Steam security issue revealed personal info to other users on XMas Day (fixed)

Having a Steam Wallet balance would have been about as open to abuse in this instance as a saved payment method. Just don't save payment methods to your account. Yes, it's a little annoying having to type in your billing info each and every time you buy something, but better that than being out of pocket.

I'm more thinking of the breach as a whole. I don't add funds unless I want to buy anything.
They might not have leaked stuff like in the PSN case, but this is a royal screw up and an announcement should be made from Valve. I don't even need an apology.

It's not like I am going to stop using Steam or anything. I knew anything could happen, it can happen to any service.
 
I'm more thinking of the breach as a whole. I don't add funds unless I want to buy anything.

Sure, but it's not as though you can buy Steam Wallet codes in particularly specific amounts. Like, if you wanted something that's $10 and then activated a $20 code, you'd have $10 sitting there until something else comes along. $10 that someone could have pinched earlier today. On the other hand, if you'd used a credit/debit card and elected to not save the payment info, then you would've had absolutely nothing to worry about in regard to unsolicited purchases.
 
Sure, but it's not as though you can buy Steam Wallet codes in particularly specific amounts. Like, if you wanted something that's $10 and then activated a $20 code, you'd have $10 sitting there until something else comes along. $10 that someone could have pinched earlier today.

Absolutely. At the same time, it would be the only damage done. It wouldn't be fun but it's far better than having issues with PayPal or your Credit Card.

I won't fuss about this just as I didn't fuss much about PSN (started using PSN cards and PayPal was the only difference).

What I am trying to say is that Valve shouldn't get away with this screw up. It should be reported on and they should issue an official announcement of what happened. That's basically all I want to see.
 
What I am trying to say is that Valve shouldn't get away with this screw up. It should be reported on and they should issue an official announcement of what happened. That's basically all I want to see.

Yeah, I understand that. I'm just making the point that it's actually safest to use something other than store credit and leave the payment info unsaved, unless of course you're eyeing something that happens to match the denominations you can buy.
 
Yeah, I understand that. I'm just making the point that it's actually safest to use something other than store credit and leave the payment info unsaved, unless of course you're eyeing something that happens to match the denominations you can buy.

Usually, I spend what I have so that I don't have wallet money. At points, I might have ~€5.
 
Gabe, I don't know how much you know about gaming but honor and shame are big parts of it.

The only thing to do now is release Half-Life 3 or you can kiss your business goodbye.
 
Gabe, I don't know how much you know about gaming but honor and shame are big parts of it.

The only thing to do now is release Half-Life 3 or you can kiss your business goodbye.

LOL it's not the same thing without "I don't know how much you know about Japanese culture (I'm an expert)"
 
If I make a statement about an issue I caused I usually start the timing when the information reaches me to the point where the fix has been shipped. When splitting hairs like 30 minutes it's always important to remember that rolling out things takes time and that's how it is. Would the statement have made you feel safer if it laid out things by the minute? Maybe.

Where was the due diligence when rolling out the configuration change? Because if it had indeed gone through a process the engineer responsible should have noticed the issue before the first customer (making the timespan between problem and solution even longer!). But you're saying it like some dude flipped a switch and said "well, that's a job well done" and went home. Then it was up to customers to raise the problem, and only when doing that did some apparent roll-out process begin and the clock begin ticking.

Just sloppy behaviour all round from Valve.
 
Where was the due diligence when rolling out the configuration change? Because if it had indeed gone through a process the engineer responsible should have noticed the issue before the first customer (making the timespan between problem and solution even longer!). But you're saying it like some dude flipped a switch and said "well, that's a job well done" and went home. Then it was up to customers to raise the problem, and only when doing that did some apparent roll-out process begin and the clock begin ticking.

What on Earth are you talking about. I mentioned multiple times that NOTHING about this was like flipping a switch. The configuration change was most likely an automated task in the first place. Something goes wrong. It's reported somewhere. Eventually the right person(s) receives the information, who then asserts the danger and does the necessary changes, confirms them and rolls it out to the needed services and sees that they come back and work as intended. Especially when you are talking cache here, some users might still get wrong content for quite a while.

People think that the damage here is somehow catastrophic, like all the personal information was spread to everyone, how Steam somehow spilt all its beans. Obviously as a whole that's not the case, some individuals might be affected in a catastrophic way but I have no idea what that would be.
 
I can't believe Valve still haven't informed their users about this issue.

Over 100 million accounts are potentially affected, and you can bet your ass the vast majority of their owners don't read Kotaku or surf message boards, especially not at Christmas.

Valve have our email (and at this point, they're not the only ones) or hell, they could pop something up in the client or on the website. But nope, silence, aside from a shitty non-response in a place most of those affected won't read it.
 
What on Earth are you talking about. I mentioned multiple times that NOTHING about this was like flipping a switch. The configuration change was most likely an automated task in the first place. Something goes wrong. It's reported somewhere. Eventually the right person(s) receives the information, who then asserts the danger and does the necessary changes, confirms them and rolls it out to the needed services and sees that they come back and work as intended. Especially when you are talking cache here, some users might still get wrong content for quite a while.

People think that the damage here is somehow catastrophic, like all the personal information was spread to everyone, how Steam somehow spilt all its beans. Obviously as a whole that's not the case, some individuals might be affected in a catastrophic way but I have no idea what that would be.

Regardless, the impact of the change should have been assessed and someone should have been there to monitor it. Automated task or flipping a switch and leaving is basically the same if you don't have protocol to sanity check the deploy. This was obviously not a routine change. And just being able to see other people's PII without permission/approval is catastrophic enough by the way.
 
just what the FUCK is this shit?

Valve what the hell? i can't even trust you with my personal info? i thought they were super vigilant with this stuff...

okay then, i haven't used Steam in a long time anyway so i'm ready to let it go, how exactly do i remove all my personal details? (without losing the games i bought preferably)
 
You can still see the google cache for the account website :|
I think everyone can see the same dude's name (don't type it here obviously). Feel bad for the poor dude.
why isn't there a link in the OP?
It's a load of horsecrap anyways, barely worth acknowledging that Valve said it:
Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.
They're not sorry. And the statement is arguably wrong. So whoopie.
 
Long thread, and nothing mentioned in OP. Has Valve given any sort of statement in regards to this occurrence?

Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.

http://kotaku.com/steam-goes-nuts-offers-access-to-other-peoples-account-1749718979
 
Is there a way to use Google authenticator with steam? I don't like the mobile app.

Sadly I don't think so.

You can however move it to a PC if you want with winauth which is a 2FA app for PC. Something else I would suggest would be moving from google authenticator because it doesn't have any protection like a pin.

I use Authenticator Plus (Paid) but there is also Authy (Free). Authenticator Plus is great because it has an export function which can be imported by winauth.
 
I just removed all my payment info from Steam. It still shows my home address and phone number when I try to add Steam credit. I can't find any way to specifically remove that data, so for the moment we're at the mercy of whenever Valve clears out that data (which could be never, if it's stored in a database as opposed to cached somewhere).
 
something still seems to be going on.
browsing community market i get logged out every 3-4 pages / links i click on.

I'll be looking at an item, refresh the page, and suddenly I'm not logged in. wait a min / refresh and I'm logged back in, over and over...

seriously annoying.

Volvo's customer service still a joke as always
 
Long thread, and nothing mentioned in OP. Has Valve given any sort of statement in regards to this occurrence?

There is a sticky buried in the forums.

http://steamcommunity.com/discussions/forum/0/458604254431478327/

 
I just removed all my payment info from Steam. It still shows my home address and phone number when I try to add Steam credit. I can't find any way to specifically remove that data, so for the moment we're at the mercy of whenever Valve clears out that data (which could be never, if it's stored in a database as opposed to cached somewhere).

I remember reading your posts during the incident, you mentioned you are quite familiar with the sort of server architecture steam is using.

I take it you believe it's safe to log in and change our account info. Would you recommend logging out afterwards?
 
I'm not defending Valve, but customer service recovered my cousin's account in 1 day. Now, for this weird fuck-up error, Valve should apologize for this and do a proper statement.

still not logged in on Steam. out of city.
 
It is indeed. And granted, for the majority of users, yesterday's mishap likely wasn't catastrophic. But the response is in poor form, and it makes me wonder what it'll take for people to finally stop gobbling up Steam's garbage treatment of users.

I'm a long term user and have deleted my payment details and all my wishlist with the intention of buying elsewhere whenever I can.

Not saying sorry when their own mistake causes concern to their customers is very poor and I won't support any company like that.
 
I've deleted my payment info and have decided not to use Steam until Valve fixes their significant problems. Shame on you, Valve, for not being upfront with your customers affected by this error. It's inexcusable in this day and age, and somehow they still practice it.
 
something still seems to be going on.
browsing community market i get logged out every 3-4 pages / links i click on.

I'll be looking at an item, refresh the page, and suddenly I'm not logged in. wait a min / refresh and I'm logged back in, over and over...

seriously annoying.

Volvo's customer service still a joke as always
Hey don't be talking shit bout Volvo.
 
The news story's been updated, Valve have made a statement:

Valve said:
"Steam is back up and running without any known issues," a Valve spokesperson told GameSpot. "As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users."
 
I remember reading your posts during the incident, you mentioned you are quite familiar with the sort of server architecture steam is using.

I take it you believe it's safe to log in and change our account info. Would you recommend logging out afterwards?

I am not familiar with the specific server architecture, I just happen to work in web development (but definitely not as a sysadmin!). I probably know just enough to be dangerous in most cases.

I actually couldn't tell you if it's safe to log in and change your account info, only that the single statement Valve has released about the incident suggests the problem has been fixed. This is corroborated by the lack of any new reports of the problem. Going to your account page is still a risk, given how the leak occurred last time (basically, you visiting the page could mean that a cache is storing that response, which could then be served to others later). However, if we take Valve at their word and the caching configuration error is gone, then either your pages aren't in cache at all or they're in a per-user cache that shouldn't be displayed to other users or guests.

Moreover, at this point, the sooner you access those pages, the sooner they'll leave any caching system if indeed those pages are still cached. I suspect they aren't, because there's no reason to ever cache those pages in such a way that leaves identifying information intact, but since Valve hasn't told us anything about the nature of the problem or the solution we can only assume the worst and hope for the best.

Early reports suggested the best thing you could do was log out of Steam and not view any store pages. I think that advice was given by SteamDB (note: NOT affiliated with Steam, they are a third-party site) because of the aforementioned cache, where visiting your own account pages legitimately could get your pages into the publicly accessible cache. There's no evidence that being logged in or out is a vulnerability in itself, so I don't think you need to worry about your login status for now.

tl;dr: I think it's about as safe as it's going to be to log in and change your account, short of another official statement from Valve. You probably don't need to worry about logging out, either. However, I wouldn't blame you if you chose to exercise extreme caution and just stay out of Steam for a while longer; evidence suggests your information is still there even if you remove your payment info.
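
The mechanism described in the post above, as an added example that is not part of the original thread and not Valve's actual configuration (which was never published): a shared cache that keys on the URL alone and stores every response replays one user's account page to the next visitor. The `origin` handler, the `SharedCache` class, the paths and the user names are all hypothetical.

```python
# Constructed model of a shared (reverse-proxy) cache in front of an origin.
# All names, paths and users are hypothetical sample values.

def origin(path, session_user):
    """Origin server: renders the page for whoever the session cookie identifies."""
    if path.startswith("/account"):
        body = f"Account page for {session_user}: billing address, phone"
        # Per-user page: the origin marks it as not storable by shared caches.
        return {"body": body, "headers": {"Cache-Control": "private, no-store"}}
    return {"body": "Store front page",
            "headers": {"Cache-Control": "public, max-age=60"}}


class SharedCache:
    def __init__(self, honor_cache_control):
        self.honor_cache_control = honor_cache_control
        self.store = {}  # keyed by path only: no cookie or user in the key

    def _storable(self, response):
        if not self.honor_cache_control:
            return True  # the misconfiguration: store every response
        header = response["headers"].get("Cache-Control", "")
        directives = {d.strip().split("=")[0].lower() for d in header.split(",")}
        return "public" in directives and not directives & {"private", "no-store"}

    def get(self, path, session_user):
        if path in self.store:
            return self.store[path]["body"]  # hit: the origin is never consulted
        response = origin(path, session_user)
        if self._storable(response):
            self.store[path] = response
        return response["body"]


def simulate(honor_cache_control):
    """alice loads her account page, then bob requests the same URL."""
    cache = SharedCache(honor_cache_control)
    cache.get("/account", "alice")
    return cache.get("/account", "bob")


if __name__ == "__main__":
    print("misconfigured:", simulate(False))
    print("corrected:    ", simulate(True))
```

With the corrected setting the account page never enters the shared store, which is also why visiting your own page is harmless once the cache honours the origin's headers.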
 
The truly sad part is they know they have most PC gamers by the balls where they can't go anywhere else. So they have no incentive to own up to a mistake like this or improve customer service.

Makes me glad I started losing interest in AAA games a while back to where all my PC game purchases were outside of Steam for a while now.
 