Steam security issue revealed personal info to other users on XMas Day (fixed)

Wow I'm looking at someone else's account page right now.
Seriously what the fuck Valve.

I just searched for the Account website (cache) 5 minutes ago and stumbled upon this.

Okay, I understand.

We knew that there was a problem with the Google cache where you can see the information of a particular user. That's not the same as the other problem where looking at your own account would serve up another user's account page.
 
How do you know this? Anecdotal evidence?

We don't know how bad this breach was. We don't know if people were taking advantage of it. Valve's response wasn't even factually accurate, so we can't even be sure they have solved the problem yet.

Anecdotal? No, it's simply not how web caching works. There is absolutely no way to easily get the information of any specific account.
 
I'm sure glad Valve made everyone enter their tax information in order to sell on the community market. I know none of that was leaked, but their (expected) terrible statement and that yesterday's issues seem to still be happening, makes me pretty wary.
 
I have never once, nor seen anyone else following best practices, allow personal information or payment handling pages ever enter the cache.

Valve did.

Holy shit. A friend told me about this last night, but he believed someone had hacked Steam or something. So it was a problem on Valve's end? If so, could it happen again someday? Scary.
Yup, the sheer amount of incompetence that seems to reside behind the biggest digital retailer on the PC platform is truly scary.
 
Video gamers, as a whole, could be the single most asinine group of corporate apologists in our modern times.

It's truly spectacular.

Really it's not that serious and I don't get why people are freaking out over this. As I posted before whether you realize it or not your full name, address, phone number, and email address are freely available online if you know where to look. The main alarming thing is any part of the credit card being available.

That being said it's a risk you are accepting by opting to save your payment information on retailers' servers. I have been a part of many sites that have been breached, and at this point you need to realize it's not if but when this will happen to you.

As a Steam user since it was in beta in 2004 and have over 700 games in my library this won't affect my use of the service one bit.

Here's a great example.

Could you imagine if like a movie theater did this? Or a publisher? Or even a golf club? You think their customers would be tripping over themselves to downplay the seriousness of the breach?
 
Why was this information being passed unencrypted to the cache and/or CDN in the first place? This should've been done over an SSL (https connection) in which case it wouldn't have exposed the information to random people viewing Steam's store.

The fact this info was encrypted at all should be a massive red flag. This isn't just a "whoops we clicked a button and some info got exposed". If this info is still available through a non-SSL connection then the problem still remains, hiding in the background.
 
They couldn't. I tried to delete one guy's CC info whose profile was showing up for me so no one could charge him. Every time I clicked the button I got moved to another profile. I still could easily go back to the previous guy though. It was always still there.

It was people at Valve that removed them in the end, that I'm sure of. My own was gone as well.
Even if that's true, then that's Valve messing around with CC info and not telling you.
 
Anecdotal? No, it's simply not how web caching works. There is absolutely no way to easily get the information of any specific account.

According to who, SteamDB? That factually inaccurate non-response from Valve? There have been some good theories as to how this unfolded, but I stand by the fact that we still don't know the full extent of the issue.

I see, but isn't this pretty sketchy too?

Definitely. But we need to make sure users realize you're not talking about a new issue.
 
So...is it fixed or not? I'm getting mixed messages here.

I did the whole cache thing when searching on Google, and it's the same guy from Mexico that people keep mentioning from an hour or two ago.
 
I just searched for the Account website (cache) 5 minutes ago and stumbled upon this.
Which means that steam's servers are fine. It's just some other site's copy of the steam page from a while ago.
The only thing valve can do about it is to ask that site to remove the cached copy.
So...is it fixed or not? I'm getting mixed messages here.
I did the whole cache thing when searching on Google, and it's the same guy from Mexico that people keep mentioning from an hour or two ago.
It's fixed. Google will have to remove the cached copy they have. It's not in valve's hands.
 
If Valve was a responsible company, they would have immediately shut down all their servers immediately after finding out about this mishap. If I didn't have over 500 games, I'd delete my account over this huge breach.

Should we even be accessing our account to remove personal info or will that make things worse?
 
I have never once, nor seen anyone else following best practices, allow personal information or payment handling pages ever enter the cache.

Valve did.
Yeah, this.

This isn't just an accidental misconfiguration of the cache. Their website code is passing info that should be behind an SSL. I'd be interested to see if they can maintain their PCI compliance, seeing how that's required to process CC transactions.
 
I don't know what to do.. is it safe or what? wtf should I do?!?!

If Valve was a responsible company, they would have immediately shut down all their servers immediately after finding out about this mishap. If I didn't have over 500 games, I'd delete my account over this huge breach.

Should we even be accessing our account to remove personal info or will that make things worse?

I'll quote what I said earlier:

We don't really know the full ramifications of what was capable during the breach. A lot of guesses.

Assume that your information on your Steam account page has been compromised. Replace passwords on all accounts that may be linked to your Steam account. Keep an eye out for login attempts on everything. If you don't already, activate two-factor authentication on your Steam account and anything else that supports it.

Your payment information and full phone number is probably safe. It is likely safe to log in to Steam. Personally, I would not buy anything right now.

Also anyone wondering about internet security in general should read the free PDF copy of Blown To Bits, an excellent basic overview of the subject.

