Well, this sure was a thing, wasn't it?
Can someone who's been reading please summarize the thread up to this point?
> Changing passwords in this case wouldn't do anything. With an email address name/address and phone number I'm sure there's some sites out there where someone could call a company up and say they got locked out of their account and possibly just need that information to get a password reset. However a lot of sites require more than just that nowadays.
But they're not just going to give you a password over a phone. They're going to more than likely send it to the email address on the account which that person would not have access to read.
It seems all the information from SteamDB was correct as always. They are as much in the know as Valve, but more open.
I hate being called a Steam shill or full damage control from relaying information from Twitter to try to help people.
However, keeping it low profile until they know they got this fixed and double checked to make sure it is, is still preferable to them running instantly to Twitter to shout over the rooftops: HEY GUYS? THERE IS A GIANT ISSUE RIGHT NOW WITH EVERYONE BEING ABLE TO LOOK AT EVERYONE'S ACCOUNT AND PRIVATE INFORMATION. WE ARE CURRENTLY LOOKING INTO IT!
PLEASE DON'T BE A DICK AND ABUSE THIS OK.
Valve is the biggest steaming pile of shit in the industry when it comes to any sort of customer relations. I really wish GOG or some other upstart could make a significant enough dent Gabe and others would have to wake the fuck up
Don't worry, they're building consensus inside the company on what to say.
But this had nothing to do with them.
> I feel like people are really underestimating the amount of social engineering you can do with what this breach may have provided.
> You could probably try and gain access to either people's Steam accounts or their other accounts using this info just by talking to a CS rep or putting through a "lost access to email" help request.
The "good" news about this calamity is that random accounts were viewed by random people, not stolen by a single malicious entity, so there's less chance of the information being used maliciously.
But of course hoping that the people who viewed your information aren't assholes isn't an entirely comfortable situation. And Valve has some rectifying to do for putting us in it, especially considering this is their second fuckup in like six months. However Valve has been operating, it's obviously anti-helpful for providing reliable security for their users.
I want them to start giving a shit and get better. An apology might help a bit in this endeavor, but you know, acta et verba, thank you very much.
Why are you assuming that there weren't malicious entities collecting user information as well?
> Why are you assuming that there weren't malicious entities collecting user information as well?
Tunnel vision thought process brought on by dismissing uncertainty of how quickly those people can react and operate. My bad.
Wait so is it confirmed that Christmas maintenance caused the problem? That's beyond bananas, if so...
All I have to go on is the post by the (I assume volunteer?) moderator on the Steam Discussion forum, which updated with an unattributed quote saying a configuration change earlier today caused caching issues responsible for the leak. In lieu of literally any other communication from Valve (at least that I've seen), this is the closest thing we have to an official statement.
Periodic reminder that GOG did a stunt that involved a fake shutdown of their service with all content reported to be lost as part of an idiotic promotion of their DRM-free games.
> It seems all the information from SteamDB was correct as always. They are as much in the know as Valve, but more open.
> I hate being called a Steam shill or full damage control from relaying information from Twitter to try to help people.
What evidence do we have they were correct it other than their word? As I've pointed out several times in this thread, this is probably not a "caching issue", and if it is, then it has simply revealed Steam was passing unencrypted info to the cache in the first place, which is a massive no-no.
I have worked both with Akamai and Varnish. This behavior is not how CDNs or caches work. Like, at all...
Seems people in this thread are unusually eager to accept stuff at face value. I understand if a lot of you don't understand this stuff, but I work in the webhosting field where we deal with this exact sort of stuff all the time. I've never seen caching exposed or compromised in this way, and I can think of no way that Varnish or Akamai could be "misconfigured" to make this happen.
But sure, let's just take their word for it. Xbox 360s don't red-ring, either.
Safe to check my account info? I want to see what personal information I had on file.
Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.
http://kotaku.com/steam-goes-nuts-o...m_source=Kotaku_Twitter&utm_medium=Socialflow
> It seems all the information from SteamDB was correct as always. They are as much in the know as Valve, but more open.
> I hate being called a Steam shill or full damage control from relaying information from Twitter to try to help people.
Thanks for the help grief, really. Screw them.
I'm personally quite upset over this breach of data despite having taken the precautions of having a Steam-only 2-stepped semi-throwaway e-mail account, Steam Guard with a secure password, and no saved payment information. At this point I have to consider that e-mail account compromised; it's highly unlikely that it actually is, but it's less unlikely than it used to be before. Social engineering is a thing and leaking the last 4 digits of my cellphone, my account name, and the attached e-mail is honestly incredibly baffling (and that's if you didn't have stored info, all bets are off if you did). To handle public response to it with such a carefree attitude is utterly bewildering.
I'm honestly quite worried for the safety of the accounts of quite a few users who may have a single non 2 stepped mail address, had saved payment info, and had that e-mail tied to steam. I'm sure any decent "hacker" or person with malicious intent is fully capable of getting into that e-mail account with the info that valve leaked. After which every service tied to it is also compromised.
I'm honestly considering canceling all of my planned purchases for this sale unless Valve indicates some sort of corporate remorse and at least cares enough to lie to me by telling me they won't fuck up like this again in the future. The fact that I had to get an "official" response from an overglorified blog is sheer insanity.
> Yeah, I'm mad at Valve but now that the dust settled I don't think anything serious comes from this (it still is an issue and Valve needs to answer tho).
> That said, if your e-mail appears in a pastebin list, a good way to get a warning is HaveIBeenPwned?
Thanks for the link!
what the hell am i reading
> Kotaku got a report from Valve stating the same:
> http://kotaku.com/steam-goes-nuts-offers-access-to-other-peoples-account-1749718979
> Not that whoever they spoke to couldn't be wrong or the reporter misreporting but still Schreier is generally good for it.
I'm not contesting the fact that some people are reporting "caching misconfiguration" as the source of the problem.
I'm saying -- as someone who actually has a working knowledge of this stuff -- that I find it highly unlikely. In the event that it is actually caching, it means that Steam was already passing unencrypted information to the caching. That's not how caches work and it would be an amateur mistake on their part.
So, it's kind of bad either way. Anyone making light of it or downplaying it would do well to learn how it works before declaring the matter settled.
Haven't really read every page here, but anyone else find it disturbing that steamguard did absolutely nothing during this whole fiasco? I actually found out by some random guy emailing me (on the email I use for my steam account) saying I was logged in as him and could I please log out.
That means this guy was looking at my account information, got my email address and emailed me, meaning he was logged in as me, in a completely different country no less, and steamguard didn't even send me a text or email saying someone was logged in from an unauthorized account. Top notch fellas, top notch. It's things like this that really make me second guess all the digital purchases I make.
Maybe it's because you were also minimizing any reports of purchases and other unauthorized use by saying we need to wait on confirmation but then posting SteamDB stuff like gospel?
You may trust the source more but to an outsider with no knowledge of the source, it just looks like you had a bias towards information that made Valve look better and you didn't really explain why SteamDB is trustworthy.
To whom it may concern,
This letter is collaboratively written by various members of Steam’s developer community regarding our concerns with Valve security behaviours, in particular Valve’s inconsistency in rewarding those who report bugs (occasionally punishing people), the speed at which Valve addresses bug reports (if at all), and the problems users face attempting to report bugs to Valve.
Valve does not have a bug bounty program, but bugs do exist in Valve’s products – just like any other pieces of software. Users, whether casual gamers or developers such as ourselves, occasionally come across these bugs, and we want to report them to ensure Valve’s products and customers are secure. There has been an observable trend over the past few months with individuals receiving rare economy items as a reward for reporting bugs (particularly bugs with a heavy impact on the virtual economies within Steam); this trend has been noticed and is commonly referred to when individual users of Steam ask how to report bugs – it is being interpreted as a bug-bounty program. We believe this practise – granting economy items as compensation – is harmful to Valve’s products and reputation as a company, as this practise encourages casual gamers (the audience of Steam’s virtual economies) to find and report bugs which are often either questionable or entirely fabricated in the hope of getting a rare economy item, and we believe this practise dissuades experienced security researchers from paying any real attention to Valve’s products – as they would receive no compensation for their work.
Many other companies offer well defined bug-bounty programs which pay from hundreds to thousands of dollars to security researchers who find bugs. For example, Facebook offers a $500 minimum reward[1], and Google’s rewards range from $100 to $20,000[2]. For a company that is “more profitable [per employee] than Google and Apple” and has a wide variety of products (video-games, Steamworks & associated economy functionality, developer-tools, operating systems, living-room hardware) to not have a clearly defined bug-bounty program, but which arbitrarily grants virtual items in lieu (if at all), seems both reckless and insulting to experienced security researchers.
Regardless of bounties, not having a clear page describing how to report security bugs to Valve, and receive acknowledgement that reports have been received, is harmful to Valve’s customers; the top result when searching for “Steam bug report” on Google is a Steam Powered Users Forum section for the video game DogFighter – demonstrating that users who wish to report bugs responsibly have difficulty finding an avenue to do so.
There is also an issue of double-standards to be raised here. A few members of the developer community, and no doubt members of the community at large, have received infractions against their accounts for the discovery and disclosure of bugs – a subset of which are similar to those that have been rewarded with economy items. This is further damaging, as it introduces uncertainty with regards to the fate of individuals who come across bugs: are they going to be punished or rewarded?
In recent months a critical bug was found within OpenSSL, Heartbleed; this bug was huge – it affected a lot of the working web at the time it was published (it probably still affects a significant number of websites), and it allowed malicious users to easily read the memory of systems which were vulnerable to it. Unfortunately for Valve, the details on the Heartbleed bug were published when half of the company was in Hawaii; because of this, we believe it took approximately 24 hours for Valve to patch their servers (the bug was first mentioned, along with a patch to OpenSSL, on April 7th at 10:27 PDT[3] – though it did take a few hours for news of Heartbleed to spread; our own IRC logs indicate reports of Steam being patched around 10:28 PDT on April 8th). We believe this delay in action is unacceptable for a company like Valve – whose systems process sensitive data for millions of customers and partners.
During this time we caught the occasional mention that Valve’s servers were indeed leaking sensitive information (such as partner session IDs, logins and cleartext passwords), however upon patching the bug Valve did not mandate a password reset. As a result, an unknown user changed a different app’s name up to three days after the servers were patched[4] – proving that Steam Partner credentials were indeed exposed and abused during Heartbleed. We understand Valve mandated password resets for some Steam partner users, however we’ve had reports from many other Steam partners that their passwords had not been reset – leaving potentially compromised partner accounts accessible to this day. Additionally, Valve have never made an announcement to partners or customers with regards to what data may have been exposed via Heartbleed. We believe Valve’s response to Heartbleed was and remains unsatisfactory.
Unfortunately, these sentiments are not new – we’ve each had our concerns with regards to the security of Valve’s products for years, but we were never inclined to make any real effort to raise our concerns until the recent incident of a Steamworks developer receiving a Steam Community ban in relation to a bug report. Although we’ve mentioned the partner site and Heartbleed as a specific example of a failure from Valve, it’s worth clarifying that our comments are not limited to the partner site – we believe Valve’s behaviour put all of their products at risk.
Another core problem, we believe, is that Valve does not offer any adequate avenues for individuals to report bugs, nor sufficiently or consistently compensates individuals for reporting bugs. Our experience using the security@valvesoftware.com contact address suggests only one Valve employee appears to read and respond to these e-mails – which isn’t practical when major bugs (such as Heartbleed) are disclosed and urgent attention is required. We’ve had to resort to contacting Valve employees directly, often employees whose work is unrelated to the problems we’re reporting, over instant messaging services in order to ensure somebody at Valve is aware and can pass along the report to whomever can deal with it; while this often works out, it introduces various opportunities for the report to become misunderstood or lost en route to somebody’s desk.
The community at large has also had problems figuring out how to report bugs. It’s not uncommon for users of the TF2 subreddit to ask how to report a bug to Valve responsibly[5]. Most often the response is to email a specific set of employees at Valve, commonly those who are active in the various community mailing lists whose email addresses are therefore known. One service we’d recommend Valve take a look at and consider using, to alleviate many of the concerns we’ve raised in this letter, is HackerOne[6]. This service is used by many reputable companies (Yahoo[7], Twitter, CloudFlare[8], and more[9]) to manage their bug bounty programs, by making it easy for users to report bugs and optionally reward researchers who find bugs.
In conclusion, we believe Valve are putting themselves, their customers, and their partners at risk by not having a well defined bug bounty policy; not having any clear instructions on how users can report bugs; and not being transparent with the various parties involved when serious bugs arise. We’re all fans of Valve, and our ultimate goal is not to be an inconvenience, but to help make Valve’s products and customers more secure. We hope Valve understands our concerns and can rectify them within the coming months.
Steamguard would not help in the potential situation where non-unique keys were being used to store things on a CDN. That person never logged in as you. He simply went to his profile page after logging in and your stuff appeared, and vice versa.
> Haven't really read every page here, but anyone else find it disturbing that steamguard did absolutely nothing during this whole fiasco? I actually found out by some random guy emailing me (on the email I use for my steam account) saying I was logged in as him and could I please log out.
> That means this guy was looking at my account information, got my email address and emailed me, meaning he was logged in as me, in a completely different country no less, and steamguard didn't even send me a text or email saying someone was logged in from an unauthorized account. Top notch fellas, top notch. It's things like this that really make me second guess all the digital purchases I make.
I don't think steamguard would have helped in this scenario. Authenticated user pages were being cached and randomly served to the wrong computers. Heck, you didn't even have to be logged in to view someone's account earlier. Just punch in the account page URL in your browser and you would get a random page served back to you.
I'm sure we will get an official response after the holidays
A sensible post by an intelligent poster. Unlike this one. *hands dunce cap*
Probably the greatest security failure of all time in gaming, and Valve is acting far worse than Sony ever did... Whelp...
Definitely going to use the service more sparingly from here on out...
Unless you're as dumb as your posts in this thread make you seem, odds are your private information is not out there on the Internet as this Steam information breach has exposed.
Identity theft is serious. BASELINE Valve should give every Steam user 1 year of identity theft protection from a good agency.
Statements on these kinds of things come from legal and marketing, not 3rd shift IT guys
At least one good thing happened because of this, it got me to check on my super old email I use for Steam
Lol
Isn't this splitting hairs? If Valve screwed up by misconfiguring Varnish so that it cached account pages when it shouldn't have been, that's still a "caching issue." No one's saying that "caching issue" means Valve is somehow off the hook or that Akamai/Varnish/etc. are somehow at fault.
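The mechanism several posts describe (authenticated account pages stored by a shared cache and handed to whoever asks for the same URL next, logged in or not) can be modelled in a few dozen lines. The example below is added here and is not code from the thread, from SteamDB or from Valve; it assumes nothing about Steam's real cache layout beyond what the posts say. The origin server, the session cookie values and the account data are constructed for the illustration. It also includes a small header check a practitioner would run against a logged-in page to see whether a shared cache is even allowed to store it.

```python
"""Toy shared cache (think Varnish or a CDN edge) in front of an origin that
renders per-user account pages. Shows the failure mode from the thread: a cache
that keys on URL alone and ignores the origin's Cache-Control header serves
user A's page to user B and to an unauthenticated request. The correctly
configured cache does not. All sessions and account data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample sessions: cookie value -> (account name, masked phone, masked card)
SESSIONS = {
    "sess-alice": ("alice", "phone ending 1234", "card ending 4242"),
    "sess-bob":   ("bob",   "phone ending 9876", "card ending 0001"),
}


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def origin(path: str, cookie: Optional[str]) -> Response:
    """Hypothetical origin. The account page is rendered from the session cookie
    and marked private/no-store, so a shared cache must not keep it."""
    if path == "/account/":
        if cookie not in SESSIONS:
            return Response(302, {"Location": "/login"}, "")
        name, phone, card = SESSIONS[cookie]
        body = f"Account: {name}; {phone}; {card}"
        return Response(200, {"Cache-Control": "private, no-store", "Vary": "Cookie"}, body)
    # Anything else is genuinely shared content and may be cached for everyone.
    return Response(200, {"Cache-Control": "public, max-age=60"}, f"static page {path}")


def shared_cache_may_store(headers: Dict[str, str]) -> bool:
    """Practitioner check: may a shared cache store a response with these headers?
    Simplified from RFC 7234: 'private' or 'no-store' forbids it; otherwise an
    explicit 'public', 'max-age' or 's-maxage' makes it storable."""
    directives = {d.strip().split("=")[0].lower()
                  for d in headers.get("Cache-Control", "").split(",") if d.strip()}
    if directives & {"private", "no-store"}:
        return False
    return bool(directives & {"public", "max-age", "s-maxage"})


@dataclass
class SharedCache:
    honor_cache_control: bool = True  # False: store whatever the origin returns
    vary_on_cookie: bool = True       # False: key on URL only (the misconfiguration)
    store: Dict[Tuple[str, Optional[str]], Response] = field(default_factory=dict)

    def _key(self, path: str, cookie: Optional[str]) -> Tuple[str, Optional[str]]:
        return (path, cookie if self.vary_on_cookie else None)

    def get(self, path: str, cookie: Optional[str] = None) -> Response:
        key = self._key(path, cookie)
        if key in self.store:
            return self.store[key]  # cache hit: the origin never sees this requester
        resp = origin(path, cookie)
        if resp.status == 200 and (not self.honor_cache_control
                                   or shared_cache_may_store(resp.headers)):
            self.store[key] = resp
        return resp


def account_pages_seen(honor_cache_control: bool, vary_on_cookie: bool) -> Tuple[str, str, str]:
    """Alice loads her account page, then Bob loads his, then an anonymous client
    requests the same URL, all through one shared cache. Returns the three bodies."""
    cache = SharedCache(honor_cache_control, vary_on_cookie)
    alice_sees = cache.get("/account/", "sess-alice").body
    bob_sees = cache.get("/account/", "sess-bob").body
    anon_sees = cache.get("/account/", None).body
    return alice_sees, bob_sees, anon_sees


if __name__ == "__main__":
    for cfg in [(False, False), (True, False), (False, True), (True, True)]:
        _, bob, anon = account_pages_seen(*cfg)
        print(f"honor_cache_control={cfg[0]!s:5} vary_on_cookie={cfg[1]!s:5} "
              f"-> bob sees: {bob!r}; anonymous sees: {anon!r}")
```

Only the first configuration leaks: Bob, and the client with no cookie at all, both receive Alice's page, because the URL alone is the cache key and the origin's `private, no-store` is ignored. Either fix on its own is enough in this model, but the durable one is the origin marking per-user responses `Cache-Control: private, no-store` and the cache honouring it; keying on the cookie merely stops users seeing each other while still leaving every user's page sitting on the edge node.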
How do you go about checking this?
> Quick summary:
Thanks for this!! I think I'll just stay off Steam until Valve comes out with a better statement. My only payment method on file is PayPal which has the extra authentication level anyway so I'm not worried about that, but no need to participate in any drama.
> At least one good thing happened because of this, it got me to check on my super old email I use for Steam
> Lol
Holy crap, lol.
> This is wrong. Anyone in security will tell you that clear, upfront disclosure is the correct choice (not to mention legally required in some jurisdictions.) It's not like the bad guys aren't going to know about the problem if Valve doesn't announce it; the only thing that'll happen is that less connected users won't have accurate information and will be at the mercy of whatever random information they can find.
> Email address, last four digits of credit card, purchase history is more than enough info to social engineer access to an account through customer service.
> Anyone who says this isn't one of the biggest infosec disasters in recent memory needs to be on the receiving end of it, frankly.
I might have jumped the gun a bit with my earlier post.
From what I'm reading in what he said, he's saying the issue is more one of improperly encrypting the information sent which seems like a bigger deal to my layman eyes.
> It seems all the information from SteamDB was correct as always. They are as much in the know as Valve, but more open.
> I hate being called a Steam shill or full damage control from relaying information from Twitter to try to help people.
For what it's worth, I don't really know why people were all up in your grill, you seemed to do your best keeping people informed and up to date without jumping the gun either way.