Steam security issue revealed personal info to other users on XMas Day (fixed)

Whelp, this schooled me. If anyone could provide a link to a guide or instructions on how to protect myself online, especially since this personal info is now 100% out there, that would be awesome. Or any helpful tips would be cool too.
 
There was a 90 cent Steam market purchase made with money from my Steam wallet, and when I tried to click on it to see the details there's nothing, but the money is still gone. Odd.
 
I have not bought anything on the sale yet, thanks to the removal of timed sales, and I might not buy anything at all now thanks to this.

Quick summary:

  • Viewing the Account Details page on Steam showed you as logged in as another user and allowed you to see their account details, including amongst other things the last 4 digits of their card number, their Steam account name and the E-Mail the account is attached to.
  • People start testing it and realize it does work; people become nervous about being affected and their account information being shown.
  • Couple of people report there have been purchases made causing people who have attached payment methods to panic
  • Huge demand that Valve takes down the servers and criticism for taking so long to do so.
  • SteamDB offers their theory on what happened, says it's not safe to log in or even view Steam pages making those who have been checking if the issue was still ongoing even more nervous
  • "Yeah yeah we're working on it" statement made by a Community Manager on Steam, declining a hacking attack
  • 1 hour later Steam servers go down (finally)
  • It is revealed that you could also see people's addresses and their full phone number(s) due to this issue. (if saved to the account due to the payment option)
  • Servers come back up without Valve saying anything
  • Valve releases short non-apology confirming SteamDB's theory but doing jack to inform people about their personal information being exposed.
  • Discussion about Valve's handling of the situation mixed with a bunch of people coming in thinking it's still an ongoing issue

I think that's the gist of the thread, sorry if I missed something.

anyone got a link to this "apology"?
I have not received anything to my mail registered to Steam
 
anyone got a link to this "apology"?
I have not received anything to my mail registered to Steam

Kotaku has it:

Valve said:
Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.

http://kotaku.com/steam-goes-nuts-offers-access-to-other-peoples-account-1749718979
 
Glad I didn't have any payment info saved; it seems the only thing that could have been seen was my email address, which I could change. Gonna keep an eye on my email account for a while, but I think I'm unaffected.

Really would be nice to hear a more in depth response from Valve and how they're gonna make sure this doesn't happen again, but I doubt we'll see that.

Any info on whether those reports earlier of fraudulent purchases or PayPal emptying were true? According to Valve's "statement" it shouldn't have been possible.
 
Valve's response was even worse than I expected, and I expected the worst.

You'd think they would mention something like "stay safe folks." When Neopets, of all things, had a similar cache breach, the admins personally went on the boards to tell people straight-up that shit was fucked yo and to stay safe.

This is what happens when a company has a monopoly. The barrier to entry for Steam competitors is also ridiculously high, because people have invested thousands of dollars in games linked to Steam. Steam isn't bound to console generations, so customers can't jump ship. PC gamers are trapped in a cycle of abuse.
 
So, my current theory is that anyone who didn't actually go through the process of specifically logging in during this time has not had their account show up for other people. I was online during the whole time but never logged out/back in and I have had no suspicious activity on my account whatsoever. Can anyone else confirm this so it feels a bit less anecdotal?
 
How is one meant to know if they've been affected by this – that is, their saved information accessed?

I believe I've logged into Steam in the past 24 hours, and have an address stored (isn't this required for all accounts?), but from reading the thread it sounds like there's no noticeable way to tell if an account has been accessed.


Guess there really isn't a way to tell then. Way to play it down.
 
Valve said:
Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.
Heh, less than an hour in ValveTime™.
 
anyone got a link to this "apology"?
I have not received anything to my mail registered to Steam
No email. If you didn't check gaming sites during the issue you have no way of knowing your data was/may have been made public. Current statement and overall handling has been garbage.
 
Obviously stuff like this shouldn't happen, but when it does it really should signify a huge wake-up call to the company in question and the necessity to have a responsive and empathetic PR and tech team. Regardless of how secure financial information is/was, people use these services under the belief their private account information remains hidden and safe from public eyes. When issues occur, you can't have a PR team more or less hand wave the incident as if the public are making a bigger deal than the actual risk, even if the actual risk is measurably low.

Very disappointing from Valve, even considering the inconvenience in time of year. Hopefully it results in a drastic overhaul of their PR and communications.
 
The only thing Valve seems to respond to is mass emailing. Email your favorite Valve person and ask them why this is such a non issue to them. They're all support, according to Newell, so you can't pick the wrong person.
 
Does gaben@valvesoftware.com still work? It might be time to bomb his mailbox with complaints.

Too easy. You can look up people in Valve's public directory. They list emails. Everybody is support.

The CS:GO and Dota communities have had success getting their games fixed by emailing devs. Then there was the paid mod fiasco. Valve responds to large email waves because (drumroll please) it costs them money to deal with them.

Don't spam them, but if you are unhappy or wish to express your concern, emailing them is actually a valid way to protest and probably the most likely avenue to get a response.
 
It's only like this because we made it that way. How many times have I heard "I won't buy it unless it's on steam." - "It's so convenient to have all my games under one platform."

Having been PC gaming since the 80s, how can we accept this? Have we really become so lazy that an extra mouse click is too high a usability gap to navigate? I remember having to make specific boot disks for games because I needed that extra 4 KB of high memory out of 640 KB to make the game work!

When you hand essentially monopoly powers to one service, even a benevolent one, they get complacent, and there's no innovation. Why should they? You're never going to leave them - it's like a relationship with an abusive spouse. I have games across multiple platforms, console, PC, handheld, mobile - I don't consider it a hurdle too difficult to get myself out of my chair and go to a different chair to use a different gaming system. Why should it be the same on one machine?


Preach it. Unless it is a steamworks game that I absolutely have to play I don't buy anything from steam. Fuck them.
 
All of this is shit, but transactions on Steam are still better than anywhere else because you can buy things without a CC/PayPal thanks to the marketplace or by using a gift card. Guess it's convinced me to keep buying that way instead of using debit card information.
 
Outside of steamworks games, when are you forced to use steam in order to play the game you want?

You say 'Outside of steamworks games' as if it's nothing.

A lot of major PC games are forced Steamworks. Want to play games like Fallout 4, Black Ops 3, Saints Row 4, Deus Ex: Mankind Divided and almost 400 other games but don't want to use Steam? Then your only choices are piracy or consoles.
 
Valve's response was even worse than I expected, and I expected the worst.

You'd think they would mention something like "stay safe folks." When Neopets, of all things, had a similar cache breach, the admins personally went on the boards to tell people straight-up that shit was fucked yo and to stay safe.

This is what happens when a company has a monopoly. The barrier to entry for Steam competitors is also ridiculously high, because people have invested thousands of dollars in games linked to Steam. Steam isn't bound to console generations, so customers can't jump ship. PC gamers are trapped in a cycle of abuse.

Yeah...

NexusMods, the mod portal for a bunch of games, got hacked a few weeks ago and had an incredibly extensive post about it and then another huge follow-up a few days later. The NexusMods dudes went into detail about the situation ASAP, the steps being taken, what was potentially breached, what was happening, and then reiterated everything once the facts were ironed out. NexusMods downright impressed me with their response.

Then there's Steam, which basically had to have a response beaten out of them by journalists. Like a friggin' piñata.
Kotaku has it:

Valve said:
Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.

http://kotaku.com/steam-goes-nuts-offers-access-to-other-peoples-account-1749718979
Like, it's the exact opposite I would've expected from the two. It's crazy!
 
You say 'Outside of steamworks games' as if it's nothing.

A lot of major PC games are forced Steamworks. Want to play games like Fallout 4, Black Ops 3, Saints Row 4, Deus Ex: Mankind Divided and almost 400 other games but don't want to use Steam? Then your only choices are piracy or consoles.

It's not nothing, but it's nowhere near enough to make someone exclusively use Steam for all of their PC game purchases.

The rest of the games can be purchased on competitor platforms, but people are choosing not to do so, even if it can be significantly cheaper, for reasons unbeknownst to me.
 
Like, it's the exact opposite I would've expected from the two. It's crazy!

If you just email Gabe, it's pretty easy to contain. I half think that's why his email is out there so prominently. But if a dozen or so people that don't normally deal with Steam get emails from upset and disappointed customers, they're going to have to address things, because that sort of disruption costs them productivity (money). That's how paid mods were stopped.

They shouldn't get away with having shit tier customer service. If they say they are all support, take their word for it.
 
Yep, that answer is as bad as their customer support. But the sad thing is that even a multimillion lawsuit wouldn't change them. They are the worst online store when communication with customers is in question. UPlay support is maybe slow, but their Twitter support is really fast and they are fast on their forums too; Origin has the best customer support; GOG also has relatively fast support. Hell, Nuuvem was more helpful even though I breached their ToS by purchasing there from outside South America.
 
So basically no real response or apology from Valve at all? That is some weak sauce garbage
 
Yeah, Gabe should have sent a personalized letter stating that they are hoping everyone's Neopets are safe and that we should take care of our close ones, instead of stating what happened (cache issue), what the situation is now (it's fixed), what the severity is (little to none) and what precautions one should take (none).

What the christ are some of you people about.
 
Phew. Logged in and removed my CC and set up Steam Guard. Nothing in my purchases history that isn't from me. Wondering if it's worth changing all my personal info over this.
 
Holy shit, Steam has breached the Data Protection Act and nobody has said or done a single thing about it? I work in information governance and this kind of thing is taken VERY seriously. I hope you can offer some kind of acceptable explanation Valve!!
 
Phew. Logged in and removed my CC and set up Steam Guard. Nothing in my purchases history that isn't from me. Wondering if it's worth changing all my personal info over this.

I'm in the process of changing my name, moving house and getting a new email address.

Can't have somebody else out there trying to be me. They can have my student loans debt though if they want.
 
Not even that. Have these morons ever even heard of a testing environment? If they had they would have caught it before they ever made it to production.

Somebody probably turned on the cache to solve the "slowness", hung around for a few minutes in the store and left for home happy.
 
Not even that. Have these morons ever even heard of a testing environment? If they had they would have caught it before they ever made it to production.

Cache issues are a good example of an issue that can easily occur in production despite clearing testing, due to the nature of how caching works.
 
Not sure what people expected; it's the response their lawyers would have told them to write.

They're not going to admit the seriousness of the issue during their busiest period of the year.
 
Why wouldn't the server's response simply return with a "bad header or session data" error, then?

Though I do see how what you've described could cause this, it seems like they either have an extremely modified build of Varnish or bad site code. Typically you're not going to be able to change a few lines in a config file to create this sort of behavior.

I'm not an expert in Varnish; we use it at work but I don't deal with it directly very often. I do know that I've seen instances where Varnish was serving per-user pages to people other than the user that originally requested the page. I mean, here's someone asking about that exact problem.

One of Varnish's big selling points is that it avoids having to make a request to the web servers at all if it's got something stored in its cache. Unless you consider the Varnish configuration part of the site code, that would mean any misconfiguration like the above is 100% not an issue with the site code, unless I'm completely misunderstanding the above page and the instances I've seen previously. (This is entirely possible, like I said the Varnish stuff isn't my usual wheelhouse.)

There are also caches closer to the web server like memcache that could easily do this, regardless of the session data. All it would take is for the controller to store the entire HTML response and then dumbly move the cache lookup outside anything that checks for the user's session. It sounds like that's not what happened here, based on the original statement (though if Valve is lying as you suggest, all bets are off), and this would qualify as an issue in the site code, but it does involve a caching layer.

In any case, I guess we're mostly arguing semantics at this point, as it sounds like we all agree on the fundamentals. Varnish alone wouldn't be responsible for this issue and was probably functioning as requested, and it seems really unlikely that a CDN would've been responsible either.
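As an added illustration of the failure mode this post describes (a cache lookup that sits outside the session check), here is a constructed model that is not Steam's, Valve's or Varnish's code: the session cookie, the handler and both cache classes are assumptions made for the example, and it shows a cache keyed on the URL alone beside one that passes authenticated requests through and honours Cache-Control: private.

```python
"""Model of a shared HTTP cache in front of a per-user account page.

Constructed example: demonstrates how a cache keyed only on the path
serves one user's account page to another, and how a cache that passes
cookied requests and honours Cache-Control: private/no-store avoids it.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    path: str
    cookie: Optional[str] = None  # hypothetical session cookie, e.g. "sid=alice"


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


# Constructed session table standing in for a real session store.
SESSIONS = {"sid=alice": "alice", "sid=bob": "bob"}


def account_page(req: Request) -> Response:
    """Origin handler: renders the caller's own account details."""
    user = SESSIONS.get(req.cookie)
    if user is None:
        return Response("login required", {"Cache-Control": "no-store"})
    # Per-user content is marked private so a shared cache must not keep it.
    return Response(f"account page for {user}", {"Cache-Control": "private"})


class UrlOnlyCache:
    """Buggy shared cache: keys on the path, ignores cookies and Cache-Control."""
    def __init__(self, origin):
        self.origin, self.store = origin, {}

    def fetch(self, req: Request) -> Response:
        if req.path not in self.store:
            self.store[req.path] = self.origin(req)  # first caller's page...
        return self.store[req.path]                  # ...is served to everyone


class SessionAwareCache:
    """Fixed shared cache: authenticated requests bypass the cache entirely,
    and responses the origin marks private/no-store are never stored."""
    def __init__(self, origin):
        self.origin, self.store = origin, {}

    def fetch(self, req: Request) -> Response:
        if req.cookie:                      # session present: go to origin
            return self.origin(req)
        if req.path in self.store:
            return self.store[req.path]
        resp = self.origin(req)
        cc = resp.headers.get("Cache-Control", "")
        if "private" not in cc and "no-store" not in cc:
            self.store[req.path] = resp
        return resp


def leaks_across_users(cache_cls) -> bool:
    """True if bob receives a page that was rendered for alice."""
    cache = cache_cls(account_page)
    cache.fetch(Request("/account", "sid=alice"))         # alice primes the cache
    seen_by_bob = cache.fetch(Request("/account", "sid=bob"))
    return "alice" in seen_by_bob.body


if __name__ == "__main__":
    print("url-only cache leaks:", leaks_across_users(UrlOnlyCache))           # True
    print("session-aware cache leaks:", leaks_across_users(SessionAwareCache))  # False
```

The same two checks (bypass on session cookie, refuse to store private/no-store responses) are what a shared cache or CDN layer must apply regardless of whether the caching happens in Varnish or in an application-side store such as memcache.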
 
Not sure what people expected; it's the response their lawyers would have told them to write.

They're not going to admit the seriousness of the issue during their busiest period of the year.

And this is the time we remember that users of Steam gave away their right to a class action lawsuit in a Steam TOS update months ago.
 
Yeah, Gabe should have sent a personalized letter stating that they are hoping everyone's Neopets are safe and that we should take care of our close ones, instead of stating what happened (cache issue), what the situation is now (it's fixed), what the severity is (little to none) and what precautions one should take (none).

What the christ are some of you people about.

Well, they didn't even bother with the typical "we apologize for the inconvenience this may have caused."

There's nothing. People could see home addresses, phone numbers and emails of other users, that is a huge data breach and not nothing at all.

And as someone who works in infosec mentioned to me over Twitter, Faceless007's analysis is spot on:
In the increasingly service- and account-based Internet, every piece of personally identifiable information a person hands over to a service should be treated as a potential attack vector for phishing or hacking attempts (not to mention doxxing), not just for that specific service but for any other service the user might have registered for. As such, it is (or should be) of paramount importance for service providers to keep all personally identifiable information as secure as possible. Two pieces of obscured information like username and billing address might not be enough to quickly log in as that person through the login page, but if the user uses any of the same information on another service, hackers only need to gather a few pieces of information like that to try to get through security questions or to social engineer their way into the account, which might in turn yield the clues to gain access to even more accounts, etc.

It's overly simplistic to only list the specific fields that were leaked and decide that nothing useful can be done on the Steam storefront with them. It would have been trivial during the breach for someone well versed in web scraping to write a script that repeatedly hit the account details page and saved all the information it could about however many users were getting exposed. All of those represent potential attack vectors. If those users have been the victims of other data breaches on other sites (you may have noticed this is happening with disturbing frequency), their email addresses might already be in hackers' repositories of breached users, and so the info from their Steam page can be added to whatever is already known about them. Their billing address or last 4 CC digits or phone number might be used as security questions by another service provider, and that would be enough to get in. This is how modern identity theft works.

None of this is certain to happen to any particular user, of course, but I hope it explains why service providers need to be held accountable for any sort of data breach and treat any breach as a massive liability concern, and why users should be encouraged to safeguard their own information carefully and treat any data breach as a potentially legally actionable cause.


Thankfully I hadn't been logged in the last couple of days because I just got my first SSD and transferred my OS and everything to it, also got a new card days ago before all this even happened. So if I did have any info, that part is outdated now.
 
Cache issues are a good example of an issue that can easily occur in production despite clearing testing, due to the nature of how caching works.
I don't know how their testing environment works, but for my work testing environment my team typically uses it themselves as a major component of our testing. We absolutely would have caught a caching issue like this.
 
Still nothing but that laughable Kotaku answer from Valve's side?

I have over 900 games on Steam and don't plan to quit PC gaming anytime soon, so it's unrealistic for me to entirely boycott this shitty company. But I will make sure to purchase as little from their store as possible and use other authorized resellers so Valve doesn't get their 30% or whatever cut from me (they don't, right?).
Planned to buy a few more games from their site during the sale, but I'm not really in the mood for that anymore.
 
I don't know how their testing environment works, but for my work testing environment my team typically uses it themselves as a major component of our testing. We absolutely would have caught a caching issue like this.

I said that caching is a good example of an issue that can occur on production servers despite working correctly on staging, and then you reply to me that you use a testing environment at work. Okay?
 