Steam security issue revealed personal info to other users on XMas Day (fixed)

I mean I use Steam Guard so have fun trying to get into my email

You can always worry people will figure out your email's password, but they can't grab your phone, plus the emergency code that can be used to recover your password if someone does hijack your account.
 
Do you use a Hotmail/Live/Outlook email? Because if so, and you have it connected to Xbox Live with payment info, someone could feasibly use the fact that they now know your full name, full address, and last 4 numbers of your CC in order to convince MS's customer service that you have lost access to the account but you can prove it's you by giving them all that info, then get access to your Steam once they have your email.

Not saying it will happen as I doubt most of the people who even saw this glitch would do or even try anything like that but it's possible, which is what some people are so worried about (and fair enough).

Nope, it's an old email address, and the only thing tied to it that I still use is Facebook. Everything else is on a newer one.
 
They shouldn't be able to buy anything because what people were accessing is cached data, not an open session. What is bad is that somebody could potentially use the personal information that was exposed to cause damage in some other service.

Most people with an understanding of the situation aren't worried about purchases using their Steam accounts. There have been some reports but AFAIK none that are verifiable.

However, username, address, phone number, last four digits of CC, e-mail etc are all incredibly valuable to social engineering. Especially the last four digits of your CC, and especially when that is shown on a page with your username and e-mail. All that is dangerous to have in combination because it can be used to get more information and access to other accounts.

I see, well thanks for clearing this up.
 
Is this going to be a PR nightmare for Valve or what? As much as I love(ed) them, they deserve just as much scrutiny as anyone else, like the backlash Sony got for their goof. I have a feeling people will brush this aside because it's Valve and they are somehow immune to any form of criticism.
 
Political dog whistle? Don't bring that nonsense in here.

It's like asking for handouts on the street when you're not homeless. There's a problem, but YOU aren't affected in any way personally. You lost nothing.
How would someone know they're fine in this situation?
 
Hasn't this happened before? I seem to remember a few years back viewing my account but it showed someone else's information instead, just like what was going on today.
 
Most people with an understanding of the situation aren't worried about purchases using their Steam accounts. There have been some reports but AFAIK none that are verifiable.

However, username, address, phone number, last four digits of CC, e-mail etc are all incredibly valuable to social engineering. Especially the last four digits of your CC, and especially when that is shown on a page with your username and e-mail. All that is dangerous to have in combination because it can be used to get more information and access to other accounts.

That about sums it up. It seems very unlikely anything will come of it, but if some unscrupulous, persistent, and skilled individual started with those details (name, address, phone, 4 digits, email address) they could, in theory, and with enough time, potentially leapfrog off that into more.

Now, whether you need to fear someone like that randomly getting -your- info, and whether they actually -are- able to do anything meaningful is a different issue.

Personally, it's not something that particularly concerns me.
 
Most people with an understanding of the situation aren't worried about purchases using their Steam accounts. There have been some reports but AFAIK none that are verifiable.

However, username, address, phone number, last four digits of CC, e-mail etc are all incredibly valuable to social engineering. Especially the last four digits of your CC, and especially when that is shown on a page with your username and e-mail. All that is dangerous to have in combination because it can be used to get more information and access to other accounts.

So are you saying I should cancel my credit card?
 
That about sums it up. It seems very unlikely anything will come of it, but if some unscrupulous, persistent, and skilled individual started with those details (name, address, phone, 4 digits, email address) they could, in theory, and with enough time, potentially leapfrog off that into more.

Now, whether you need to fear someone like that randomly getting -your- info, and whether they actually -are- able to do anything meaningful is a different issue.

Personally, it's not something that particularly concerns me.

That's pretty much where I'm at. I'll wait and see. Even if 5 people saw my information, chances are no one's going to bother doing anything malicious. Throw in the fact that this happened mid-day during Christmas and even fewer people are online reading forums. I'm sure there's some people that probably will try to mess around with someone's info, but that's why you have to be vigilant with your identity protection online.

So are you saying I should cancel my credit card?

I'm going to say no because the time they could purchase something has passed. They couldn't actually see your CC info. There's no information stating where your CC/debit card is even issued from. However, I'd monitor my statements for the rest of the week and next week just to make sure no charges show up from today that were not made by you, so you can contest them or go through whatever process your bank uses to fight those charges.
 
I mean they fucked up. The info should've been private and not visible to anyone. Even having to deal with this thing on Christmas Day is bad enough, but for a significant amount of time people didn't even know if their credit cards were compromised. You even have people in this thread who canceled their debit cards. It shouldn't have happened at all, and in this case compensation is a sign of good faith.
I completely agree they fucked up. Big time. But I can not stand people begging for free shit if they are NOT actually affected. If something is lost, yes, all day you deserve something. But NOT if you are a bystander to the car crash.
 
Good thing this seemed to be resolved by the time I got home. I got a Steam controller for Christmas and was excited to update it and test it out.
 
Can someone please tell me just how everybody's information could have been Google cached/put on the Internet forever? If I took a look at my account information while logged into Steam last week it wouldn't have been logged, right? Why would someone else's info be logged then, just because it was incorrectly displayed on my login?
 
Yeah, I'm mad at Valve but now that the dust settled I don't think anything serious comes from this (it still is an issue and Valve needs to answer tho).

That said, if your e-mail appears in a pastebin list, a good way to get a warning is HaveIBeenPwned?
 
Mjöölnir;190445325 said:
Can someone please tell me just how everybody's information could have been Google cached/put on the Internet forever? If I took a look at my account information while logged into Steam last week it wouldn't have been logged, right? Why would someone else's info be logged then, just because it was incorrectly displayed on my login?
The information in Google's cache is of a specific person. Everyone is seeing the same cached version of some Mexican dude.
It's whatever random account Google's web crawler got when it went through Valve's site.
 
I completely agree they fucked up. Big time. But I can not stand people begging for free shit if they are NOT actually affected. If something is lost, yes, all day you deserve something. But NOT if you are a bystander to the car crash.
Never mind compensation, everyone is entitled to proper disclosure from Valve on what exactly happened and Valve should also not be acting like a breach of personal data isn't a big deal.
 
I completely agree they fucked up. Big time. But I can not stand people begging for free shit if they are NOT actually affected. If something is lost, yes, all day you deserve something. But NOT if you are a bystander to the car crash.
Unfortunately in these situations it's hard to prove who was or wasn't compromised. It's why crediting everyone potentially affected is standard practice for Internet businesses.
 
So if the worst thing that could come from this caching issue is having some stranger see your purchase history, account username, and last 4 digits of your credit card, how can anyone buy anything off your account otherwise? Steam Wallet?

I don't want to undermine anyone who got legit hacked in the past few hours but how would that even work? Valve is claiming there's nothing to worry about.

In the increasingly service- and account-based Internet, every piece of personally identifiable information a person hands over to a service should be treated as a potential attack vector for phishing or hacking attempts, (not to mention doxxing), not just for that specific service but for any other service the user might have registered for. As such, it is (or should be) of paramount importance for service providers to keep all personally identifiable information completely secure as much as possible. Two pieces of obscured information like username and billing address might not be enough to quickly login as that person through the login page, but if the user uses any of the same information on another service, hackers only need to gather a few pieces of information like that to try to get through security questions or to social engineer their way into the account, which might in turn yield the clues to gain access to even more accounts, etc.

It's overly simplistic to only list the specific fields that were leaked and decide that nothing useful can be done on the Steam storefront with them. It would have been trivial during the breach for someone well versed in web scraping to write a script that repeatedly hit the account details page and saved all the information it could about however many users were getting exposed. All of those represent potential attack vectors. If those users have been the victim of other data breaches for other sites (you may have noticed this is happening with disturbing frequency), their email addresses might already be in hackers' repositories of breached users, and so the info from their Steam page can be added into whatever is already known about them. Their billing address or last 4 CC digits or phone number might be used as security questions by another service provider, and that would be enough to get in. This is how modern identity theft works.

None of this is certain to happen to any particular user, of course, but I hope it explains why service providers need to be held accountable for any sort of data breach and treat any breach as a massive liability concern, and why users should be encouraged to safeguard their own information carefully and treat any data breach as a potentially legally actionable cause.
 
So are you saying I should cancel my credit card?

I don't know. I don't know if your information was vulnerable, and if it was, I don't know if somebody managed to collect it. Do you have other accounts associated with that e-mail, username, CC number etc? Could they be socially engineered with that information (my old cable account and credit union I was a part of could have been with that before they updated security measures).

I don't know. At the very least if you think your information could have been vulnerable I'd update passwords and watch your other accounts over the next few weeks.

I'm going to say no because the time they could purchase something has passed. They couldn't actually see your CC info. There's no information stating where your CC/debit card is even from.

Purchases using your steam account isn't the issue here.
 
Mjöölnir;190445325 said:
Can someone please tell me just how everybody's information could have been Google cached/put on the Internet forever? If I took a look at my account information while logged into Steam last week it wouldn't have been logged, right? Why would someone else's info be logged then, just because it was incorrectly displayed on my login?

Because Google cached a version (at least as far as I know there's just one) of the account details page while the issue was going on.

Even if you were logged out while it was going on you'd be shown the account details pages of other people if you went to the account details page, which is why it just as much affected Google's page caching bot.

edit:

nvm, misunderstood.
 
Really hope that Valve sort everything out for people.

I know I say it every time that something like this happens, but I really hope that nobody saves card or banking details on any online store, as nothing is secure. That, and never repeating passwords, is something that people really should be doing.

What's happened here isn't acceptable in any way, but people can't rely on businesses looking after their data as there is no such thing as "secure" online. That wouldn't prevent this sort of thing, but it can help contain the issues when things inevitably do go wrong.

Although it's probably going to be far more complicated than it should be for anybody affected by this, I really do hope that everybody sorts it out as quickly and effortlessly as possible. :(
 
Mjöölnir;190445325 said:
Can someone please tell me just how everybody's information could have been Google cached/put on the Internet forever? If I took a look at my account information while logged into Steam last week it wouldn't have been logged, right? Why would someone else's info be logged then, just because it was incorrectly displayed on my login?

It's about accountability to some extent. If the businesses don't feel negative consequences, there's no real drive to change. Giving away something of value as a consequence is business grounding.

I don't think necessarily everyone has those intentions directly but Valve deserves to lose out on this especially after this being the second strike in one year.
 
Potentially. I'm sure mine is out there too, but asking for freebies if I'm doing just fine seems a little... Disingenuous.

Unless you're as dumb as your posts in this thread make you seem, odds are your private information is not out there on the Internet as this Steam information breach has exposed.

Identity theft is serious. BASELINE Valve should give every Steam user 1 year of identity theft protection from a good agency.
 
This reminds me of all those Twitch glitches where you could see random people's PMs and other account details.

I need to start creating random email aliases for the few gaming things I have on my MAIN email account.
 
I don't know. I don't know if your information was vulnerable, and if it was, I don't know if somebody managed to collect it. Do you have other accounts associated with that e-mail, username, CC number etc? Could they be socially engineered with that information (my old cable account and credit union I was a part of could have been with that before they updated security measures).

I don't know. At the very least if you think your information could have been vulnerable I'd update passwords and watch your other accounts over the next few weeks.
Purchases using your steam account isn't the issue here.

Even if they get access to other accounts, they will continue to remain vulnerable until they change the email used for them. So if they get access to, say, your Amazon account, but you canceled your current CC but happen to store a new one on file, they'll still be able to make purchases. What people are better off doing is changing the email they use for those accounts. Use security questions, etc.
 
Valve better be getting mountains of shit for this.

Fucking seriously. They've exposed how bad they are at managing situations like this. Couldn't give out a store wide warning or something? Instead we had to wait for gaming journos to get something of a statement? The fuck is up with that?
 
Even if they get access to other accounts, they will continue to remain vulnerable until they change the email used for them. So if they get access to, say, your Amazon account, but you canceled your current CC but happen to store a new one on file, they'll still be able to make purchases. What people are better off doing is changing the email they use for those accounts.

Good advice here.
 
Very poor decision by Valve to make an infrastructural configuration change on a major holiday such as Christmas. Surely that could've waited until next Monday...or better yet until after New Years.
 
So is there any way yet of telling if your info was leaked? I haven't accessed Steam in several days so I assume I'm okay, but an assumption isn't very reassuring.
 
So are you saying I should cancel my credit card?
No. Wait and monitor your CC account. If there is a deduction of some sort that you didn't make, just call the CC company and tell them to book it back. Then Valve has to prove it was really you who made that purchase, which they really can't.

It's really no biggy if you have a credit card. I had some mysterious company taking money from my Visa once and I was surprised how well Visa handled it. I got a new card and my money back a few days later.
 
Very poor decision by Valve to make an infrastructural configuration change on a major holiday such as Christmas. Surely that could've waited until next Monday...or better yet until after New Years.

I'm actually kind of shocked that this ended up being the reason for the caching issue. I'm even more shocked that after pushing the change, no one noticed or did anything for an HOUR. I can't believe no one in that time said "put the site into maintenance mode" or "shut down all the servers" or SOMETHING.
 
Very poor decision by Valve to make an infrastructural configuration change on a major holiday such as Christmas. Surely that could've waited until next Monday...or better yet until after New Years.
It is doubtful that it's just a "configuration change".

If it is supposedly a "caching issue" (I doubt it is) there really isn't some configuration that you just make an oopsie and it randomly exposes people's information. I have worked both with Akamai and Varnish (the two services that at this point were identified as the source of the supposed "caching issue") and this isn't how either of them work.
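Whatever the exact layer involved, the "caching issue" argued about above boils down to one mechanism: a shared cache (CDN or reverse proxy) keyed on the URL alone stores the first visitor's rendered account page and hands it to every later visitor, unless the origin marks the page private and the cache honours that. The following Python model is added here as an illustration; it is not code from the thread, nor anyone's real Varnish or Akamai configuration. The session cookie names, the `/account` path and the two account records are constructed, and the model ignores everything except the one decision that matters (may a shared cache store this response?).

```python
"""Toy shared-cache model: why a per-user page must never be stored by a
cache keyed only on its URL. Constructed illustration; no real data."""

from dataclasses import dataclass, field

# Constructed sample data (not real accounts): session cookie -> account record.
ACCOUNTS = {
    "sess-alice": {"user": "alice", "email": "alice@example.invalid", "card_last4": "1234"},
    "sess-bob":   {"user": "bob",   "email": "bob@example.invalid",   "card_last4": "9876"},
}
ACCOUNT_PATH = "/account"  # hypothetical path of the per-user page


def origin_render(path: str, cookie: str, mark_private: bool) -> dict:
    """Origin server: renders the account page for whoever the cookie identifies.
    mark_private decides whether the response carries Cache-Control: private, no-store."""
    acct = ACCOUNTS[cookie]
    headers = {
        "Cache-Control": "private, no-store" if mark_private else "public, max-age=600",
    }
    body = f"user={acct['user']} email={acct['email']} card_last4={acct['card_last4']}"
    return {"path": path, "headers": headers, "body": body}


def shared_cache_may_store(headers: dict) -> bool:
    """Defender-side check: a shared cache must not store a response whose
    Cache-Control says private or no-store. Anything else it is allowed to keep."""
    cc = headers.get("Cache-Control", "").lower()
    directives = {d.strip() for d in cc.split(",")}
    return not ({"private", "no-store"} & directives)


@dataclass
class SharedCache:
    """Reverse-proxy/CDN cache keyed on URL only; the cookie is not part of the key.
    honour_cache_control=False models a cache layer configured to ignore the headers."""
    honour_cache_control: bool
    store: dict = field(default_factory=dict)
    hits: int = 0

    def fetch(self, path: str, cookie: str, origin_marks_private: bool) -> str:
        if path in self.store:
            self.hits += 1
            return self.store[path]  # served to whoever asks, whatever their cookie says
        resp = origin_render(path, cookie, origin_marks_private)
        if not self.honour_cache_control or shared_cache_may_store(resp["headers"]):
            self.store[path] = resp["body"]
        return resp["body"]


def simulate(cache_honours_headers: bool, origin_marks_private: bool) -> list:
    """Alice loads her account page first, then Bob loads his. Returns both bodies;
    the second entry is what Bob actually sees."""
    cache = SharedCache(honour_cache_control=cache_honours_headers)
    return [
        cache.fetch(ACCOUNT_PATH, "sess-alice", origin_marks_private),
        cache.fetch(ACCOUNT_PATH, "sess-bob", origin_marks_private),
    ]


if __name__ == "__main__":
    for honours, private in [(True, True), (True, False), (False, True)]:
        seen_by_bob = simulate(honours, private)[1]
        print(f"cache honours headers={str(honours):5} origin marks private={str(private):5}"
              f" -> Bob sees: {seen_by_bob}")
```

Only the combination "origin marks the page private, and the cache honours it" keeps Bob on his own page; either side getting it wrong (an origin that forgets the header, or a cache layer told to ignore it) produces exactly the symptom described in the thread, with a crawler being just one more anonymous visitor that receives the stored copy. In a real deployment the same check belongs in a test that requests an authenticated page and fails if the response lacks `private` or `no-store`, and `Vary: Cookie` is the usual belt-and-braces addition for pages that must be cacheable but differ per session.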
 
Even if they get access to other accounts, they will continue to remain vulnerable until they change the email used for them. So if they get access to, say, your Amazon account, but you canceled your current CC but happen to store a new one on file, they'll still be able to make purchases. What people are better off doing is changing the email they use for those accounts. Use security questions, etc.
Or just change passwords for all your accounts, especially ones where you use the same password (you should never use the same password on multiple accounts). Enable two-factor authentication for Steam, Amazon, Gmail, etc. Use PayPal, Google Pay, virtual credit card numbers, etc. so as not to expose your real card number. If you really want to get paranoid you could set up different email addresses that all forward mail to a master email address. Just some helpful tips...
 
I'm actually kind of shocked that this ended up being the reason for the caching issue. I'm even more shocked that after pushing the change, no one noticed or did anything for an HOUR. I can't believe no one in that time said "put the site into maintenance mode" or "shut down all the servers" or SOMETHING.

Depending on how their servers are set up it could take an hour to push through a fix for the configuration change...
 
I'm actually kind of shocked that this ended up being the reason for the caching issue. I'm even more shocked that after pushing the change, no one noticed or did anything for an HOUR. I can't believe no one in that time said "put the site into maintenance mode" or "shut down all the servers" or SOMETHING.

Wait, so is it confirmed that Christmas maintenance caused the problem? That's beyond bananas, if so...
In the increasingly service- and account-based Internet, every piece of personally identifiable information a person hands over to a service should be treated as a potential attack vector for phishing or hacking attempts, (not to mention doxxing), not just for that specific service but for any other service the user might have registered for. As such, it is (or should be) of paramount importance for service providers to keep all personally identifiable information completely secure as much as possible. Two pieces of obscured information like username and billing address might not be enough to quickly login as that person through the login page, but if the user uses any of the same information on another service, hackers only need to gather a few pieces of information like that to try to get through security questions or to social engineer their way into the account, which might in turn yield the clues to gain access to even more accounts, etc.

It's overly simplistic to only list the specific fields that were leaked and decide that nothing useful can be done on the Steam storefront with them. It would have been trivial during the breach for someone well versed in web scraping to write a script that repeatedly hit the account details page and saved all the information it could about however many users were getting exposed. All of those represent potential attack vectors. If those users have been the victim of other data breaches for other sites (you may have noticed this is happening with disturbing frequency), their email addresses might already be in hackers' repositories of breached users, and so the info from their Steam page can be added into whatever is already known about them. Their billing address or last 4 CC digits or phone number might be used as security questions by another service provider, and that would be enough to get in. This is how modern identity theft works.

None of this is certain to happen to any particular user, of course, but I hope it explains why service providers need to be held accountable for any sort of data breach and treat any breach as a massive liability concern, and why users should be encouraged to safeguard their own information carefully and treat any data breach as a potentially legally actionable cause.

This really hits the nail on the head, I think, at least as far as the severity of the (unintentional) Steam security breach. It's a serious problem that really shouldn't be understated.
 
It seems all the information from SteamDB was correct as always. They are as much in the know as Valve, but more open.

I hate being called a Steam shill or full damage control from relaying information from Twitter to try to help people.
 
Or just change passwords for all your accounts, especially ones where you use the same password (you should never use the same password on multiple accounts). Enable two-factor authentication for Steam, Amazon, Gmail, etc. Use PayPal, Google Pay, virtual credit card numbers, etc. so as not to expose your real card number. If you really want to get paranoid you could set up different email addresses that all forward mail to a master email address. Just some helpful tips...

Changing passwords in this case wouldn't do anything. With an email address, name/address and phone number, I'm sure there's some sites out there where someone could call a company up and say they got locked out of their account and possibly just need that information to get a password reset. However, a lot of sites require more than just that nowadays.
 
Very poor decision by Valve to make an infrastructural configuration change on a major holiday such as Christmas. Surely that could've waited until next Monday...or better yet until after New Years.

No shit. They are called "change freezes" and they are done to prevent these kinds of problems from happening when a large part of your team is on vacation.
 