Steam security issue revealed personal info to other users on XMas Day (fixed)

I said that caching is a good example of an issue that can occur on production servers despite working correctly on staging and then you reply to me that you use a testing environment at work. Okay?
We would've caught it because our testing environment would use the same caching the production environment uses. Because what use is a testing environment that doesn't work exactly the same? How difficult is that to understand? They did sloppy testing, there's no doubt about it. It's absolutely amateur hour if they weren't using the Varnish server in their testing environment. Internal testing is a key component in making sure you don't fuck your customers over.

But go ahead, continue with your cheerleading, I hope it helps you sleep at night.
 
So what does this mean to me?

I should change my password? No payment details are stored on steam.

I also didn't access Steam or anything during this issue.
 
Still nothing but that laughable Kotaku answer from Valve's side?

I have over 900 games on steam and don't plan to quit pc gaming anytime soon so it's unrealistic for me to entirely boycott this shitty company. But I will make sure to purchase as little from their store as possible and use other authorized resellers so Valve don't get their 30% or whatever cut from me (they don't, right?).
Planned to buy a few more games from their site during the sale but I'm not really in the mood for that anymore.

What happened today is fucked up but I feel like shit happens and as online consumers we know the risks involved and we should always be vigilant in protecting ourselves. However, I am so disappointed with Steam right now after reading the updated Kotaku article. Not even an apology, huh, and just telling people to move on basically and do nothing is unbelievable.
 
I'm just curious about this whole cache issue, any IT people here that know if this was caused by user error on Valve's end? I know it's a shitty thing that happened, but if it was user error: A) I feel bad for that dude and they are more than likely fired; B) If it can happen to Valve it can happen to other services as well.

Someone posted this:

[image not preserved: a diagram of how the incident happened, from the linked Reddit ELI5 thread]

Don't know how true this graph is about the incident that happened. Maybe it was just an error in the systems?

Source: https://www.reddit.com/r/Steam/comments/3y8fgb/an_eli5_of_how_the_recent_events_happened/

Past 2 days almost, I feel like I'm getting a crash course in the inner workings of IT.
 
Valve's handling of this has been pretty disgraceful. They really need to have better customer service and be far more transparent about what exactly happened today.
 
We would've caught it because our testing environment would use the same caching the production environment uses. Because what use is a testing environment that doesn't work exactly the same? How difficult is that to understand? They did sloppy testing, there's no doubt about it. It's absolutely amateur hour if they weren't using the Varnish server in their testing environment. Internal testing is a key component in making sure you don't fuck your customers over.

But go ahead, continue with your cheerleading, I hope it helps you sleep at night.

No company would release a new product version on Christmas Day. If it indeed was a configuration change that appears on Christmas Day, it's most likely an increase of some threshold value or some other limit change, to allow more users for the Steam winter sale. How would a company do a stress test for millions of concurrent users during a threshold change?
 
Interesting. Got a security code sent to my phone. Looks like someone was trying something I guess? All my info is fine on my account, nothing changed, still have Steam Guard enabled, no email alerts though and no CC on file. Hmmmm.

I haven't received a text code since I added my phone number. Odd.

Change your password! A security code is sent if someone logs in using a correct username and password and then triggers the two-step authentication. If you got a code out of nowhere, someone knows your username and password!
 
No company would release a new product version on Christmas Day. If it indeed was a configuration change that appears on Christmas Day, it's most likely an increase of some threshold value or some other limit change, to allow more users for the Steam winter sale. How would a company do a stress test for millions of concurrent users during a threshold change?
It's got nothing to do with stress testing, if the caching issue occurred at all it would've presented with 5 users let alone 5 million. They didn't do their due diligence and in the process user data was leaked.
 
And people wonder why I still prefer physical gaming...

If you still prefer physical gaming when it comes to PC games, despite what happened now, then you might as well not bother at all.

And if you have purchased physical games through online retailers, your personal information is still at risk. And that's the major issue with this event.

What's important is how to move forward, not that we run back.
 
If you still prefer physical gaming when it comes to PC games, despite what happened now, then you might as well not bother at all.

And if you have purchased physical games through online retailers, your personal information is still at risk. And that's the major issue with this event.

What's important is how to move forward, not that we run back.

So we're stuck with buying from GAME :'(
 
No company would release a new product version on Christmas Day. If it indeed was a configuration change that appears on Christmas Day, it's most likely an increase of some threshold value or some other limit change, to allow more users for the Steam winter sale. How would a company do a stress test for millions of concurrent users during a threshold change?

Which is WHY you try as much as humanly possible NOT to touch anything crucial on Christmas Day during one of your busiest times of the year! Valve has plenty of traffic data from previous years. They should've at least been able to foresee what caching regimen they should have in place to handle the whole sale. Obviously, things can happen and shit can go wrong that requires a hotfix. But short of the site dying, you'd think under normal circumstances no one would've tried to commit and push a configuration change like this. And if they were, you'd think someone would be ready to shut the whole thing down if something went awry.

Someone on Reddit theorized that maybe the configuration change was automatic based on a Chef script or something like that. If so, maybe that's more understandable on Valve's part (at least the bit where no one caught the issue for an hour), but it still implies their code was faulty if the Chef script was pushing a bad configuration.
 
You say 'Outside of steamworks games' as if it's nothing.

A lot of major PC games are forced Steamworks. Want to play games like Fallout 4, Black Ops 3, Saints Row 4, Deus Ex: Mankind Divided and almost 400 other games but don't want to use Steam? Then your only choices are piracy or consoles.

Yup. But at least the access to all of my games is in the hands of one company. Can't have other publishers make me download their distribution system yo. I mean, all those extra mouse clicks..
 
Uh stores get their networks breached all the time.. or you get a bad employee who is a scammer.

Probably more risk involved lol.

Cash. I use it for everything.

Edit: ok not everything, just almost everything. But CCs can be handled in a secure (where secure = low limit + limited use + I make my bank call me) fashion, even if you just maintain a couple for credit scores / crazy emergencies as I do.
 
Well, time to change my password. I am never saving my CC info on Steam (or anything else, for that matter) again.

Also: just a short statement (not even an apology) on Kotaku/GameSpot? Not even a detailed explanation of what happened? Nothing on the homepage of the software, no e-mail advising us to change our password or warning us that our data may have been compromised? Nothing?

What are the odds of a class action being taken against Valve? This isn't a jest: such a huge security breach, with a lot of personal info being leaked out (e-mail address, phone number, country, account name, last 4 digits of CC, even your home address) is intolerable. This should never have happened. This shouldn't have been even remotely possible to happen.
 
Not even an apology? Seriously.

Going to be reconsidering my options the next time I want to buy a PC game. The fact it even took them so long to respond is one thing, but the eventual response we did get is unacceptable in this day and age. They shared personal details without consent, really hope this doesn't blow over and they are forced to learn a sense of humility from it.
 
What a shameful scandal! And the best part is that we won't be compensated.
Unless you were one of the served up accounts, what compensation would you expect?

The ones that did get served up and were up there for everyone (or how ever many random accesses on the various sites there were) should get identity theft protection services paid for by Valve.
 
Don't worry guys, in a couple of days they will give away a video game and everyone will love Valve again because free stuff yay!
I have more video games than I can physically play, what I want is to have details about what happened, why, and what risk we encountered and will encounter in the future.
I want to know if someone got access to my personal data, my cc info, address or whatever else.
 
What do you expect/want as compensation? Free games? :)

Why should we be compensated?

Unless you were one of the served up accounts, what compensation would you expect?

The ones that did get served up and were up there for everyone (or how ever many random accesses on the various sites there were) should get identity theft protection services paid for by Valve.

Free AAA games. A few years ago when Sony was attacked over the PSN, they made a press conference and bowed to apologize to their customers and gave free games, and at that time not even user accounts were revealed or exposed or threatened like with this shameful event. Yet a few months later Steam got attacked and Valve didn't compensate anything at that time. Hell, they didn't even communicate about it, as if they wanted to show themselves as invincible and pretend they can never be attacked by not admitting what happened to them (lol it was very funny steam forums led to porn site at that time what a shame). Now this problem is really SERIOUS! They need at least to talk about it and apologize. Correct the mess, increase their service security and refund the victims.
 
Is the problem fixed now? Do we need to change anything in the account like password or anything?

Well, time to change my password. I am never saving my CC info on Steam (or anything else, for that matter) again.

Also: just a short statement (not even an apology) on Kotaku/GameSpot? Not even a detailed explanation of what happened? Nothing on the homepage of the software, no e-mail advising us to change our password or warning us that our data may have been compromised? Nothing?

What are the odds of a class action being taken against Valve? This isn't a jest: such a huge security breach, with a lot of personal info being leaked out (e-mail address, phone number, country, account name, last 4 digits of CC, even your home address) is intolerable. This should never have happened. This shouldn't have been even remotely possible to happen.

I don't think there's anything you need to do now besides take precautions to avoid future attacks. No passwords were breached through this leak, so strictly speaking I don't think you need to change your password (it wouldn't have helped you anyways in this particular instance), but changing your password is usually not a bad idea even if there's no security breach or information leak in progress. I haven't tried it yet, but removing your payment information may also help. I don't know if Valve keeps your billing address stored in its system if you remove payment info, or for how long if they do, so it's possible your address and phone number could remain in their system even after you wipe all payment options from your account.

Hopefully Valve is preparing a more thorough response for tomorrow. Shutting down the site and fixing the leak took too long, but that's done now so no further damage should be done, at least. Their initial response is wanting, but this is one place where I'll buy the excuse of "it's Christmas," especially as there appear to be no steps anyone can take to mitigate the current damage at this point and likely no way of even knowing if your information in particular was exposed (unless you're one of the lucky people who have already been contacted via email or phone by concerned strangers, of course!).
 
People over here like "I want free shit" and I'm sitting here praying Valve hires dedicated staff to make sure things like this are actually handled when they happen. Priorities I guess.
 
Wow, even Le Monde, the French newspaper, talks about it: http://www.lemonde.fr/pixels/articl...ait-paniquer-les-joueurs_4838188_4408996.html

What a shameful scandal! And the best part is that we won't be compensated.

Would a compensation really help you though? A compensation would be a short-term solution for a long-term problem. I'd rather want Valve to state how this problem has taught them something and how they'll reduce the risk of it happening again.
 
Would a compensation really help you though? A compensation would be a short-term solution for a long-term problem. I'd rather want Valve to state how this problem has taught them something and how they'll reduce the risk of it happening again.

Yes I stated that in the previous page.
 
Free AAA games. A few years ago when Sony was attacked over the PSN, they made a press conference and bowed to apologize to their customers and gave free games, and at that time not even user accounts were revealed or exposed or threatened like with this shameful event. Yet a few months later Steam got attacked and Valve didn't compensate anything at that time. Hell, they didn't even communicate about it, as if they wanted to show themselves as invincible and pretend they can never be attacked by not admitting what happened to them (lol it was very funny steam forums led to porn site at that time what a shame). Now this problem is really SERIOUS!

I mean we actually don't know how many Steam users were affected but it seems based on the evidence that only a minority were affected by this caching error.

I think it's super fucked up that Valve have yet to clarify the extent of the breach and how they may have been affected but it's hard to argue that everyone should receive compensation for what has only happened to a few users.
 
There doesn't need to be compensation in the form of free games. What's the point? Valve just needs to fix their shit so it doesn't happen again.
 
Free AAA games. A few years ago when Sony was attacked over the PSN, they made a press conference and bowed to apologize to their customers and gave free games, and at that time not even user accounts were revealed or exposed or threatened like with this shameful event. Yet a few months later Steam got attacked and Valve didn't compensate anything at that time. Hell, they didn't even communicate about it, as if they wanted to show themselves as invincible and pretend they can never be attacked by not admitting what happened to them (lol it was very funny steam forums led to porn site at that time what a shame). Now this problem is really SERIOUS!

Really it's not that serious. As I posted before, whether you realize it or not your full name, address, phone number, and email address are freely available online if you know where to look. The main alarming thing is any part of the credit card being available.

That being said it's a risk you are accepting by opting to save your payment information on retailers servers. I have been a part of many sites that have been breached, and at this point you need to realize it's not if but when this will happen to you.
 
I would argue that some sort of CC protection service should be handed out as compensation. Or at least some sort of general protection service program. Something that'd actually assist people should a real issue arise from this.
 
Soooo...it seems I went to sleep, only to wake up about an hour ago to find out there has been a Steam Apocalypse.

My question is...do I need to do anything eg change password, payment details, etc.
 
SERIOUS! They need at least to talk about it and apologize. Correct the mess, increase their service security and refund the victims.

Of course they should, that's what people have been saying in this thread from the start. But giving out free games doesn't solve anything. Instead, people will either be offended, or use it as an excuse to be offended.

As for victims not being refunded? Have there been any reports or signs of them not going to be refunded?
 
People over here like "I want free shit" and I'm sitting here praying Valve hires dedicated staff to make sure things like this are actually handled when they happen. Priorities I guess.

They still haven't sorted out their customer support issues and it's been over a year since they mentioned they were actively looking into it - who knows how much earlier they were considering that aspect. We need a miracle from them to get something like IT emergencies handled. Honestly they need to step it up, they are a multi-billion dollar company, they can invest in some sort of fail-safe.
 
Hahahahahahahahaha. Valve's response was "oh yeah we changed some setting and some shit happened. It's fixed now. Whatever. Cya."

So good.
 
So I just saw this, I had bought a game around the time of the issue, and then unlinked the payment method right away, is that an issue?
 
People over here like "I want free shit" and I'm sitting here praying Valve hires dedicated staff to make sure things like this are actually handled when they happen. Priorities I guess.

I think both can be expected in this case. Valve needs to show they value their customers. So far they just come off as arrogant brats.
 
I've seen a lot of "last 4 digits of CC" comments in this thread, but can you actually see the last 4 digits of the CC on Steam? All I find are the last 2 when I go to order something or check my account details. Last 2, no expiry date and obviously no 3-digit security code, that doesn't seem like it'd do much of anything.

The rest of the information is annoying, but sadly I've been on the internet so long I don't have any doubt all that information is already readily available, either from sites selling my information by forcing me to sign some ToS thing that gives them the right to or just from one of the many many breaches in the past. At this point I'm resigned that my name, address or email aren't really secret in any way or form, so one more breach doesn't really change much.
 
We would've caught it because our testing environment would use the same caching the production environment uses. Because what use is a testing environment that doesn't work exactly the same? How difficult is that to understand? They did sloppy testing, there's no doubt about it. It's absolutely amateur hour if they weren't using the Varnish server in their testing environment. Internal testing is a key component in making sure you don't fuck your customers over.

But go ahead, continue with your cheerleading, I hope it helps you sleep at night.
I can imagine the issue with caching stemmed from the load of Christmas day. So unless you run regression suites while you're running your load testing, you probably wouldn't have done.

Although have they said more? Was it just some idiot changing something they shouldn't have done?
 
It's got nothing to do with stress testing, if the caching issue occurred at all it would've presented with 5 users let alone 5 million. They didn't do their due diligence and in the process user data was leaked.

We would've caught it because our testing environment would use the same caching the production environment uses. Because what use is a testing environment that doesn't work exactly the same? How difficult is that to understand? They did sloppy testing, there's no doubt about it. It's absolutely amateur hour if they weren't using the Varnish server in their testing environment. Internal testing is a key component in making sure you don't fuck your customers over.

But go ahead, continue with your cheerleading, I hope it helps you sleep at night.

Personal attacks aside: Due to how (layered) caching works, there could be significant difference between how the server handles 5 or 5 million or 50000 users. Cache by nature is a feature that can have unexpected consequences even hours later. Obviously the timing could not have been more unfortunate: very busy business day, but also THE biggest holiday around the world. You might think that assessing the situation and fixing the problem was just a flip of a very large switch, but it really doesn't work like that.
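The two-user check that the posts above argue a staging environment with the same cache would have run, as an added Python example that is not code from this thread or from Valve. It models a shared edge cache in front of a personalised /account page with a leaky setting (key on URL only, Cache-Control: private ignored) beside a hardened one (requests with a session cookie bypass the cache, private honoured); it also shows why the leak reproduces with two users and needs no load. The session names, account data and cache behaviour are constructed for illustration and are not Valve's actual configuration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed sample sessions and account data, not real users.
ACCOUNTS = {
    "sess-alice": {"name": "alice", "email": "alice@example.com", "card_last2": "42"},
    "sess-bob": {"name": "bob", "email": "bob@example.com", "card_last2": "17"},
}


def origin(path: str, cookie: str) -> Tuple[str, str]:
    """Origin server: returns (body, Cache-Control) for a request.
    /account is personalised and marked private; everything else is public."""
    user = ACCOUNTS.get(cookie)
    if path == "/account" and user:
        body = f"name={user['name']} email={user['email']} card=**{user['card_last2']}"
        return body, "private, no-store"
    return "public store front", "public, max-age=60"


@dataclass
class EdgeCache:
    """Simplified shared cache (think of a Varnish tier) in front of the origin.
    key_fn returns the cache key for a request, or None to bypass the cache;
    honor_private=False models a config that caches regardless of Cache-Control."""
    key_fn: Callable[[str, str], Optional[str]]
    honor_private: bool
    store: Dict[str, str] = field(default_factory=dict)

    def fetch(self, path: str, cookie: str) -> str:
        key = self.key_fn(path, cookie)
        if key is not None and key in self.store:
            return self.store[key]  # cache hit: origin never sees the cookie
        body, cache_control = origin(path, cookie)
        cacheable = not (self.honor_private and "private" in cache_control)
        if key is not None and cacheable:
            self.store[key] = body
        return body


def url_only(path: str, cookie: str) -> Optional[str]:
    """Weak key: the session cookie plays no part, so every user shares one entry."""
    return path


def bypass_sessions(path: str, cookie: str) -> Optional[str]:
    """Hardened key: requests carrying a session cookie are never cached at the edge."""
    return None if cookie else path


def cross_user_leak(cache: EdgeCache) -> bool:
    """Regression check for staging: two users visit /account in sequence;
    the second must never receive data belonging to the first."""
    cache.fetch("/account", "sess-alice")
    seen_by_bob = cache.fetch("/account", "sess-bob")
    return "alice" in seen_by_bob


if __name__ == "__main__":
    leaky = EdgeCache(key_fn=url_only, honor_private=False)
    fixed = EdgeCache(key_fn=bypass_sessions, honor_private=True)
    print("leaky config leaks:", cross_user_leak(leaky))  # True: bob gets alice's page
    print("fixed config leaks:", cross_user_leak(fixed))  # False
```

Either defence alone stops this particular leak (honouring `private` or keying sessions out of the cache), but the check belongs in the suite that runs against the real cache tier, since a unit test against the origin alone can never see it.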