Steam security issue revealed personal info to other users on XMas Day (fixed)

Initially, Sony handled the breach very poorly. After the huge backlash from fans and international media, it went to great lengths to reduce the risk of it happening ever again. Sony's executives publicly apologized in Japanese fashion and the company hired a top-tier security firm to improve their infrastructure. This event is not as catastrophic as Sony's, but Valve sure could learn a thing or two from Sony's eventual response.


That's a deep bow.

It made the Guardian - a little bit more of a big deal than Kotaku or IGN.
 
Both defence force and lynch mob are rubbish.

I can't think of a way Valve could have handled this situation worse. A "lynch mob" mentality is the usual internet explosions, but criticizing Valve for their utter, total incompetence in every category is justified. Frankly, I'm glad there are users getting emotional about this whole thing - this is serious business and Valve's usual aloofness won't fly here.

Does Amazon have a lot of your information? Do other companies? This is included in my etc etc. It is never down to blaming the consumer.

I agree that it's not the consumer's fault, but savvy consumers have ways to make sure they aren't hit by these sorts of issues.

There are ways to stop the buck, despite what you say. I don't see how it can't be so. If it's so bothersome, don't make accounts, buy everything in cash, etc etc.
 
I have a question related to this. I don't save any purchasing methods on my accounts and that includes my Steam account. Is it only saved methods that were available or was there also previous ones stolen?

Only Saved info - AND you have to have used the account page or checkout page (where the info was displayed and cached) during a specific period of probably a few hours before the issue started and during, in order to be vulnerable - since the pages rendered were cached and thus accessible because they were visited by the user.

For example if you used those two pages 6hrs prior to the issue, it is likely you would have been absolutely fine.
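
The mechanism described in this answer (a page rendered for one logged-in user being stored by a cache and handed to the next visitor) can be shown with a small model. This is an added example, not part of the thread and not Valve's code or configuration; `SharedCache`, `origin`, `hardened_origin` and the `/account` path are constructed for illustration.

```python
# Constructed model of a shared (CDN-style) cache in front of a personalised page.
from dataclasses import dataclass, field

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

def origin(path, session_user):
    """Hypothetical origin: renders the page for whoever owns the session."""
    return Response(f"{path} for {session_user}: saved billing info")

def hardened_origin(path, session_user):
    """Same page, but marked as unfit for any shared cache."""
    resp = origin(path, session_user)
    resp.headers["Cache-Control"] = "private, no-store"
    return resp

def storable_in_shared_cache(resp):
    """A shared cache must not store 'private' or 'no-store' responses."""
    directives = {d.strip().lower().split("=")[0]
                  for d in resp.headers.get("Cache-Control", "").split(",")}
    return not ({"private", "no-store"} & directives)

class SharedCache:
    """Keys on the path only, so every visitor maps to the same entry."""
    def __init__(self, backend, honour_headers):
        self.backend = backend
        self.honour_headers = honour_headers
        self.store = {}

    def get(self, path, session_user):
        if path in self.store:
            return self.store[path].body      # hit: the session is never consulted
        resp = self.backend(path, session_user)
        if not self.honour_headers or storable_in_shared_cache(resp):
            self.store[path] = resp
        return resp.body

def second_visitor_sees(backend, honour_headers):
    """alice loads her account page, then bob requests the same URL."""
    cache = SharedCache(backend, honour_headers)
    cache.get("/account", "alice")
    return cache.get("/account", "bob")

if __name__ == "__main__":
    print(second_visitor_sees(origin, True))            # unmarked page is stored
    print(second_visitor_sees(hardened_origin, True))   # header respected
    print(second_visitor_sees(hardened_origin, False))  # cache overrides header
```

The third case matters as much as the second: `Cache-Control: private, no-store` on the origin only helps if the caching layer is configured to honour it.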
 
But what are we meant to do about it? We can do jack shit. Valve, PSN, XBoxLive etc etc, all want you to put your personal info onto your accounts so we are able to play games. How else can we lower the risks, we can't. The only people that can lower the risks and the only people to blame are the companies who want all our info.

Yeah I know, it sucks. I wish there were some good ways for us to use services more anonymously. I know I'll be filling out as little, or as fake, as possible in the future.

Personally I've been using different usernames and e-mail addresses on different services since a while back (prevent cross-referencing of database leaks), but this is a pain in the ass for most people and you can't expect them to do that. My bank used to generate one-time CC numbers for you to use for internet purchases, it was great but they removed that feature for some reason.
 
I'd like there to be a follow-up investigation on how this occurred. Maybe journalists could do more than simply take the "it was caching" at face value.

The original problem from yesterday may be fixed, but it happened because of a fundamental code or security oversight which allowed normally-encrypted information to be passed and cached by the cache or CDN.

As someone who works with this stuff as a part of my job, I do not buy the explanations offered so far and would like to hear how this could have happened.

Otherwise, customers are simply hoping Valve found the issue and everything will be perfect.... Yeah right.
 
Only Saved info - AND you have to have used the account page or checkout page (where the info was displayed and cached) during a specific period of probably a few hours before the issue started and during, in order to be vulnerable - since the pages rendered were cached and thus accessible because they were visited by the user.

For example if you used those two pages 6hrs prior to the issue, it is likely you would have been absolutely fine.

Thank you very much.
 
Steam's interface, friends, and community structure has been the same for a while and still is lacking in my opinion.
Yeah, because continued UI design and tweaking isn't as fun as trying to implement radical new ideas through game programming. Same reason why it will have taken nine years for Team Fortress 2 to implement competitive matchmaking.

There is a balance between having a corporate style managerial style that stifles creativity and having unfocused whims of fancy overwhelming the fundamentals and underlying architecture. And there doesn't have to be one grand standardized paradigm either: for instance, design work and security are very different and you can't get effective results from both using just one standardized management style for everything.
 
I'd like there to be a follow-up investigation on how this occurred. Maybe journalists could do more than simply take the "it was caching" at face value.

The original problem from yesterday may be fixed, but it happened because of a fundamental code or security oversight which allowed normally-encrypted information to be passed and cached by the cache or CDN.

As someone who works with this stuff as a part of my job, I do not buy the explanations offered so far and would like to hear how this could have happened.

Otherwise, customers are simply hoping Valve found the issue and everything will be perfect.... Yeah right.

+1
 
Man fuck this shit, and fuck all the fanboys defending it. I swear video games attract the most easily manipulated people.

It's a combination of both Steam / Valve fanboys trying to minimise the issue, and fanboys of other platforms baiting the hell out of them or just going far over the top with what has happened.

Regardless, Valve have yet to communicate directly to Steam Users since the incident - which in my opinion is utterly wrong when personal data has been compromised. It could be possible that they are trying to get more information together to make a more detailed statement, but I find that hard to believe over this much time.
 
Valve has found a paradigm for development that is wonderful for creativity, originality, and allowing passion to show through. But as usual, there's no one-size fits all paradigm, and their attitude towards development does not translate well to security, community management, and customer support.

It seems entirely reasonable to me that the support side of Steam could organize itself more efficiently to actually function properly without stifling the more creative work of programmers.

Some people function well, even thrive, when they know exactly what is expected of them and what they should do. I'm sure Valve could create a branch dedicated to customer support and have a lot of happy employees with that personality type working there too. I don't think they should change what's working for them on the technological/creative side but perhaps they should revisit their approach elsewhere.
 
I think you're seriously overestimating the Libertarian/ideological attitude of their setup. If they have some laissez-faire attitude, it doesn't seem to be producing bountiful harvests of game development or platform development. Their problem reeks of unwillingness to invest rather than a particular ideological orientation.

There is no commitment to any one vision because there is only one leader at Valve by design and the company has grown too much to remain focused and for de facto leadership based on status to produce results. That, and everyone probably wanting to work exclusively on VR because it is the "coolest".

Too much structure and direction leads to corporate style focus group approved exercises in filling checkboxes, but too little leads to no games being made at all.

What has Valve Corporation developed lately other than hats and Steam cards?

"After nine years of development on a game that was nine years in development, we hope this basic matchmaking that the community has ran for free without our help for years was worth the wait!"
 
Heh, it's always the people who victim blame harassment victims who have the weakest mental fortitude. Surprised he even tried to address you with a feeble "no" instead of running off.

Valve is absolutely terrible at anything and everything involving community, they really should at the very least outsource customer service and Steam support if having dedicated teams will ruin their culture.


Libertarianism once again shown to not be a wise paradigm on a large scale - it can be effective for creative work and allow new ideas to flourish, but when security is concerned there must be some architectural framework in place. I fail to see why Valve can't have both its laissez-faire attitude towards creative work and still have competent and organized Steam support from another branch.

This makes too much sense, they'll never do it.
 
My objective opinion is this seems like a small issue honestly. Was there any regulated personal data involved? Was there confirmed fraud on accounts? Sounds like people can just see your account details. If it's just stuff like name, email and home address, this type stuff happens thousands of times each week. And lots of companies already have this info, so you should assume it's already out there.

I am surprised there hasn't been a response from Valve, it might be that their incident response program is investigating and they want to be sure before they put their foot in their mouth.
 
I'm just curious, who are defending it?

Not defending, sorry, more like victim blaming.

I only recently read and found out about this, and then realized I had card info saved. I find it sad that there have been people doing this, but that post was uncalled for, I'll retract it.
 
I'm not defending Valve (or their lack of response here), but isn't their customer service/communication pretty awful in the first place? I don't know how or why that would change after an event like this.

This situation sucks for everyone affected, wacky security breaches are no joke.
 
It was a security breach plain and simple. There's no way around it. You can't shift blame to another entity like a group of hackers because it was Valve who did it. I cannot understand the defense for them screwing up and downplaying the bad parts of this and the legitimate criticism that no company should change configurations during the holiday rush. You always do that stuff before in preparation or after when things have settled down. Not to mention their configuration was not properly tested. Lack of response for hours was horrendous, not even an email to notify their users that steam will be going down for a moment and telling people to stay calm. No apology, just nothing at all from them that journalists had to beat a response out of them. We're expected to trust this company to handle our things with care but they're not, they don't really care as they just shrugged it all off like nothing happened.
 
"After nine years of development on a game that was nine years in development, we hope this basic matchmaking that the community has ran for free without our help for years was worth the wait!"

Er...didn't they just launch 2 hardware products? Guessing they have OS updates too. Not fair to keep painting them as just hat makers.
 
So what was the window on this? I made a purchase on Christmas Eve. Would that have been before the issue?

The thing is, no one knows. We speculate. All we got is speculation. Valve outside of one comment to Kotaku has said nothing. They said it was okay and nothing got out but considering people's information was viewable people are still massively concerned. No one knows how bad this might have been and with Valve being so silent it's questionable if they even know yet the full extent until they do check out a number of things. Until then, speculation.
 
My objective opinion is this seems like a small issue honestly. Was there any regulated personal data involved? Was there confirmed fraud on accounts? Sounds like people can just see your account details. If it's just stuff like name, email and home address, this type stuff happens thousands of times each week. And lots of companies already have this info, so you should assume it's already out there.

I am surprised there hasn't been a response from Valve, it might be that their incident response program is investigating and they want to be sure before they put their foot in their mouth.

Oh look. Another one.
 
Nothing will come out of this. Valve won't improve their security or response nor will they improve customer service.

But oh hey, I'm sure we can look forward to a few more pieces of fan art featuring Lord Gaben leading the PC master race towards gaming heaven eh?
 
I'm not defending Valve (or their lack of response here), but isn't their customer service/communication pretty awful in the first place? I don't know how or why that would change after an event like this.

This situation sucks for everyone affected, wacky security breaches are no joke.

Yes, it's terrible. They were graded F in customer service and so far they're still all talk with "we have to do better."
 
My objective opinion is this seems like a small issue honestly. Was there any regulated personal data involved? Was there confirmed fraud on accounts? Sounds like people can just see your account details. If it's just stuff like name, email and home address, this type stuff happens thousands of times each week. And lots of companies already have this info, so you should assume it's already out there.

I am surprised there hasn't been a response from Valve, it might be that their incident response program is investigating and they want to be sure before they put their foot in their mouth.

Yeah, "just." Go ahead and post that info. Throw in your phone number and the last digits of your credit card.

"Just."
 
Some people function well, even thrive, when they know exactly what is expected of them and what they should do. I'm sure Valve could create a branch dedicated to customer support and have a lot of happy employees with that personality type working there too. I don't think they should change what's working for them on the technological/creative side but perhaps they should revisit their approach elsewhere.
Exactly, they've made their creative structure into a part of their greater identity and are now unable to coordinate because they've made structure as a concept out to be inherently their enemy as opposed to a neutral part of coordinating efforts that sometimes gets out of hand.
 
Phone can be intrusive if people want to harass you. Last 4 of credit card is worthless.

It may not be super valuable. But it can be used with a customer support site combining 4 digits of card and email and number, and then they possibly get more data from the customer support.
 
My objective opinion is this seems like a small issue honestly. Was there any regulated personal data involved? Was there confirmed fraud on accounts? Sounds like people can just see your account details. If it's just stuff like name, email and home address, this type stuff happens thousands of times each week. And lots of companies already have this info, so you should assume it's already out there.

I am surprised there hasn't been a response from Valve, it might be that their incident response program is investigating and they want to be sure before they put their foot in their mouth.
Being able to view someone else's account is a huge issue.
 
Phone can be intrusive if people want to harass you. Last 4 of credit card is worthless.

Phone is added to a pool using some other identifier (any piece of related data like postal or zip code) and then sold to canvassing companies. Those companies are under no obligation to keep your info safe and can sell it onto others, and so on.
 
Valve's "response" is absolutely unacceptable. Hopefully the EU can threaten them with legal action because that's the only way I see them finally fixing their broken customer service.
 