really wish GOG or some other upstart could make a significant enough dent Gabe and others would have to wake the fuck up
 
jmga said:
Still no proof you could do anything more than seeing email, history of purchases and, in some cases, address and phone number. Until proven otherwise, CC info and password were secured, info could not be modified and purchases could not be made.
Click to expand...

I took a snapshot of my phone's screen when this first happened, because I didn't know what was going on, and wanted proof that something was amiss.

I can tell you right now I could've deleted this person's payment info as well as view their purchase history and licenses. Not sure what else because I was freaking out, but those were options available on the screenshot I took.
 
Even though I have not kept a cc on any service since the Sony hack and I have my steam tied to just my pc, this still concerns me a little. :/ I also have not signed into steam since the first day of the sale I hope nobody saw any of my info.
 
Relaxed Muscle said:
The most baffling thing, of all the baffling things, is that how they restarted the service with not a single announcement, how I'm am suposed to be sure, as a customer, that everything is alright? what they did to fix it? and what was the problem to begin with?

They just hit the rollback button and call it a day, that just unprofesional and irresponsible.
Click to expand...

Don't worry, they're building consensus inside the company on what to say.
 
charlequin said:
Yep, this is beyond bush league. The most basic responsibility of a service-based company is to announce that something has happened, share any confirmed info, and shut down service until it can be verified to be safe. Valve has done none of that.

I hope people who praise valve's management structure take a good look at this situation. Every part of this fiasco -- the half-assed ddos mitigation, the apparent untested launch of code with a massive security hole, and the complete silence to their customer base -- is a direct result of an organizational culture with no leadership, no responsibility, and no employees who are expected to do difficult or unpleasant work.
Click to expand...

This.

It's why I've been annoyed with STEAM for a long time now.

Valve can improve, they're going to be making bucket loads of cash either way. All they need to do is give a damn.
 
The hypocrisy in this thread is baffling sometimes.

"I hate steam, I've always hated steam, it's a huge pile of shit!" - has north of 350 games on account.

Mhkay. Wha'ever.
 
WAR recon zero said:
Rank this against the sony hack lol
Click to expand...

Why would we rank it against the sony hack?

Glasshole said:
The hypocrisy in this thread is baffling sometimes.

"I hate steam, I've always hated steam, it's a huge pile of shit!" - has north of 350 games on account.

Mhkay. Wha'ever.
Click to expand...

This shit that has happened is really bad and the worst is how we don't really know much because of Valve being shit at communicating with thei costumers.

The people who say the "I hate steam, I've always hated steam, it's a huge pile of shit!" kinda stuff I don't know what to say really, have your opnion but what does it have to do with this thread to do.
Like seriously if you really "hated" steam before why would this change it.
 
Honestly. Fool me once, shame on you. Fool me again... well fix your shit valve. But this is now what, the third time they have had a major fuck up? Also people acting like "who cares credit card numbers weren't taken.

Are you just purposely forgetting the time when credit card numbers were stolen from their databases? Sure they were encrypted but god damn. Anyone defending this company after everything they have shown about their security system is insane. Again whatever, who cares that valve got hacked a few years ago. The real bad part is the two recent examples are of Valve dropping the ball. Not hackers. Just them being shit at their job. TWICE in one year now.

http://store.steampowered.com/news/7323/
 
ShinUltramanJ said:
I took a snapshot of my phone's screen when this first happened, because I didn't know what was going on, and wanted proof that something was amiss.

I can tell you right now I could've deleted this person's payment info as well as view their purchase history and licenses. Not sure what else because I was freaking out, but those were options available on the screenshot I took.
Click to expand...
The fact that you could press a button saying "delete payment info" does not mean those changes were made.

Everything suggests it was a read-only bug.
 
Wow. Thank the lord I don't have my card information linked to my account. I just texted all my friends about this shit. The fact that some people have to live in fear knowing their information is linked to their account is ridiculous.

Steam is no longer my "go to" place to store all my digital purchases. There will no longer be a conflict in my mind if a game is available on steam vs. somewhere else. This is too big of a fuck up to ignore like I have done in the past.
 
jmga said:
The fact that you could press a button saying "delete payment info" does not mean those changes were made.

Everything suggests it was a read-only bug.
Click to expand...
And that is the problem right there. We, as customers wants to know what exactly happened! We have the right to know. But to Valve it seems making money is more important, let's fix the storefront so people can buy games and don't say anything about what happened, otherwise people might nog login to buy buy buy!
 
Costia said:
You mean second time, right?
http://www.neogaf.com/forum/showthread.php?t=1084810
Looks like that time they sent emails a day later.
Click to expand...

Sportbilly said:
I wasn't aware of that. Again, it's indefensible.
Click to expand...

Let's get the stories in order.

The first incident was actually in 2011, where the forums (that were separate from Steam at the time) were hacked but there was apparently no evidence that anything was taken. There was access to a whole bunch of stuff though, most of which was encrypted in the usual way. This the message that was sent out afterward - http://store.steampowered.com/news/6761/

Second incident was just this year, when they introduced two factor authentication and new account pages, and for some reason you didn't actually need to enter anything for the confirmation key to reset an accounts password, and so could just do it. Arguably this wasn't as awful as it sounds as the issue was at least somewhat trackable and could be reversed, as well as account access being denied to everyone who had SteamGuard enabled (which is on by default) - however I'm not sure what happened if you didn't have SteamGuard and what could happen. Here is the email that was sent only to the affected users:

Dear Steam User,

On July 25th we learned of a Steam bug that could have impacted the password reset process on your Steam account during the period July 21-July 25. The bug has now been fixed.

