Steam security issue revealed personal info to other users on XMas Day (fixed)

On the order review screen? That's odd, as both my account page and review page for purchases shows only the last 2 (MasterCard), and my card is saved.



Just did this right now.

The over reaction to this is ridiculous, some of you guys are really reaching for something to get hysterical about.

Not going to address every single person on why this is a major fuck up, even if someone isn't going to use your information, but you should really read past pages before running to Steam's defense.
 
Really shitty handling from Valve, and it shows how much they care for the userbase that they are doing their best to hide this giant breach in security from the general Steam population.

A mass email should have gone out telling people to keep an eye on their purchase history and think about changing passwords / activating 2-factor.



Instead we get a one-paragraph reply buried in a Kotaku story.

Was anything useful to bad people compromised?

Names, Addresses, (phone numbers?) got out there

CC and PayPal info seems like it was mostly hidden. Only the basic stuff like the last 2 numbers was there, so you can't do much with that.


It is a social engineering wet dream though.
 
Not going to address every single person on why this is a major fuck up, even if someone isn't going to use your information, but you should really read past pages before running to Steam's defense.

Maybe you shouldn't assume anyone calling out the hysteria is coming to Steam's defense. This is not something that should happen, this is a massive mistake on their part, but when I see people climbing over each other to cancel credit cards and claim to be getting rid of Steam, that's undue and ridiculous hysteria, plain and simple.
 
Maybe you shouldn't assume anyone calling out the hysteria is coming to Steam's defense. This is not something that should happen, this is a massive mistake on their part, but when I see people climbing over each other to cancel credit cards and claim to be getting rid of Steam, that's undue and ridiculous hysteria, plain and simple.

Canceling a credit card isn't a bad idea considering all the information shown above, just to be safe. That's not "hysteria". That's just being safe, and there's nothing wrong with that considering how widespread people's profiles got.

And getting rid of Steam is an option if the consumer feels like it. If people don't feel like Steam is secure, there's no reason for them to continue using the service.

Now, when people start saying stupid shit like "they should give me five free games" and things like that? That's silly. But that's a minority in this topic.
 
Is it possible that only a few users were shown? I mean, maybe only 5 or 6 users' info appeared to every other user? Or 20? Millions?
 
Amazingly, I think I gained out of this insanity.

1 hour before shit hit the fan, I gifted a couple of games as a x-mas present. They're still in my inventory and the one I was giving them to got them.
 
I'm saying that people wanting Valve to have a fully written apology with technical details and clarifications on the situation within the space of a few hours of it happening, on Christmas Day of all times, need to approach this more relaxed.

I think people need to realize this whole ordeal happened during a widespread holiday and Valve is a tightly staffed company, and employees are likely specifically instructed to not speak publicly without approval from PR. I'm willing to bet it was a lengthy process to first figure out what happened, contact the on-call engineer responsible for fixing it, and reach the right person or people to write up an acceptable public response. By all accounts, people are with their families and likely not paying attention to their phones/work email/etc. I don't think the timeframe in which Valve responded, given the circumstances, was unacceptable. At this stage they've given an interim response/explanation, and I expect that we'll get something more fully-fledged as we go into next week.

Sometimes companies need to move slowly and deliberately before making public statements, that's just how it is. I'm not excusing Valve's fuck-up, but I'm sure we'll get an acceptable post-mortem for what happened here within due time.
Fair enough, I agree. I still believe that comparison was hyperbole, but it's not worth arguing over. Hopefully when they fill the office again they'll give a formal response to the situation.
 
You don't get to claim "it was a holiday!" when your entire store was popularized around the idea of holiday sales.

Also, what kind of company doesn't have a change freeze over Christmas? I've worked in Managed IT Services for 6 years now and every single account I've worked on or been exposed to has at least a 2 week change freeze over Christmas. It's amazing Valve don't do this.
 
You don't get to claim "it was a holiday!" when your entire store was popularized around the idea of holiday sales.

Also, what kind of company doesn't have a change freeze over Christmas? I've worked in Managed IT Services for 6 years now and every single account I've worked on or been exposed to has at least a 2 week change freeze over Christmas. It's amazing Valve don't do this.

Yup, I agree with this. Our code freeze for the holidays starts the first week in December, with most client teams releasing their final build in late November. It was moronic for Valve to make any kind of config changes while people were out of the office.
 
I can't even redeem my wallet cards from Christmas right now, keeps saying it can't contact the server and half the time I can't even browse the store. This is strange coming from Valve.
 
So the users whose details were compromised may not have a clue that their name, address, email etc has been available for many others to see because of Valve's fault, and that they can't be bothered to email every user or post a permanent message on their Store, warning people of what has happened AND apologising? Absolutely laughable. Whether it's Xmas time or not, Valve should be on top of this shithot, not ignoring it or waiting until people are back off their holidays.
 
Humm yeah I can login to the client but the actual store tab says I'm logged out and get an error when pressing the "login" button. Maybe it's just overloaded?
 
Yup, I agree with this. Our code freeze for the holidays starts the first week in December, with most client teams releasing their final build in late November. It was moronic for Valve to make any kind of config changes while people were out of the office.

Most likely ramping up infra ahead of the sale/holiday rush.
 
I think people need to realize this whole ordeal happened during a widespread holiday and Valve is a tightly staffed company
I'm saying that people wanting Valve to have a fully written apology with technical details and clarifications on the situation within the space of a few hours of it happening, on Christmas Day of all times, need to approach this more relaxed.

The Christmas excuse is no excuse whatsoever.

If you don't want to work on Christmas, close down your shit, and especially don't push some potentially catastrophic update out.

Oh, it'll cost you too much money to close down over the holidays? Then too fucking bad, I guess your multi-billion-dollar international company will just have to find some way to have staff to cover the holidays.
 
Humm yeah I can login to the client but the actual store tab says I'm logged out and get an error when pressing the "login" button. Maybe it's just overloaded?
Not an issue here. Just checked and even restarted the client and I'm still logged in in the store tab.
 
The Christmas excuse is no excuse whatsoever.

If you don't want to work on Christmas, close down your shit, and especially don't push some potentially catastrophic update out.

Oh, it'll cost you too much money to close down over the holidays? Then too fucking bad, I guess your multi-billion-dollar international company will just have to find some way to have staff to cover the holidays.

You have zero perspective on how online companies operate, then.

There are always on-call engineers/people on other teams, hence why the problem got fixed. However, do you propose that the ENTIRE COMPANY not take holidays and stay at the office/working? Or that some people be forced to work while others are away? Or that the entire storefront be closed because the entire company isn't sitting at their desks?

On-call rotations exist for this very reason: always-online services such as Facebook, Amazon, Google, Steam, etc. need someone to constantly be at the beck and call if something DOES happen, and they were, and it was fixed within hours. We're still humans, though, and that person needs to get a call/text/email, get to a computer with the appropriate environment, and diagnose/fix the problem. The issue of releasing a public statement for a huge data breach is even trickier, because there are likely only a handful of people who are authorized to publish anything to the public, and who know where or who those people are. You think any PM or engineer at Valve can make a statement? No, everyone is probably told to go through a PR person before doing ANY public messaging, and that's just how it is.

More likely than not, they DID reach an on-call person from the PR department, and got a statement they COULD give. Any further statement is probably going to require collaboration between responsible engineers and their team/leadership, management team members (perhaps up to Gabe himself, or his direct reports), the legal department, and full understanding of what happened, looking at logs, and discussing at length before PR can summarize all the data and give the public a response. There are most likely people losing their time off over this right now, but I am sure that the full collaboration to give the public a more detailed response won't happen until everyone, or most people, are back at the office on Monday.

Most likely ramping up infra ahead of the sale/holiday rush.

Makes sense. We also have a rule of "nobody talks to the server team after Dec. 1st", since any and all changes like this could be catastrophic. Seems like unfortunately, in this case, someone messed up, and it was.
 
a bit of an overreaction but ok
Seriously.

You don't get to claim "it was a holiday!" when your entire store was popularized around the idea of holiday sales.

Also, what kind of company doesn't have a change freeze over Christmas? I've worked in Managed IT Services for 6 years now and every single account I've worked on or been exposed to has at least a 2 week change freeze over Christmas. It's amazing Valve don't do this.
Exactly. The only exception to "violate" a code freeze would be if they had found a major vulnerability right then or got hacked or something. I guess they were struggling with the high Christmas volume and tried to "improve" their caching to strengthen the store performance and it backfired immensely. But yeah, really dumb of Valve. And no apology is just the icing on the cake.
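The caching hypothesis in the post above is only speculation, and the thread never establishes what Valve actually changed. As an added illustration (not Valve's code, and not a claim about the real cause), the following toy model shows the general failure mode a practitioner would check for first: a shared cache keyed on URL alone that stores a per-user account page and then serves it to the next logged-in visitor. The users, sessions and account details are constructed for the example; the fix shown is the standard one of marking per-user responses `Cache-Control: private, no-store` (or keying the cache on the session).

```python
"""
Toy model of a shared HTTP cache sitting in front of a storefront.
Added example for this thread; not Valve's code and not a description of
the real incident, whose cause the posts above only speculate about.

It demonstrates how a cache that keys on URL alone hands one logged-in
user's account page to the next requester, and two standard fixes:
  1. the origin marks per-user pages "private, no-store", so a shared
     cache refuses to store them;
  2. the cache keys entries on (URL, session) instead of URL alone.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: two fake users with fake account details.
ACCOUNTS = {
    "sess-alice": {"name": "Alice Example", "email": "alice@example.test",
                   "card_last4": "1234", "wallet": "12.50"},
    "sess-bob":   {"name": "Bob Example", "email": "bob@example.test",
                   "card_last4": "9876", "wallet": "0.00"},
}


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def origin(path: str, session: Optional[str], private: bool) -> Response:
    """Hypothetical origin server. `private` controls whether it marks
    per-user pages as uncacheable by shared caches."""
    if path == "/account":
        acct = ACCOUNTS.get(session)
        if acct is None:
            return Response(401, {"Cache-Control": "no-store"}, "please log in")
        # The weak setting: a personalised page carrying a public max-age.
        cache_control = "private, no-store" if private else "max-age=600"
        body = (f"{acct['name']} <{acct['email']}> card ****{acct['card_last4']} "
                f"wallet {acct['wallet']}")
        return Response(200, {"Cache-Control": cache_control}, body)
    # A genuinely public page: safe to cache for everyone.
    return Response(200, {"Cache-Control": "public, max-age=600"}, "store front")


@dataclass
class SharedCache:
    """Minimal shared cache. With vary_on_session=False it keys on URL only,
    which is the misconfiguration being demonstrated."""
    store: dict = field(default_factory=dict)
    vary_on_session: bool = False

    def _key(self, path: str, session: Optional[str]):
        return (path, session) if self.vary_on_session else path

    def get(self, path: str, session: Optional[str], private_pages: bool) -> Response:
        key = self._key(path, session)
        if key in self.store:
            return self.store[key]          # cache hit, whoever asked
        resp = origin(path, session, private_pages)
        cc = resp.headers.get("Cache-Control", "")
        # A shared cache must not store responses marked private or no-store.
        if resp.status == 200 and "private" not in cc and "no-store" not in cc:
            self.store[key] = resp
        return resp


def leaked(cache: SharedCache, private_pages: bool) -> bool:
    """Alice loads her account page, then Bob loads his. Return True if Bob
    is handed Alice's data, i.e. the cache leaked a per-user page."""
    cache.get("/account", "sess-alice", private_pages)
    bob = cache.get("/account", "sess-bob", private_pages)
    return "Alice" in bob.body


if __name__ == "__main__":
    print("URL-keyed cache, no private marking:", leaked(SharedCache(), False))
    print("URL-keyed cache, private marking:   ", leaked(SharedCache(), True))
    print("Session-keyed cache, no marking:    ",
          leaked(SharedCache(vary_on_session=True), False))
```

The first run leaks, the other two do not. In practice both controls are worth having: the `private, no-store` header protects you from any intermediary you do not control (CDNs, corporate proxies), and session-keyed caching protects you from an origin that forgets the header on one endpoint.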
 
The Christmas excuse is no excuse whatsoever.

If you don't want to work on Christmas, close down your shit, and especially don't push some potentially catastrophic update out.

Oh, it'll cost you too much money to close down over the holidays? Then too fucking bad, I guess your multi-billion-dollar international company will just have to find some way to have staff to cover the holidays.

This is top rank silliness right here.
None of that is how any Ecommerce-related anything works or will ever work for any company, let alone a company as small as Valve.
 
Once again, people were able to get to the Review process, which shows the last four digits of your card.

So that means your:
Name
Email
Last 4 digits of your card
And address were listed bare for people to see.

If you wanna downplay the event and call people's reactions a gross exaggeration, at least get the facts straight.

My brother and I refreshed through a few account pages to see if they actually changed (they did) we could see:

-Steam name
-Full name
-Full address
-Email address
-Last four phone number digits
-Last four CC digits
-Steam wallet balances

I didn't go any further since that was brutal enough =/
 
The Christmas excuse is no excuse whatsoever.

If you don't want to work on Christmas, close down your shit, and especially don't push some potentially catastrophic update out.

Oh, it'll cost you too much money to close down over the holidays? Then too fucking bad, I guess your multi-billion-dollar international company will just have to find some way to have staff to cover the holidays.

A third party, like a server host, might have been involved. Valve could staff all the people it wants, but if it needs to make an emergency phone call to a business partner who's out of the office until New Year, the scope of their immediate reaction could be limited.
 
A third party, like a server host, might have been involved. Valve can staff all the people it wants, but if it needs to make an emergency phone call to a business partner who's out of the office until New Year, the scope of their immediate reaction could be limited.

I would hope that Valve has some rock-solid SLAs with all their suppliers, especially when it comes to emergencies and disasters. I also can't think of a hosting service that doesn't have some kind of skeleton crew operating at all times anyway. Would be some mom & pop operation if those providers knocked off for holidays.
 
I would hope that Valve has some rock-solid SLAs with all their suppliers, especially when it comes to emergencies and disasters. I also can't think of a hosting service that doesn't have some kind of skeleton crew operating at all times anyway. Would be some mom & pop operation if those providers knocked off for holidays.

Christmas and New Year's legitimately wreaks havoc on businesses that run over the festive period, SLAs or not. All the third-party partners contracted to Valve might have skeleton staff, but if those third parties are in further partnership with other vendors around the world, especially companies in Central Europe and Russia who very much enjoy their Christmas and New Year off, a break in the chain brings a lot of problems for immediate reactions.
 
Once again, people were able to get to the Review process, which shows the last four digits of your card.

So that means your:
Name
Email
Last 4 digits of your card
And address were listed bare for people to see.

If you wanna downplay the event and call people's reactions a gross exaggeration, at least get the facts straight.

Holy fuck that's bad for anyone whose data was seen by anyone with bad motives.
 
This is top rank silliness right here.
None of that is how any Ecommerce-related anything works or will ever work for any company, let alone a company as small as Valve.
Sure it is. I work for a webhosting company that probably isn't half as large or profitable as Valve and yet we have 24/7 staffing even on holidays.
 
Christmas and New Year's legitimately wreaks havoc on businesses that run over the festive period, SLAs or not. All the third-party partners contracted to Valve might have skeleton staff, but if those third parties are in further partnership with other vendors around the world, especially companies in Central Europe and Russia who very much enjoy their Christmas and New Year off, a break in the chain brings a lot of problems for immediate reactions.

True, anything can happen. But there's no indication that this is what went down. It still would have been 100% on Valve for not ensuring a plan in case of a disaster on their end or even knowing the links in their own chain of service.
 
If the response given to Kotaku was official and given by Valve, they can fuck right off. They are a professional company that has millions of users worldwide and from their response, it feels like they don't give a shit what happens to their users.
 
Very unfortunate.

Valve is a company. They'll try to minimize any type of screw-up and try to manage outrage as much as possible. Carefully crafted PR is just one part of that strategy. At the end of the day Valve employees can be sympathetic with users regarding what happened on a personal level, it's after all a screw-up on their end, but they've got a business to run and protect (lawsuits and long-term image damage).
 
True, anything can happen. But there's no indication that this is what went down. It still would have been 100% on Valve for not ensuring a plan in case of a disaster on their end or even knowing the links in their own chain of service.

Valve not having mentioned it yet doesn't mean it wasn't the case, which is why I'm arguing the point that people should wait a bit for a full explanation to come out. People are jumping to far flung conclusions with little to no proof, which annoys me to all hell.
 
Valve not having mentioned it yet doesn't mean it wasn't the case, which is why I'm arguing the point that people should wait a bit for a full explanation to come out. People are jumping to far flung conclusions with little to no proof, which annoys me to all hell.

Far flung like what? Regardless of what happened it's Valve's service and so it's their responsibility. If they had people there to make changes at Xmas they also had people there to check that things went ok. If they wanted to do it automatically they should have ensured a belt-and-braces approach. They didn't.

We got a response from them. There's no reason to expect any more at this time.

I'm sure it's annoying for you, too bad. It's also annoying to have your PII leaked and the company responsible giving no explanation or apology or facts on those affected.
 
Far flung like what? Regardless of what happened it's Valve's service and so it's their responsibility. If they had people there to make changes at Xmas they also had people there to check that things went ok. If they wanted to do it automatically they should have ensured a belt-and-braces approach. They didn't.

We got a response from them. There's no reason to expect any more at this time.

I'm sure it's annoying for you, too bad. It's also annoying to have your PII leaked and the company responsible giving no explanation or apology or facts on those affected.

I've had info leak through hacks like Gawker, Anime-On-Line.com, PSN and other services. What happened with Steam shouldn't have happened. What I've been saying the last few pages, is that it's more realistic for Valve to clarify the situation over the course of a few weeks, not within the space of an hour or two after the leak was stopped, as I've seen many people on here and Twitter vent about.
 
I've had info leak through hacks like Gawker, Anime-On-Line.com, PSN and other services. What happened with Steam shouldn't have happened. What I've been saying the last few pages, is that it's more realistic for Valve to clarify the situation over the course of a few weeks, not within the space of an hour or two after the leak was stopped, as I've seen many people on here and Twitter vent about.

Asking for a detailed explanation with a huge play-by-play of what happened and how they plan to fix it is a bit much. That'll take some time to hash out.

However, people want a better response than a few lines sent to Kotaku and Gamespot. Valve should, at the very least, warn people that their information could possibly be compromised since it was viewable to many people. A place of business owes some upfront notifications to the consumer when something so drastic happens.

So what I'm asking for is, "We fucked up, here's what information of yours might have been leaked out during this incident". Not like they can skate on by, since it was proven many times that things like the last four digits were shown publicly.
 
What I find baffling is that Valve didn't warn its customers directly about the issue. Instead of sending e-mails and/or warning us through Steam, they decided to release a (very) short message relayed by two intermediaries, Gamespot and Kotaku, which most customers probably don't visit.

Personal information was compromised. Customers have a right to know that, and should have been contacted directly.
 
Valve not having mentioned it yet doesn't mean it wasn't the case, which is why I'm arguing the point that people should wait a bit for a full explanation to come out. People are jumping to far flung conclusions with little to no proof, which annoys me to all hell.

I think the problem many people have is that Valve hasn't made any official statement yet, however vague it could be, neither on their platform, nor on their official communication channels (Facebook, Twitter, e-mail, you name it). Thousands (millions?) of people saw something funky going on for an hour or two with the service on Christmas: they could see themselves logged in as other people, they could see Steam pages in foreign languages, they could see account details that weren't their own, they could not buy games. It was fixed, sure, but there was no explanation (through official communication channels that would reach all customers, not some article or a message board post). In times where online shops and services are hacked left and right, when every few weeks (days?) you can read about a personal info leak from service X, as a layman, an ordinary Steam user who is not a member of reddit, GAF, GameFAQs or any other message board, wouldn't you want to know what exactly happened and whether you should worry about info that might get leaked or actions that someone could take on your account?
 
This is top rank silliness right here.
None of that is how any Ecommerce-related anything works or will ever work for any company, let alone a company as small as Valve.
A small company, right...
They are estimated to be worth billions of dollars (2-4 billion $ according to a Forbes staff article).
It is purely their decision as a for profit commercial corporation not to hire more staff.
Your post is more damning than helping valve, because it is implying that despite their huge profits they are still not willing to spend a portion of it on proper customer support staff.
 
I've had info leak through hacks like Gawker, Anime-On-Line.com, PSN and other services. What happened with Steam shouldn't have happened. What I've been saying the last few pages, is that it's more realistic for Valve to clarify the situation over the course of a few weeks, not within the space of an hour or two after the leak was stopped, as I've seen many people on here and Twitter vent about.

we're getting so far off the original point of "Xmas could be an explanation" that I don't even know what we're talking about any more

you have your expectations of a company, and other people have other expectations
 