Steam security issue revealed personal info to other users on XMas Day (fixed)

Do you actually have any proof for that?

If you don't have proof stop spreading potential misinformation.
It was accurate based on the information known at the time.
Grief isn't the one your anger should be aimed at, go send angry emails to Valve or something.
 
Soooooo... should I just do nothing or what?

I don't think we can do much. I don't use PayPal with my Steam. So they could get my card, but I'm not worried about that. Visa is very good about stopping charges and protecting you. I would be more worried about username/password because we know how awful Valve's customer service is.
 
I just tried to play PoE and it says not logged into steam even though I was logged into my account so I had to relog... while reading this thread. This is kinda scary.
 
Wait, so if this is all allegedly being spewed out of a recent cache, would that mean people who haven't been logged in for a few days be safe or do we literally know nothing?

I assume the latter
 
I'm late to the party :(

V8h1hIL.png

Sorry.
 
It was accurate based on the information known at the time.
No it wasn't. It selectively ignored posters in this very thread.
If you want to ascertain the truth you can't just ignore those reports.

The truth is shit is messy and it has to be figured out. Posting statements and bolding and highlighting them to give them authority when you're also just guessing isn't helping.
 
Do you actually have any proof for that?

If you don't stop spreading potential misinformation.

  • Using the term 'so far' would allude to the information up to that point.
  • Last I posted that information, I stated it would be updated as soon as we can have purchase confirmation.
  • Still trying to fully and completely substantiate before posting potentially horrifying info.
 
To anyone downplaying the breach, I humbly recommend publicly posting your physical address, phone number, last digits of cc, and email address.

Even for "only an hour."

See how little that breach feels.

I predict that all of that has been breached at least twice for pretty much all users of NeoGAF. Sites like Have I Been Pwned have hundreds of millions of confirmed breached email addresses.
 
I've asked before but what if you have store credit? Surely it would be easy to make purchases with that?

It's unclear at this point, but ultimately with store credit it's no big deal because Valve could rollback the charges (obviously if they don't rollback charges associated with this, they're toast). The issue with credit cards, besides the information exposure, is that someone could get overdrafted or hurt if the payment actually posts before the rollback happens.
 
Your CC company is usually smart. If you never spend 1000+$ on steam in a single purchase they will not allow this transaction. They know your purchasing habits. At least my Visa is like this. Got hacked once and the guy tried to buy 2000$ at Canadian Tire and I only use my CC for small purchase online so they canceled the card immediately.

But yeah stop posting fake pics.
 
Don't even sign in to the client.
I haven't turned my PC on since yesterday but I browsed on the mobile app this morning for a few minutes. Was already logged in, etc. I feel like I'm probably ok but kinda weirded out.

So you were only vulnerable if you were loading your profile page during a certain time earlier today?
 
Looks like a bit of investigating shows it's a caching server issue, and no auth permissions are being given under alternate accounts.

It's a problem with their caching-server (varnish), caching pages that should not be cached (such as Account-Details, Cart, etc.). It invalidates after some time and is re-cached when the next user visits the page with their profile. You are not actually logged in (as in, you take over the session of the user), you just see pages rendered for others than yourself. This is why different parts of steam appear as different users.
Which page you see is probably dependent on the edge node (first server you connect to) closest to you, hence why different users see different profiles.
My guess to how this could've happened is that an untested configuration got activated when steam went down earlier, e.g. due to an auto-conf service (puppet, chef) pulling an untested config or some of their live servers being replaced by staging / development servers. It's also possible that they were under heavy load and the engineer on duty reconfigured all their edge nodes to cache more aggressively.
Let's hope they fix this fast, because this is a major data leak. I can see private E-Mail and account names. Let's hope their cache server is not delivering internal pages.
Edit: /u/LymiaAluysia made an important point about whether cookies are being cached.
As far as I can tell, no HTTP-Headers are being cached which includes cookies. Below is a screenshot where I see the profile of someone else though the steam id in the cookie is still my own: http://i.imgur.com/TK9FFvx.png I'm hoping this is also true for login and store pages.

Source: https://www.reddit.com/r/Steam/comm...cking_up_hard_right_now_signed_into_a/cyb7l09
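The behaviour described in the quoted Reddit explanation above, as an added simulation that is not part of the original posts: an edge cache keyed by URL alone hands one user's rendered account page to the next visitor even though that visitor's own cookie never changes, while a cache that refuses to store private or logged-in responses does not. This is a toy Python model, not Varnish configuration; the paths, user names and the `honor_private` flag are assumptions made for illustration.

```python
# Constructed simulation: paths, user names and the policy flag are assumptions.
from dataclasses import dataclass, field

PRIVATE_DIRECTIVES = ("private", "no-store", "no-cache")

@dataclass
class Response:
    body: str
    headers: dict

def origin(path, cookies):
    """Origin renders the page for whoever the session cookie identifies."""
    user = cookies.get("session_user", "anonymous")
    if path.startswith("/account"):
        return Response(f"Account details for {user}",
                        {"Cache-Control": "private, no-store"})
    return Response("Store front page", {"Cache-Control": "public, max-age=60"})

@dataclass
class EdgeCache:
    honor_private: bool                 # False models the misconfigured edge node
    store: dict = field(default_factory=dict)

    def cacheable(self, cookies, resp):
        if not self.honor_private:
            return True                 # caches everything, keyed by URL only
        cc = resp.headers.get("Cache-Control", "").lower()
        if any(d in cc for d in PRIVATE_DIRECTIVES) or "Set-Cookie" in resp.headers:
            return False
        return not cookies              # never store responses to logged-in requests

    def get(self, path, cookies):
        if path in self.store:          # hit: served without looking at the cookie
            return self.store[path].body
        resp = origin(path, cookies)
        if self.cacheable(cookies, resp):
            self.store[path] = resp
        return resp.body

def visit_sequence(cache):
    """alice loads her account page, then bob requests the same URL via the same edge."""
    a = cache.get("/account", {"session_user": "alice"})
    b = cache.get("/account", {"session_user": "bob"})
    return a, b
```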
 
Wait, so if this is all allegedly being spewed out of a recent cache, would that mean people who haven't been logged in for a few days be safe or do we literally know nothing?

I assume the latter

The latter. It could very well be that only people who were online were being seen (or even the opposite). It's worth noting that a lot of people saw the same people's accounts, so it may only be a problem with a small number of users. But we don't really know shit beyond that.
 
I'm curious if the purchases happened due to this screwup, or due to bad information security exposed by this screw up. (Weak passwords / no Steam Guard) I'm not checking my own account until this is cleared up, and I removed PayPal authorization on the PayPal site.
 
Potentially compromise an account, versus citing the limited information we have so people are aware of what is going on?

I don't know man, you might have trouble backing your argument up.
Posting factual information that's personally relevant and unexpected behaviour in a strange and distressing situation, versus cherry-picking sources and claiming knowledge that's repeatedly being disputed many times by trusted users on this very site for the purpose of damage control rather than clear communication.

One is instinctive and reactionary, not meaning to compromise data.
The other is deliberate and knowingly promoting disputed claims as fact.
 
Your CC company is usually smart. If you never spend 1000+$ on steam in a single purchase they will not allow this transaction. They know your purchasing habits. At least my Visa is like this. Got hacked once and the guy tried to buy 2000$ at Canadian Tire and I only use my CC for small purchase online so they canceled the card immediately.

But yeah stop posting fake pics.

I'm just worried because my debit card was on there (too young/cautious for credit) so if someone gets in I'm utterly fucked. Luckily I managed to delete it (I think) but who knows
 
Okay, paypal unlinked from Steam via paypal's site. Fingers crossed. Pretty sure I never put my card info on Steam but I don't want to login to double check.
 
  • Using the term 'so far' would allude to the information up to that point.
  • Last I posted that information, I stated it would be updated as soon as we can have purchase confirmation.
  • Still trying to fully and completely substantiate before posting potentially horrifying info.

You should confirm any information before posting, that includes good and bad news. We didn't know either way
 
Your CC company is usually smart. If you never spend 1000+$ on steam in a single purchase they will not allow this transaction. They know your purchasing habits. At least my Visa is like this. Got hacked once and the guy tried to buy 2000$ at Canadian Tire and I only use my CC for small purchase online so they canceled the card immediately.

But yeah stop posting fake pics.

Yeah I tried to legitimately purchase $300 worth of games on my Steam (obviously using my own card) my bank denied the purchase and every purchase from Steam since then. So if anyone tried to buy stuff on my Steam account it wouldn't go through.
 
Steam's interface is so convoluted I couldn't even figure out how to check or configure my payment settings. You'd imagine something like that would be found under settings > account, but nope.
 