To protect users, we are resetting passwords on accounts that changed passwords during that period using the account recovery wizard. You will receive an email with your new password. Once that email is received, it is recommended that you login to your account via the Steam client and set a new password.

Please note that while your password was potentially modified during this period the password itself was not revealed. Also, if you had Steam Guard enabled, your account was protected from unauthorized logins even if your password was modified.

We apologize for any inconvenience.
Click to expand...

And now there is today's issue, which is massively different, where contact info was randomly shown to other random people in a nonspecific way due to the nature of the caching issue (if accurate). As such it wouldn't be possible for people to get all the info on a specific person, but they could definitely take a whole bunch - account name, email address, last digits of phone number and CC if via the account page // name, address, phone number, last digits of CC or email address if at the cart.

Rather than being like the PSN hack, where massive amounts of data was identifiably stolen including all personal info / contact info and encrypted CC info, this is randomised but could still have large repercussions depending on if nefarious parties got involved. It would have been possible to "mine" the exploit and sceencap the random person's details, so it might be possible that sooner or later there is some sort of dump on pastebin or something putting all that info wide open.

The worst thing here though (other than compromising personal info) is Valve's lack of communication during it. People could have avoided being at risk by not looking at the cart or account pages (ie where personal info gets shown / cached) during that period. Instead, many people heard the issue and innocently tried to change the info, inadvertently making it a accessible.
 
Inyourprime said:
Wow. Thank the lord I don't have my card information linked to my account. I just texted all my friends about this shit. The fact that some people have to live in fear knowing their information is linked to their account is ridiculous.

Steam is no longer my "go to" place to store all my digital purchases. There will no longer be a conflict in my mind if a game is available on steam vs. somewhere else. This is too big of a fuck up to ignore like I have done in the past.
Click to expand...

LOL yeah cause breaches never happen to any other store. Ever.
 
Thorgal said:
i disagree.

Yes i get that people are freaking the hell out ( for perfectly good reasons ) and they want Valve to give them some reasurance that they are working on it .

However , keeping it low profile until they know they got this fixed and double checked to make sure it is is still preferable to them running instantly to Twitter to shout over the rooftops : HEY GUYS ? THERE IS A GIANT ISSUE RIGHT NOW WITH EVERYONE BEING ABLE TO LOOK AT EVERYONE'S ACCOUNT AND PRIVATE INFORMATION . WE ARE CURRENTLY LOOKING INTO IT !
PLEASE DON'T BE A DICK AND ABUSE THIS OK.
Click to expand...

How do you keep something low profile when is a problem that arises just navigating the service and any of the store pages that contains people private info?

Just buying something could led you to see people private info or just trying to go into "account details".

Is not an obscure number of steps to replicate a problem that leads to a security issue, just navigating any of the steam pages led you to people private info, hell, you don't even needed to be logged in to see it. You know how much traffic can generate steam these days, do you understand how many people private info was on the wild and easilly accesible by anyone for one hour? Do you know kind of info should be protected by companies and they can accounted for if is leaked in this way? Why a company should keep in a low profile manner that the info their customers put in their care can be seen by almost anyone on the net?

Do you understand how dumb you sound?
 
charlequin said:
Yep, this is beyond bush league. The most basic responsibility of a service-based company is to announce that something has happened, share any confirmed info, and shut down service until it can be verified to be safe. Valve has done none of that.

I hope people who praise valve's management structure take a good look at this situation. Every part of this fiasco -- the half-assed ddos mitigation, the apparent untested launch of code with a massive security hole, and the complete silence to their customer base -- is a direct result of an organizational culture with no leadership, no responsibility, and no employees who are expected to do difficult or unpleasant work.
Click to expand...

Agree 100% with this, specially with the bolded part, Valve is run like a flower-power hippie camp, they need a reality check and start acting like an adult company.
 
charlequin said:
Yep, this is beyond bush league. The most basic responsibility of a service-based company is to announce that something has happened, share any confirmed info, and shut down service until it can be verified to be safe. Valve has done none of that.

I hope people who praise valve's management structure take a good look at this situation. Every part of this fiasco -- the half-assed ddos mitigation, the apparent untested launch of code with a massive security hole, and the complete silence to their customer base -- is a direct result of an organizational culture with no leadership, no responsibility, and no employees who are expected to do difficult or unpleasant work.
Click to expand...

The fact that we only got "updates" from a third party not connected to Valve was mind blowing.
 
You must log in or register to reply here.

Similar threads

PSYCHO DEAD | Gameplay Reveal Trailer (Third-person survival horror) [PS5, Steam]
23
151
Macattk15 replied
  • Poll
Steam users threaten to boycott Metal Eden for using AI voices
News Drama  2 3
117
1K
rkofan87 replied
Digimon Story Time Stranger debuts with over 70k concurrent users on Steam (~11x the launch CCU of Digimon Survive)
Sales-Age 
5
95
Liopleurodon replied
Steam hits 40m concurrent users.
3 4 5 6 7
300
16K
rodrigolfp replied
[The Verge] Xbox Ally pricing and preorders info coming today. [Update] Prices revealed: $999 Z2 Extreme; $599 Z2
7 8 9 10 11
544
1K
Duchess replied
Top Bottom