Steam security issue revealed personal info to other users on XMas Day (fixed)

I've seen a lot of "last 4 digits of CC" comments in this thread, but can you actually see the last 4 digits of the CC on steam? All I find are the last 2 when I go to order something or check my account details. Last 2, no expiry date and obviously no 3digit security code, that doesn't seem like it'd do much of anything.

The rest of the information is annoying, but sadly I've been on the internet so long I don't have any doubt all that information is already readily available either from sites selling my information by forcing me to sign some ToS thing that gives them the right to or just from one of the many many breaches in the past. At this point I'm resigned that my name, address or email aren't really secret in any way or form, so one more breach doesn't really change much.

It's the same for me. Two last digits of CC and four last digits on phone number. Not sure if there's another view available that shows more, but I haven't found it yet.
 
Yeah, not happy with Steam's response. Exposing login ID, billing address, account email- and paypal email addresses to random people is a MAJOR fuck up. It's worse than a hack, they just went full broadcast and exposed stuff on a silver platter.
 
In my account page it says "The following payment methods are currently associated with your account.

*PayPal Email*"

Is this the thing that saves my details so I don't have to fill them with every purchase? I want to cancel that

It also says "For your security, you will be required to re-authorize your purchase with PayPal." when I try to add funds with PayPal.
I cancelled the pre-approved purchase thing from PayPal's website yesterday, I'm assuming this is the reason for this msg
 
Yeah, not happy with Steam's response. Exposing login ID, billing address, account email- and paypal email addresses to random people is a MAJOR fuck up. It's worse than a hack, they just went full broadcast and exposed stuff on a silver platter.

I agree, people going "meh" in this situation is baffling to me. Response from Valve even worse.
 
Free AAA games. A few years ago when Sony was attacked over the PSN, they made a press conference and bowed to apologize to their customers and gave free games, and at that time not even user accounts were revealed or exposed or threatened like with this shameful event. Yet a few months later Steam got attacked and Valve didn't compensate anything at that time. Hell, they didn't even communicate about it, as if they wanted to show themselves as invincible and pretend they can never be attacked by not admitting what happened to them (lol it was very funny steam forums led to a porn site at that time, what a shame). Now this problem is really SERIOUS! They need at least to talk about it and apologize. Correct the mess, increase their service security and refund the victims.

PSN was also down for a month to fix their issues which affected everyone on their network. Steam was down for a day at most after an hour of vulnerability that affected a minority of people. This breach is a lot less serious than PSN's breach comparatively. About the only thing Valve can be called out for compared to Sony is not saying "Sorry! Our bad."
 
How do I know if I was compromised? I unlinked my paypal around the time of the issues (9 pm CET) from steam

Why was it not ok to unlink from steam? Please tell me.
 
Yeah, not happy with Steam's response. Exposing login ID, billing address, account email- and paypal email addresses to random people is a MAJOR fuck up. It's worse than a hack, they just went full broadcast and exposed stuff on a silver platter.

Ok this is really bad but let's not go too far here... It's not worse than a hack. Nowhere near.

If this was a full scale hack with all of the details listed being compromised then you'd be on the phone to your bank instead of posting here if you knew what was good for you.
 
Ok this is really bad but let's not go too far here... It's not worse than a hack. Nowhere near.

If this was a full scale hack with all of the details listed being compromised then you'd be on the phone to your bank instead of posting here if you knew what was good for you.

In most cases "hacks" expose encrypted information and it is highly unlikely that it will be decrypted. The Steam cache bug from yesterday exposed all that information as it is without encryption, so it is a bigger issue even if only a limited number of accounts are affected (we will never know how many).
 
In most cases "hacks" expose encrypted information and it is highly unlikely that it will be decrypted. The Steam cache bug from yesterday exposed all that information as it is without encryption, so it is a bigger issue even if only a limited number of accounts are affected (we will never know how many).
It did not show anyone's full cc number though...so there is that at least
 
Ok, why wasn't I supposed to unlink from steam; is it serious?

Because doing any action on your account (updating/deleting info) could have exposed your page alongside the ones that were already out there. It could have already been out there, or it could not have had any effect, we just don't know.

The severity of the issue depends on what info you had on your account details section. If you were affected your email address would have been exposed, and if you had cc info saved your billing address was exposed too.
 
People over here like "I want free shit" and I'm sitting here praying Valve hires dedicated staff to make sure things like this are actually handled when they happen. Priorities I guess.
I'd stop hoping, Valve aren't going to do anything responsible and customer-beneficial like that. Just look at their laughably inadequate response above, they don't even consider revealing thousands of users' sensitive personal information to complete strangers to be a problem worthy of an apology.
 
"Less than an hour" is full of shit. The 4chan thread on /v went up around 2:30pm ET. The storefront and account details didn't get shut down until around 4:20pm ET. It was close to about 2 hours.
 
Where are you guys reading this?

http://kotaku.com/steam-goes-nuts-offers-access-to-other-peoples-account-1749718979

Valve has finally commented on today’s events, sending a statement to Kotaku this evening:

Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.

Lol.
 
Because doing any action on your account (updating/deleting info) could have exposed your page alongside the ones that were already out there. It could have already been out there, or it could not have had any effect, we just don't know.

The severity of the issue depends on what info you had on your account details section. If you were affected your email address would have been exposed, and if you had cc info saved your billing address was exposed too.

So my paypal account wouldn't be exposed anyway, right? Just my email address?
 
What I find funny is:

-Steam implements Steam Guard
-Steam implements regional lock on purchased games and gifting
-Steam implements mobile phone auth
-Steam implements authenticator
-Steam implements "hostage" period in case of trading

All of this in order TO PROTECT THE USERS.

Then they fucked up hard (for the second time), and no one cares.
Who is so incompetent to adopt a configuration switch at Christmas, when servers are under high volume traffic pretty much the whole time? And why?

At this point I ask myself what Valve employees do the whole day, because Steam support simply is the worst in the industry, even Origin/Uplay are much, much better.
There are no games in sight, if not occasional TF2/CSGO/DOTA2 updates, so a part of those employees work on this...but what about the rest? I mean, Valve is way slower to implement/upgrade Steam, to patch bugs in their client and so on, so what do they do all day?

And this post is not to troll or whatever, because I'm pretty much a PC player only (I have a PS3, but I haven't booted that in years), almost my entire catalogue is on Steam (with some games on GOG too), consisting of around 1800 titles. So yes, I gave Valve money, I don't want a free game/compensation, I just want to be safe with my data, because the PSN breach forced me to take another debit card (at least I didn't store CC info on Steam, using only wallet cards), but still there was my address, my phone number, my mail (I recently changed it so it would be a big pain in the ass if I start receiving spam because Valve fucked up, forcing me to change it again on all associated services and people I need to contact) etc. This is inexcusable.
 
People over here like "I want free shit" and I'm sitting here praying Valve hires dedicated staff to make sure things like this are actually handled when they happen. Priorities I guess.

Why would they handle it when they happen unless they are worried about being punished for not doing so?
 
Paypal info would have been safe, but go ahead and delink from paypal itself if you can. I did that under the Approved Payments screen in Paypal for WWW.steampowered.

Email addresses for affected folks were front and centre in the leak.

I had already delinked from steam, I assume it's too late to delink from paypal, I'm not seeing any options there.
 
I "believe" what happened yesterday didn't affect any user and it was just servers checking by Valve just like last time, a few months ago when you could hack an account by just knowing its login. Seriously Valve? We believe??? After what happened you still aren't sure of the extent of the attack that you don't want to acknowledge (like every time)? Does such a statement come from professionals and from the most used online service? This: "We believe" should become a MEME, just like Skyrim's "got an arrow on the know" that you just got btw. Thanks.
 
Sometimes things kind of work out. My credit card registered with Steam expired a few months ago, and unlike every time that happens, instead of registering the new one, I decided to use Paypal going forward (which doesn't store its password).

Still, this is really shitty, but there's little we can do about it except making a big enough splash that Valve double and triple checks before making these kinds of changes in the future.

Someone posted this:

Don't know how true this graph is about the incident that happened. Maybe it was just an error in the systems?

Seems pretty accurate (software engineer here). It's just an error in configuration, most likely out of a desire for the cache to operate on a wider range of pages (so as to alleviate some of the overload due to Christmas/deals shopping). As far as I can see, either they consciously configured the cache to work on all pages, forgetting that would expose personal information to anyone requesting it (a reasonable mistake if you assume validation occurs before accessing the cache, not after), or they made an honest mistake / typo in the cache wildcards that resulted in all of them being cached. It's still a human error in both cases though, and I wouldn't like to be in the shoes of the one/ones that pushed it online.
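To make the failure mode in the post above concrete, here is an added toy model (not code from the thread, from Valve or from any real cache product): an edge cache whose path-wildcard rule sweeps in personalised pages, keyed on the URL alone, hands one user's account page to the next requester of that URL, while a cache that honours Cache-Control: private / no-store does not. Session ids, user names and addresses are constructed.

```python
# Added example: toy edge cache showing how an over-broad path-wildcard rule
# leaks one user's personalised page to other requesters of the same URL.
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Constructed sessions and users; names and addresses are made up.
USERS = {
    "sess-alice": {"login": "alice", "email": "alice@example.invalid"},
    "sess-bob": {"login": "bob", "email": "bob@example.invalid"},
}

def render(path, session):
    """Origin server: public store pages, or a per-user page after a session check."""
    if path.startswith("/account"):
        user = USERS.get(session)
        if user is None:
            return 401, {"Cache-Control": "no-store"}, "login required"
        body = f"Account of {user['login']} <{user['email']}>"
        return 200, {"Cache-Control": "private, no-store"}, body
    return 200, {"Cache-Control": "public, max-age=60"}, f"Store page {path}"

@dataclass
class EdgeCache:
    cacheable: list            # path wildcards the operator chose to cache
    honor_private: bool        # respect Cache-Control: private / no-store?
    store: dict = field(default_factory=dict)

    def matches(self, path):
        return any(fnmatch(path, rule) for rule in self.cacheable)

    def fetch(self, path, session=None):
        # The cache key is the URL alone: the session cookie is not part of it,
        # so a stored personalised page is returned to whoever asks for that URL.
        if self.matches(path) and path in self.store:
            return self.store[path]
        status, headers, body = render(path, session)
        cc = headers.get("Cache-Control", "")
        private = "private" in cc or "no-store" in cc
        if self.matches(path) and not (self.honor_private and private):
            self.store[path] = (status, body)
        return status, body

def leak_demo(cacheable, honor_private):
    """Alice views her account page, then Bob requests the same URL; return what Bob sees."""
    edge = EdgeCache(cacheable=cacheable, honor_private=honor_private)
    edge.fetch("/account/details", session="sess-alice")
    return edge.fetch("/account/details", session="sess-bob")
```

With the rule `["/store/*"]` Bob gets his own page; widening it to `["/*"]` without honouring private responses returns Alice's page to Bob, and the same wildcard with `honor_private=True` is safe again.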
 
What I find funny is:

-Steam implements Steam Guard
-Steam implements regional lock on purchased games and gifting
-Steam implements mobile phone auth
-Steam implements authenticator
-Steam implements "hostage" period in case of trading

All of this in order TO PROTECT THE USERS.

Then they fucked up hard (for the second time), and no one cares.

No one cares? Who doesn't care?

Who is so incompetent to adopt a configuration switch at Christmas, when servers are under high volume traffic pretty much the whole time? And why?

Maybe because they were needed because of the high volume traffic? How many times have we been sitting here during steam sales, when the servers looked unavailable, and screamed in unison "OMG Valve do something?!11". :)
 
Why would they handle it when they happen unless they are worried about being punished for not doing so?

They did handle it around an hour after getting notified of it (unless you go by that one guy's calculation that starts from the thread on 4chan, because I am sure that every sysop guy is just casually surfing /v/ on Xmas eve) though.
 
What I find funny is:

-Steam implements Steam Guard
-Steam implements regional lock on purchased games and gifting
-Steam implements mobile phone auth
-Steam implements authenticator
-Steam implements "hostage" period in case of trading

All of this in order TO PROTECT THE USERS.

Then they fucked up hard (for the second time), and no one cares.
Who is so incompetent to adopt a configuration switch at Christmas, when servers are under high volume traffic pretty much the whole time? And why?

At this point I ask myself what Valve employees do the whole day, because Steam support simply is the worst in the industry, even Origin/Uplay are much, much better.
There are no games in sight, if not occasional TF2/CSGO/DOTA2 updates, so a part of those employees work on this...but what about the rest? I mean, Valve is way slower to implement/upgrade Steam, to patch bugs in their client and so on, so what do they do all day?

And this post is not to troll or whatever, because I'm pretty much a PC player only (I have a PS3, but I haven't booted that in years), almost my entire catalogue is on Steam (with some games on GOG too), consisting of around 1800 titles. So yes, I gave Valve money, I don't want a free game/compensation, I just want to be safe with my data, because the PSN breach forced me to take another debit card (at least I didn't store CC info on Steam, using only wallet cards), but still there was my address, my phone number, my mail (I recently changed it so it would be a big pain in the ass if I start receiving spam because Valve fucked up, forcing me to change it again on all associated services and people I need to contact) etc. This is inexcusable.

Do you not remember this?:

http://dl.pcgamer.com/Valve_Handbook_LowRes.pdf

This shouldn't be a surprise to you.
 
No one cares? Who doesn't care?

The "no one cares" refers to Valve.
And yeah, of course changes are needed, but if I understood correctly, they experimented with something new over Christmas (if I'm wrong, then don't consider that part).

Still, it is inexcusable that such things happen. I can understand being hacked, but I can't tolerate you, the service I'm giving money and trust, screwing up hard not a single time, but a second one too.
 
Last night I went on my account page to delete my paypal info from steam after all this shit happened, but I couldn't find my name/billing address on the page. Does that mean I'm "ok" and "only" my paypal and steam email were leaked, and my personal info would have been there only if I had linked my credit card? I also saved my phone number but only the last 4 digits are visible.
 
They did handle it around an hour after getting notified of it (unless you go by that one guy's calculation that starts from the thread on 4chan, because I am sure that every sysop guy is just casually surfing /v/ on Xmas eve) though.

It definitely lasted more than an hour. I was still seeing the store/account pages of other users shortly before I made this post:

This thread was created almost two-and-a-half hours ago. ;)
 
(unless you go by that one guy's calculation that starts from the thread on 4chan, because I am sure that every sysop guy is just casually surfing /v/ on Xmas eve) though.
In what situation would you not start the time calculation at the first reported occurrence of the issue?
 
Maybe because they were needed because of the high volume traffic? How many times have we been sitting here during steam sales, when the servers looked unavailable, and screamed in unison "OMG Valve do something?!11". :)

Prior preparation prevents piss-poor performance.

It's not beyond their scope to plan and test for this and make sure that infrastructure can support worst-case scenarios.

Making a config change at this date/time and with this much impact was amateur hour.
 
I sort of understand for the account info page thing. But why the hell is the payment review page not protected with a required login?

It's like if the same thing happened to GAF and the PM page could be accessed directly from a URL without login.
 
Going to be using Steam much less after that response. Which won't be hard considering the prices they charge outside of sales.

There are so many warning signs around how Valve are run. They need more dedicated staff regardless of culture. This should not just happen.
 