Steam security issue revealed personal info to other users on XMas Day (fixed)

The news story's been updated, Valve have made a statement:

From Gamespot:

"Steam is back up and running without any known issues," a Valve spokesperson told GameSpot. "As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users."

From Kotaku:

Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.

Also, about the Steam forum thread containing the same statement:

Killah just edited in the statement from the Kotaku article. Mods don't have an official line of communication with Valve employees any more than you or I.

It's just the same statement over and over. There's nothing new, nor any sign that we'll get more info on what happened and why.

On an unrelated note: it looks like the Google cache that stored some poor sap's full billing address and phone number has finally disappeared.
 
The hysteria in this thread, so funny

Yeah, it's hysterical being afraid of your personal data (including e-mails, telephone numbers and billing information if you saved them) floating around the web or someone meddling with your data. Such a funny thing.

And Steam's handling of the situation is amateurish. No, a statement in Kotaku's article or info buried somewhere on a message board is not enough. There's no official statement on the Steam client, nothing on their Facebook or Twitter account. As if nothing happened. If someone doesn't follow gaming press or visit gaming message boards he/she could be even unaware that something happened.

"Steam is back up and running without any known issues," a Valve spokesperson told GameSpot. "As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users."

Weren't people in this very thread confirming that they were able to delete other people's CC and PayPal info stored on their accounts? Yeah, that "no actions were allowed beyond viewing of cached page information" statement is bullshit.
 
I am not familiar with the specific server architecture, I just happen to work in web development (but definitely not as a sysadmin!). I probably know just enough to be dangerous in most cases.

I actually couldn't tell you if it's safe to log in and change your account info, only that the single statement Valve has released about the incident suggests the problem has been fixed. This is corroborated by the lack of any new reports of the problem. Going to your account page is still a risk, given how the leak occurred last time (basically, you visiting the page could mean that a cache is storing that response, which could then be served to others later). However, if we take Valve at their word and the caching configuration error is gone, then either your pages aren't in cache at all or they're in a per-user cache that shouldn't be displayed to other users or guests.

Moreover, at this point, the sooner you access those pages, the sooner they'll leave any caching system if indeed those pages are still cached. I suspect they aren't, because there's no reason to ever cache those pages in such a way that leaves identifying information intact, but since Valve hasn't told us anything about the nature of the problem or the solution we can only assume the worst and hope for the best.

Early reports suggested the best thing you could do was log out of Steam and not view any store pages. I think that advice was given by SteamDB (note: NOT affiliated with Steam, they are a third-party site) because of the aforementioned cache, where visiting your own account pages legitimately could get your pages into the publicly accessible cache. There's no evidence that being logged in or out is a vulnerability in itself, so I don't think you need to worry about your login status for now.

tl;dr: I think it's about as safe as it's going to be to log in and change your account, short of another official statement from Valve. You probably don't need to worry about logging out, either. However, I wouldn't blame you if you chose to exercise extreme caution and just stay out of Steam for a while longer; evidence suggests your information is still there even if you remove your payment info.
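The post above describes the mechanism in general terms: a shared cache that keys only on the URL and ignores the origin's cache-control headers will hand one user's rendered account page to the next requester, logged in or not. The toy model below is an added illustration, not code from the original thread or from Valve; the origin, sessions, phone numbers and addresses are all constructed, and the header handling shown is the standard HTTP `Cache-Control` / `Vary` behaviour, not anything known about Steam's actual setup.

```python
from dataclasses import dataclass


@dataclass
class Response:
    body: str
    headers: dict


# Constructed sample sessions; none of these are real accounts.
SESSIONS = {
    "sess-alice": ("alice", "+1 555-0100", "1 Example St"),
    "sess-bob": ("bob", "+1 555-0199", "9 Sample Ave"),
}


def origin(path: str, cookies: dict) -> Response:
    """Hypothetical origin server: a public store page plus a per-user
    account page that the origin correctly marks as not shareable."""
    if path == "/store":
        return Response("<h1>Winter sale</h1>",
                        {"Cache-Control": "public, max-age=60"})
    if path == "/account":
        user = SESSIONS.get(cookies.get("session", ""))
        if user is None:
            return Response("login required", {"Cache-Control": "no-store"})
        name, phone, addr = user
        return Response(f"account: {name}; phone: {phone}; address: {addr}",
                        {"Cache-Control": "private, no-store", "Vary": "Cookie"})
    return Response("not found", {"Cache-Control": "no-store"})


class NaiveCache:
    """The failure mode: key on the URL alone and ignore Cache-Control, so
    the first /account page rendered is served to every later requester."""
    def __init__(self):
        self.store = {}

    def fetch(self, path: str, cookies: dict) -> Response:
        if path not in self.store:
            self.store[path] = origin(path, cookies)
        return self.store[path]


class SafeCache:
    """Corrected: store only responses the origin marked shareable, and
    never anything marked private/no-store or varying on the Cookie header."""
    def __init__(self):
        self.store = {}

    @staticmethod
    def shareable(resp: Response) -> bool:
        cc = {t.strip() for t in resp.headers.get("Cache-Control", "").split(",")}
        if cc & {"private", "no-store"} or "Cookie" in resp.headers.get("Vary", ""):
            return False
        return "public" in cc

    def fetch(self, path: str, cookies: dict) -> Response:
        if path in self.store:
            return self.store[path]
        resp = origin(path, cookies)
        if self.shareable(resp):
            self.store[path] = resp
        return resp


def account_page_seen_by(cache, viewer_cookies: dict) -> str:
    """Alice views her own account page first (the legitimate visit the post
    warns about); then `viewer` requests /account. Returns what they see."""
    cache.fetch("/account", {"session": "sess-alice"})
    return cache.fetch("/account", viewer_cookies).body
```

With the naive cache both a logged-in second user and a logged-out guest receive Alice's page; the corrected cache still caches the public store page but never the account page.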

Thank you for the detailed reply. It feels shitty that I have to ask for advice on a videogame forum in this kind of situation but it's comforting to know there are good people on GAF who are willing to try and help.
 
It's just the same statement over and over. There's nothing new, nor any sign that we'll get more info on what happened and why.
Nor an apology for leaking people's personal information.

Valve showing how not to react when something like this happens. Awful response to the whole situation.
 
Valve's reaction to this is just unbelievable. Users were able to see personal account details of other users and they don't even care to mention that fact in their sorry excuse for a statement. There is not even a single word hinting at an apology.

Well, I made it a principle to never give out more details than necessary in any of my gaming accounts and specifically to not add my credit card info anywhere. Not on XBL, not on PSN and not on Steam.

Last night this was proven the correct way of going about these things yet again. If it's not some hacker attack, then it's incompetence as in this case. With a stance like Valve's, I guess it's only a matter of time before the first serious hacker attack hits.
 
Weren't people in this very thread confirming that they were able to delete other people's CC and PayPal info stored on their accounts? Yeah, that "no actions were allowed beyond viewing of cached page information" statement is bullshit.
No one has been able to prove that.
 
Not sure what people expected; it's the response their lawyers would have told them to write.

They're not going to admit the seriousness of the issue during their busiest period of the year.
They don't need to admit to the gravity of the situation, they just need to fucking tell people their personal information MAY HAVE BEEN viewed by other people like email, phone, residence, etc.

It's their job to inform people when shit like this happens so people can prepare and take any measures necessary to protect against potential fraud.

Having to go to a fucking gaming website to find out your shit's fucked up is not something a majority do. Lots of people go to gaming sites if you look at them exclusively. Not a whole lot go to gaming sites, as a whole.

They need to contact everyone with a legit response and not some hand-waving bullshit excuse done in passing.
 
I'm a long term user and have deleted my payment details and all my wishlist with the intention of buying elsewhere whenever I can.

Not saying sorry when their own mistake causes concern to their customers is very poor and I won't support any company like that.
I'm glad some people are taking it seriously!
No one has been able to prove that.
We've had reports of being able to delete the CC info and then reports in this thread from users who say their CC info seemed to have been deleted by someone. So I guess we don't have proof per se, but putting two and two together seems to get us the conclusion that it was possible. Although the statement seems to be inaccurate, it was actually nice of people to delete others' CC info as that meant less negative outcomes hopefully.
 
We've had reports of being able to delete the CC info and then reports in this thread from users who say their CC info seemed to have been deleted by someone. So I guess we don't have proof per se, but putting two and two together seems to get us the conclusion that it was possible. Although the statement seems to be inaccurate, it was actually nice of people to delete others' CC info as that meant less negative outcomes hopefully.

It'd be interesting to note if the people who deleted other users' CC info were the same ones that had their CC info deleted by others. If I understood Valve's response correctly (it's likely I may have not), people viewing other users' accounts were still, in fact, logged into their own accounts.
 
Weren't people in this very thread confirming that they were able to delete other people's CC and PayPal info stored on their accounts? Yeah, that "no actions were allowed beyond viewing of cached page information" statement is bullshit.

It is likely that those comments were bullshit; any attempt to do anything from those pages either resulted in an error or asking to log in, which makes sense with the issue being cached pages, i.e. not an active session under someone else's login credentials. You could see stuff for sure, but you couldn't do anything through Steam. Lots of potential outside Steam with the info though.
 
No one has been able to prove that.

By all means there's no way of telling that it did delete their CC info, as Steam could have just falsely confirmed the action while in reality it wasn't.

I know I could access the E-mail management page from someone's account details (with it still being the same user) and attempt to change their E-mail address, so I have no reason to doubt people were able to access the CC info edit page of other people as well.

Either way, however, there is no way of confirming nor denying that people were capable of these actions. As long as Valve refuses to communicate with and inform their customers which information was compromised and what actions could have been done, people have every right to assume the worst and should do so given how severe this accident was.
 
They don't need to admit to the gravity of the situation, they just need to fucking tell people their personal information MAY HAVE BEEN viewed by other people like email, phone, residence, etc.

It's their job to inform people when shit like this happens so people can prepare and take any measures necessary to protect against potential fraud.

Seriously. Just send a fucking email out. Suggest people keep an eye out, change email passwords, maybe even change their login/email associated with Steam.

Something.
 
It'd be interesting to note if the people who deleted other users' CC info were the same ones that had their CC info deleted by others. If I understood Valve's response correctly (it's likely I may have not), people viewing other users' accounts were still, in fact, logged into their own accounts.
That's an interesting point. That very well could have been the case. Maybe someone who noticed deleted CC info can comment on whether they tried to delete someone else's or if it just happened hours later when they found out about the hubbub and tried to log in.
My card information was removed from my account as well. Initially, I assumed Valve did it for all accounts, but I guess it was some random person.
Hello, speak of the devil haha. Did you try to remove anyone else's info that was appearing in your account?
 
The response is so shitty. What is with that non-apology.

I'm taking a guess they will do what they did with the password reset exploit and only email the users likely to have had their info compromised over that period based on the times those users accessed checkout / account pages. They really should address everyone though. In the past it has taken them a day to actually make a formal statement.
 

then taking your word for it, either Valve removed your cc info as a precautionary measure, which is something they should absolutely notify their users about if they did, or someone other than Valve had more than just read-only access to your account.

edit: Someone with an actual understanding of this should weigh in, my opinion in itself is meaningless as I have no professional knowledge in this area.
 
then taking your word for it, either Valve removed your cc info as a precautionary measure, which is something they should absolutely notify their users about if they did, or someone other than Valve had more than just read-only access to your account.

edit: Someone with an actual understanding of this should weigh in, my opinion in itself is meaningless as I have no professional knowledge in this area.

Like I said, Valve needs to step in and clear up exactly what happened, who was affected, what information was affected, what actions could have been made on someone's account and what Valve might have done themselves to protect affected users.

Customers shouldn't be tasked with having to figure that out themselves.
 
The ambiguity on what exactly happened yesterday highlights the seriousness of this issue. We don't know what happened. We don't know what was compromised, what users were capable of in each other's accounts. We just have a loose idea of how far most people got.

The only one who can tell us this is Valve. Each hour they are silent is another hour users have to guess blindly at what they need to be doing to re-secure their email accounts. Each hour they are silent is another hour that users who had no idea this even happened are unaware that they may need to take action to secure their information. Valve's incompetence in the past 18 hours cannot be understated. The lack of proper, authoritative information on the breach is just as dangerous as the breach itself.

Valve's incompetent and clearly incorrect answer is not a supportive piece of evidence to the magnitude of this breach. Until proven otherwise by a detailed statement from Valve, assume the worst about all information on your account details page, and anything else you can view within Steam. The potential for people using this window of opportunity is unknown at this time - here I would not assume the worst just yet but I will be taking precautionary measures.

Anyone who feels out of their depth on internet security should give a read to Blown to Bits, an excellent overview of the basics of computer and internet security. It's available as a free PDF in the link above.
 
You'd think the money they saved by hiring amateur engineers would have been used to pay for some actual CS/PR.

Problem is that Valve doesn't want to hire CS/PR. It wants renaissance men/women, and gives them the freedom to work whatever project they want. They don't have formal managers or job titles.
If they hire people to do a specific job, their corporate culture would apparently be destroyed, and they value that more than the benefits of having people for the important, not fun jobs that creative people don't want to deal with.

Personally, I don't see how a free-wheeling creative side, and a more structured side handling Steam can't co-exist, but I ain't a business man.
 
Wow pure insanity.
Played Dota last night. Any way to know if you were exposed? Wouldn't have logged in if I knew shit was going down.
 
The fact this disappeared from the front page is hilarious. If this was any other service than Lord gaben's it would be pitchforks big time. Can you imagine if it was origin or uplay?

The leeway that steam gets is insane!
 
then taking your word for it, either Valve removed your cc info as a precautionary measure, which is something they should absolutely notify their users about if they did, or someone other than Valve had more than just read-only access to your account.

edit: Someone with an actual understanding of this should weigh in, my opinion in itself is meaningless as I have no professional knowledge in this area.

Although to be honest I haven't bought anything on Steam since June. Maybe I removed my card info around that time and I don't remember, but I doubt it since I actually trusted Steam with my info.
 
Like I said, Valve needs to step in and clear up exactly what happened, who was affected, what information was affected, what actions could have been made on someone's account and what Valve might have done themselves to protect affected users.

Customers shouldn't be tasked with having to figure that out themselves.

agreed 100%
 
Wow pure insanity.
Played Dota last night. Any way to know if you were exposed? Wouldn't have logged in if I knew shit was going down.

Beyond checking if someone posted your Steam account name, nope.

That's the problem right now, and it's up to Valve to fix it.
 
Problem is that Valve doesn't want to hire CS/PR. It wants renaissance men/women, and gives them the freedom to work whatever project they want. They don't have formal managers or job titles.
If they hire people to do a specific job, their corporate culture would apparently be destroyed, and they value that more than the benefits of having people for the important, not fun jobs that creative people don't want to deal with.

Personally, I don't see how a free-wheeling creative side, and a more structured side handling Steam can't co-exist, but I ain't a business man.

Valve could outsource the tasks that they as a company are incapable of performing. A collection of firms could provide CS/PR, and Valve could dictate what they want or need. They could also accept contractor work for Steam's client and server software.

At least from the exterior, Valve appears to be in over their heads here. If they're doing any outsourcing, they need to do more.

The fact this disappeared from the front page is hilarious. If this was any other service than Lord gaben's it would be pitchforks big time. Can you imagine if it was origin or uplay?

The leeway that steam gets is insane!

My pitchfork is well and truly sharpened and I see plenty more in this thread. News of the issue will spread and the news will not be treated lightly.
 
The fact this disappeared from the front page is hilarious. If this was any other service than Lord gaben's it would be pitchforks big time. Can you imagine if it was origin or uplay?

The leeway that steam gets is insane!

This thread has two-thirds the posts and 1.5x as many views as the actual Steam winter sale thread that's been up for days. I'm pretty sure it's getting attention on GAF.
 
Looking at the account page now, I see that my phone number is there but it's only the last 4 digits, is that something they changed in the fix? Was the whole number visible before?
 
Looking at the account page now, I see that my phone number is there but it's only the last 4 digits, is that something they changed in the fix? Was the whole number visible before?

From what I understand the whole number and address are visible in the edit/add payment options screen and possibly on the Android Steam app.

No it was only ever that.
Not true

http://www.neogaf.com/forum/showthread.php?p=190425008#post190425008

http://www.twitch.tv/giantwaffle/v/31761287
at 1:33:00 ish
 
But it was Christmas yesterday. I didn't see or hear anything about this until I got home at around 10 last night.
Not everybody has something to say. I know personally I lurk but don't post in threads I know nothing about.

both true


This thread has two-thirds the posts and 1.5x as many views as the actual Steam winter sale thread that's been up for days. I'm pretty sure it's getting attention on GAF.

Hah, I incorrectly figured (because of the changed thread title) that the latest winter sale OT was started after the incident.
 
One good thing came out of this: I never saved card info on Steam, but I've gone to Amazon and other places where I shop and have deleted all of my saved card info. I would encourage others to use this as a lesson and do the same. :)
 
The ambiguity on what exactly happened yesterday highlights the seriousness of this issue. We don't know what happened. We don't know what was compromised, what users were capable of in each other's accounts. We just have a loose idea of how far most people got.

The only one who can tell us this is Valve. Each hour they are silent is another hour users have to guess blindly at what they need to be doing to re-secure their email accounts. Each hour they are silent is another hour that users who had no idea this even happened are unaware that they may need to take action to secure their information. Valve's incompetence in the past 18 hours cannot be understated. The lack of proper, authoritative information on the breach is just as dangerous as the breach itself.

Valve's incompetent and clearly incorrect answer is not a supportive piece of evidence to the magnitude of this breach. Until proven otherwise by a detailed statement from Valve, assume the worst about all information on your account details page, and anything else you can view within Steam. The potential for people using this window of opportunity is unknown at this time - here I would not assume the worst just yet but I will be taking precautionary measures.

Well said.

If they don't tell us anything about this in the next 5 hours it will be over 24 hours since the exposure happened and we will know for sure that Valve doesn't care at all about their rightfully worried customers.
If you don't frequent GAF, reddit or twitter you probably don't even know about your personal data being potentially exposed on the internet.

No it was only ever that.

It was fully visible to people when you went through the checkout process.
https://i.imgur.com/SvwWJRG.png

edit: beaten
 