Steam security issue revealed personal info to other users on XMas Day (fixed)

Yep, this is beyond bush league. The most basic responsibility of a service-based company is to announce that something has happened, share any confirmed info, and shut down service until it can be verified to be safe. Valve has done none of that.

I hope people who praise Valve's management structure take a good look at this situation. Every part of this fiasco -- the half-assed DDoS mitigation, the apparent untested launch of code with a massive security hole, and the complete silence to their customer base -- is a direct result of an organizational culture with no leadership, no responsibility, and no employees who are expected to do difficult or unpleasant work.

This is absolutely spot on. This is the result of a culture of not putting customers first. There's this expectation, especially by people just now entering the workforce, of never having an unpleasant day at work and never having to put in effort. We need month-long vacations at a moment's notice because work should never come before your personal life. But these are the results when your work isn't the priority. Obviously there needs to be a balance and there are problems with the other extreme, but the reality is that we have put a lot of trust in a company that puts their wellbeing above you, the customer.
 
Look,

this is not the same as the Target hack from two years ago, but the way this has been handled and communicated out to customers is beyond dreadful. It's willful negligence bordering on doing business in bad faith.
 
This was far worse from an actual information leaking standpoint, but it appears to be over. PSN was just offline for ages...

What happened with PSN is that someone got user access and rebooted the servers one by one to get supervisor access. When Sony figured that out they pulled the plug until they were sure the server farm was secure again. They even relocated it.

At this point, Valve might not even know what happened.

And it's way too early to know what the lawsuits against Valve will look like.
 
Look,

this is not the same as the Target hack from two years ago, but the way this has been handled and communicated out to customers is beyond dreadful. It's willful negligence bordering on doing business in bad faith.

It's Christmas day. Valve is probably running on a skeleton crew.

Not saying this should be swept under the rug but I'll give them a day or two to release a statement as long as everything is now secure.
 
Look,

this is not the same as the Target hack from two years ago, but the way this has been handled and communicated out to customers is beyond dreadful. It's willful negligence bordering on doing business in bad faith.

It's Christmas day. The real communication will come out in a day or two.
 
Doesn't seem like cc data was leaked.

Last 4 digits were if someone was looking at the account details page, but there should have been no way to change anything / buy anything etc since they were cached pages rather than actually being logged in with the correct account credentials, so any attempts would just ask you to login. Still, private data is out there, it just depends if someone was nefarious enough to want to collect the data and misuse it.
 
Do correct me if I'm wrong.
What could anyone do with the info there? It doesn't show your full credit card number, just the last numbers. In order to use it you have to know the security code. I don't see address etc. readily accessible from the account page.
So what's the deal?
I mean it is bizarre and discomforting that this happened. But I'm not seeing a reason to hit the panic button.... yet.
 
Forget the Trojan Horse, we're talking about betrayed by a guy who let the Persians sneak behind the 300 Spartans at Thermopylae serious here.
Forget Sparta, remember when the snake managed to fool Eva into fooling Adam into eating the apple? And god didn't even exterminate the snake afterwards and instead kicked out the victims.
 
Is it safe to make purchases now? I removed my credit card for now, and that was the only personal information short of email I had associated.
 
Do correct me if I'm wrong.
What could anyone do with the info there? It doesn't show your full credit card number, just the last numbers. In order to use it you have to know the security code. I don't see address etc. readily accessible from the account page.
So what's the deal?

Some users also had their billing address, real name and phone number cached (and leaked).
 
It's Christmas day. Valve is probably running on a skeleton crew.

Not saying this should be swept under the rug but I'll give them a day or two to release a statement as long as everything is now secure.

While that's true, not even at least say a little something on Twitter or such? They really should try to at least do that.
 
Do correct me if I'm wrong.
What could anyone do with the info there? It doesn't show your full credit card number, just the last numbers. In order to use it you have to know the security code. I don't see address etc. readily accessible from the account page.
So what's the deal?
I mean it is bizarre and discomforting that this happened. But I'm not seeing a reason to hit the panic button.... yet.

Those last four digits are golden for social engineering, especially combined with other information like e-mail address, name, username etc.
 
I think at very worst your email and phone number are leaked. Don't really care for phone number... will change my email login tho
 
Last 4 digits were if someone was looking at the account details page, but there should have been no way to change anything / buy anything etc since they were cached pages rather than actually being logged in with the correct account credentials, so any attempts would just ask you to login. Still, private data is out there, it just depends if someone was nefarious enough to want to collect the data and misuse it.

potential names from email accounts + last 4 digits of credit card plus recent payment history = fantastic start to begin phishing with

It's a security breach -- plain and simple
 
It's Christmas day. Valve is probably running on a skeleton crew.

Not saying this should be swept under the rug but I'll give them a day or two to release a statement as long as everything is now secure.

Exactly. The entire Washington DC, including the White House could be offline and I wouldn't be answering my phone. It's Christmas.

Is it too much to ask for Gordon Freeman to announce "Probably not a problem"?
 
Is it safe to make purchases now? I removed my credit card for now, and that was the only personal information short of email I had associated.

I wouldn't purchase anything until Steam releases an official statement. But that's me. If they restarted the service, it's because they properly tested that the problem was resolved. If they didn't do that, it would be like dropping a buggy config file in your production environment that allowed users to see private info of other users. Haha, that would be silly, right? How would that happen?! So yeah, go buy some games, that will make Gabe Santa happy.
 
It's Christmas day. Valve is probably running on a skeleton crew.

Not saying this should be swept under the rug but I'll give them a day or two to release a statement as long as everything is now secure.

It's Christmas day. The real communication will come out in a day or two.

No excuse for zero communication. You run an online, 24 hour service. Someone is always on call for something like this.
 
So basically people would get the information of a totally random steam user for about an hour and people are going to sue them for it? Meanwhile in the real world...
 
Odds are it was not valve, but their cache service / CDN.

From the statement released, it sounds like it was a configuration change by Valve. Additionally, Valve writes the code that deals with caching authorized pages containing PII via something like Varnish. If a CDN made a configuration change that caused something like this, we'd have seen issues with more than just Steam as that change would've rolled out to more than just the servers caching Valve's content.
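
The failure mode discussed in the post above, as an added illustration (not code from this thread, from Valve, or from Varnish): a shared cache that stores responses by URL alone will hand one user's rendered account page to the next visitor, while a cache that honours the origin's `Cache-Control` header will not. The origin, paths and user names are constructed for the example.

```python
# Toy model of a shared (reverse-proxy) cache in front of an origin that
# renders per-user pages. Everything here is hypothetical sample data.

def origin(path, session):
    """Origin renders the page for whoever owns the session."""
    if path == "/account":
        # Personalised page: must never be stored by a shared cache.
        return {"Cache-Control": "private, no-store"}, f"account page for {session}"
    return {"Cache-Control": "public, max-age=60"}, "store front"

class SharedCache:
    def __init__(self, respect_origin_headers):
        self.respect = respect_origin_headers
        self.store = {}          # key is the URL path only, shared by all users

    def cacheable(self, headers):
        if not self.respect:
            return True          # misconfiguration: cache every response by URL
        directives = {d.strip().split("=")[0].lower()
                      for d in headers.get("Cache-Control", "").split(",")}
        if directives & {"private", "no-store", "no-cache"}:
            return False
        return "public" in directives

    def get(self, path, session):
        if path in self.store:   # cache hit: the origin (and its auth) is bypassed
            return self.store[path]
        headers, body = origin(path, session)
        if self.cacheable(headers):
            self.store[path] = body
        return body

def second_visitor_sees(respect_origin_headers, path="/account"):
    """alice requests the page first, then bob; return what bob receives."""
    cache = SharedCache(respect_origin_headers)
    cache.get(path, "alice")
    return cache.get(path, "bob")

if __name__ == "__main__":
    print("misconfigured:", second_visitor_sees(False))
    print("hardened:     ", second_visitor_sees(True))
```

Because a hit is served without contacting the origin, the second visitor gets a static copy of the page and no session on the other account, which matches the "cached pages rather than actually being logged in" behaviour described earlier in the thread.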
 
Exactly. The entire Washington DC, including the White House could be offline and I wouldn't be answering my phone. It's Christmas.

Is it too much to ask for Gordon Freeman to announce "Probably not a problem"?

If Valve's thinking is similar, they should shut down Steam during certain times.
 
Mjöölnir;190443921 said:
So basically people would get the information of a totally random steam user for about an hour and people are going to sue them for it? Meanwhile in the real world...

No one's talking about suing. Why are you crapping on people who are worried about their personal information?
 
The only anomaly I can see on my account so far is that the 2015 'winter sale trading cards' that I had in my inventory so far are now completely different. No transactions have been made, no items traded, Steam Wallet funds are intact and I have no pending transactions on PayPal etc.
 
It's Christmas day. Valve is probably running on a skeleton crew.

Not saying this should be swept under the rug but I'll give them a day or two to release a statement as long as everything is now secure.

It's Christmas day. The real communication will come out in a day or two.

That's a bad excuse. If they leave enough manpower to handle selling stuff and making money, they should also leave enough people to handle a crisis.
Basically, if they didn't leave enough people to handle this, they should have shut down the store completely for the holidays.
But since that would be commercially stupid, they should have left or had enough people on a short notice to handle this fiasco.
A response a few days after the problem happens would be too late.

So if the worst thing that could come from this caching issue is having some stranger see your purchase history, account username, and last 4 digits of your credit card, how can anyone buy anything off your account otherwise? Steam Wallet?

I don't want to undermine anyone who got legit hacked in the past few hours but how would that even work? Valve is claiming there's nothing to worry about.

Also real full name, address and phone number.
 
So if the worst thing that could come from this caching issue is having some stranger see your purchase history, account username, and last 4 digits of your credit card, how can anyone buy anything off your account otherwise? Steam Wallet?

I don't want to undermine anyone who got legit hacked in the past few hours but how would that even work? Valve is claiming there's nothing to worry about.
 
How Valve responded to this serious information leak is appalling to say the least. I have lost any trust I had in Valve keeping my information secure. I fully expect both compensation for the event that took place today, as well as an apology and a transparent email about what happened. Anything less would be a horrible way to care for customers.
 
Forget Ephialtes, we're talking about the worst security failure since the Garden of Eden here.

Edit: GODDAMN IT CHARIOT

Forget Sparta, remember when the snake managed to fool Eva into fooling Adam into eating the apple? And god didn't even exterminate the snake afterwards and instead kicked out the victims.

Damn guys, I was trying to keep it in Greek history but then you went all Biblical and shit
 
Mjöölnir;190443921 said:
So basically people would get the information of a totally random steam user for about an hour and people are going to sue them for it? Meanwhile in the real world...

Basically, a bunch of personal information was cached that shouldn't be cached. Enterprising people know what to do with that if they want to. You can start searching if you want. Can even view some still cached information if you want.
 
Well, I cancelled my debit card when I heard this news initially. I guess I didn't need to.

Better to be safe than sorry? I have a hard time deciding if I should feel angry or relieved.
 