It's safe until we get confirmed proof otherwise.

We have yet to get confirmed proof it's safe, aside from Valve's non-statement. We have plenty of proof that it wasn't safe at one point.
 
Really it's not that serious and I don't get why people are freaking out over this. As I posted before whether you realize it or not your full name, address, phone number, and email address are freely available online if you know where to look. The main alarming thing is any part of the credit card being available.

That being said it's a risk you are accepting by opting to save your payment information on retailers' servers. I have been a part of many sites that have been breached, and at this point you need to realize it's not if but when this will happen to you.

As a Steam user since it was in beta in 2004 and have over 700 games in my library this won't affect my use of the service one bit.

Yeah... I guess it's just 'cause I've sadly grown accustomed to this type of thing from all sorts of companies but this particular instance doesn't seem that bad when compared to other breaches of personal information. That doesn't excuse that it happened or Valve's very blasé response to it but in the grand scheme of personal data breaches, this seems pretty minor if the only thing that got out there was email addresses, account names, purchase history and last digits of CC numbers and phones. I mean, if people want to do nefarious stuff with that sort of info, I'm sure they could find it on the internet anyway. If actual CC numbers and full phone numbers and full personal names, addresses and so on got out there, then this would be a massive problem but at least as far as I understand this, that hasn't happened.

It's this kind of thing though that makes me never save any CC info on websites. And the fact that this seems like a self-inflicted wound on Valve's part screwing up and not some malicious outside attack is definitely worrisome, especially when so much digital commerce is predicated on some level of trust that the company you're giving your personal information to isn't going to screw up like this.
 
Really it's not that serious and I don't get why people are freaking out over this. As I posted before whether you realize it or not your full name, address, phone number, and email address are freely available online if you know where to look. The main alarming thing is any part of the credit card being available.

That being said it's a risk you are accepting by opting to save your payment information on retailers' servers. I have been a part of many sites that have been breached, and at this point you need to realize it's not if but when this will happen to you.

As a Steam user since it was in beta in 2004 and have over 700 games in my library this won't affect my use of the service one bit.

So are you suggesting every consumer should assume every online service will not work as advertised?
 
I don't know what to do.. is it safe or what? wtf should I do?!?!

You should panic. Everyone should panic.

Alternatively: Hold off on checking your account page or buying new stuff until we get a more definitive response from Valve. We're most likely safe at the moment but Steam's being a little fucky for me and I'd appreciate more information on the issue.
 
As I posted before whether you realize it or not your full name, address, phone number, and email address are freely available online if you know where to look.

Not in connection to my username on steam (which I might use in other places as well). Same with the e-mail. This is far more serious than just "oh, a first name and address, just like the phone book!".
 
Which means that steam's servers are fine. It's just some other site's copy of the steam page from a while ago.
The only thing valve can do about it is to ask that site to remove the cached copy.

It's fixed. Google will have to remove the cached copy they have. It's not in valve's hands.

Wouldn't be so sure.

The fact the community market keeps going up and down all morning and (if legit - not that I'm calling people liars here ofc) that people in here saying they had their CC numbers removed is really odd. It had to be Valve that did that, unless there is something else very wrong we're not aware of.

All I know is I still cannot access the community market. However the store shows me logged in (can't even access my inventory however as that's part of the comm market) and my account balance so idk.
 
Ha ha ha, it's happening again? What a fucking joke.

It's horrible that this is happening to people's sensitive information, but I'm glad it's happened to show how fucking off the rails Valve has been for years and that things need to seriously change hardcore over there. Steam has been a disgrace for a long time but chugged on protected entirely by a holy field of fans' goodwill. Now there's a great big gash in that once unmoveable shield and fuzzy hype feelings aren't going to cut it any more.

Childish lack of management structure needs to finally kick its own arse up and into corporate adulthood.
 
I am not sharing shit man. That being said if my info leaks from an online site there is some responsibility I take by saving it there.

Could you imagine if banks worked this way?

"Sorry, you took the risk of getting your money stolen by banking with us at this location."

Your bizarre partially-at-fault view is just wrong.
 
I am not sharing shit man.
Then you should stop talking.
That being said if my info leaks from an online site there is some responsibility I take by saving it there.
No. That's not how consumer-customer relationships work. Aside from giving a really shady business my data, if I entrust a company with my data I don't have responsibility for their mistake.

What a weird way to look at things.
 
Changed my PayPal password as soon as this all went down and at the time and since then there has been no activity there. Checked my bank account this morning and everything's fine.

Valve still have some 'splainin to do.
 
Could you imagine if banks worked this way?

"Sorry, you took the risk of getting your money stolen by banking with us at this location."

Your bizarre partially-at-fault view is just wrong.

Good thing there are regulators in these industries looking out for the consumer!
 
So you think that's advice that normal people should be expected to follow?

In an ideal world, yes. Everyone should value their personal data as a commodity and very rarely share it with anyone.

Well actually in an ideal world, privately stored data is never publicly revealed. But to keep yourself and your data safe, you should avoid entering it on the internet as much as possible.

That being said, there's no excuse for blaming Steam users for this mess.

EDIT: Ah, hlhbk has been banned. What they were saying had a ring of truth, but surrounded by a lot of nonsense.
 