Steam security issue revealed personal info to other users on XMas Day (fixed)

Yep, this is beyond bush league. The most basic responsibility of a service-based company is to announce that something has happened, share any confirmed info, and shut down service until it can be verified to be safe. Valve has done none of that.

I hope people who praise valve's management structure take a good look at this situation. Every part of this fiasco -- the half-assed ddos mitigation, the apparent untested launch of code with a massive security hole, and the complete silence to their customer base -- is a direct result of an organizational culture with no leadership, no responsibility, and no employees who are expected to do difficult or unpleasant work.

Yeah, I mean they're one of the leading digital distributors in the PC gaming sphere, serve millions of customers each day and yet a business as big as Valve can't even manage to write up a simple statement informing customers that their personal information might have been compromised.

What a joke, took down the servers only after an hour, fixed the problem and reupped the servers without any statement so they can keep getting that Christmas Sale money without letting people know of the potential compromise of their personal information.
 
Correct me if I'm wrong, but wasn't it only the top level account page which was compromised? The one that only contains the last 4 digits of your CC number...which is pretty useless to anyone else.

The last 4 digits of a CC number can be pretty useful if you are into social engineering.
 
The hypocrisy in this thread is baffling sometimes.

"I hate steam, I've always hated steam, it's a huge pile of shit!" - has north of 350 games on account.

Mhkay. Wha'ever.

You can find their business practices, especially when it comes to customer relations, absolutely shitty and still deal with them. It is not as if there are millions of Steam competitors all around, and the PC section of most stores is all but gone, so digital is becoming in many ways the only option, and even if you buy a key from GMG or whoever, it will almost always end up tying back to Steam.
 
The fact that you could press a button saying "delete payment info" does not mean those changes were made.

Everything suggests it was a read-only bug.

"Everything suggests"? What's this "everything" because Valve hasn't said anything on the matter?

It sure looked like I could've spent the money in people's accounts as well. Not cool.
 
Rank this against the sony hack lol

The Sony hack seems to have been way worse than this. PSN was down for nearly a month while Sony figured out how much data was compromised. From reports I'm seeing, it looks like it was just a read only cache error. Someone at Valve fucked up royally today, and will probably be fired. But I don't think there's much for customers to be worried about today.
 
And now there is today's issue, which is massively different, where contact info was randomly shown to other random people in a nonspecific way due to the nature of the caching issue (if accurate). As such it wouldn't be possible for people to get all the info on a specific person, but they could definitely take a whole bunch - account name, email address, last digits of phone number and CC if via the account page // address, last digits of CC or email address if at the cart.
It's the full phone number (not last digits) and full address as well.
http://www.neogaf.com/forum/showthread.php?p=190425008#post190425008

Edit: it's also strange in this case and earlier this year that the service wasn't taken offline the moment the problem was discovered. It was up in its faulty state for hours. It even managed to be world trending on Twitter before it got shut down this time.
 
They didn't release any statement because they're still trying to spin this shit as much as they can, but it's pretty hard.
We don't know. But what you did was good.

The only other step that is always recommended is to change your password on other services if it's the same as on Steam. There is currently no real reason to suspect foul play but the lack of communication makes reassurance hard.

--

Yeah I also think the lack of communication on official channels is extremely poor handling of the situation. Relying on third party websites to do damage control in some cases (self-motivated) or to give reasonable (and sometimes confusingly worded) interpretations of what happened is not enough.
Thanks for the answer. I'm going to change both my steam and paypal passwords (even if it wasn't saved).
 
I logged out hours ago on iPad. Now trying to log back in it says invalid password. When I hit password reset I get an error saying servers are busy.
 
That's still not good... Personal info was available...
I know, but many people keep claiming things far worse than that without evidence. I have even read people telling others to change their passwords when nothing indicates passwords were compromised.
 
I hope people who praise valve's management structure take a good look at this situation. Every part of this fiasco -- the half-assed ddos mitigation, the apparent untested launch of code with a massive security hole, and the complete silence to their customer base -- is a direct result of an organizational culture with no leadership, no responsibility, and no employees who are expected to do difficult or unpleasant work.

But their employee handbook is so quirky....

It says everything that this has been going on hours and not a single employee has the spine to just shut down Steam.
 
The hypocrisy in this thread is baffling sometimes.

"I hate steam, I've always hated steam, it's a huge pile of shit!" - has north of 350 games on account.

Mhkay. Wha'ever.

It's natural for people to be upset at such a large breach of personal information, especially when one takes risks by entrusting major companies with such details for the sake of easier transactions. Valve's track record with responses is uneven at best, PR never being their strong suit as a company.

The thing is that Valve has adjusted the service over time to strengthen security of accounts and the valuable data within. Steam Guard, two factor authentication, trade holds, and so on. Some of these, like two-factor, are just industry standard by now. But the escrow holding and other tweaks are their reactions to these amassing issues. They aren't sitting on their ass doing nothing. They're just making gradeschool level programming mistakes which just so happen to invalidate the work they actually do put in.

The last major direct breach of account info saw Valve speak up several times about the issue. But then, they didn't speak much at all about the password reset exploit from earlier this year. It's hard to say for sure if they'll speak up over this one or not, but I'd like to lean on the side of someone being sent to face the masses. We'll just have to wait and see.
 
People expecting Valve to own up to this with a mea culpa are probably going to be disappointed.

 
Guaranteed first sentence of the press statement:

"We do sincerely apologize for what took place and lack of communication with you all immediately after due to the Christmas holiday."
 
Holy crap... Glad I don't have any payment info saved on my account (I always enter that shit every time I buy) but I'm really uncomfortable with the idea of someone seeing my private profile. Guh
 
I know, but many people keep claiming things far worse than that without evidence. I have even read people telling others to change their passwords when nothing indicates passwords were compromised.

But changing passwords in light of today's events is not a bad idea.
 
But their employee handbook is so quirky....

It says everything that this has been going on hours and not a single employee has the spine to just shut down Steam.

Valve basically lucked out with their current niche of being resellers/content providers. The company itself is set up so there's no accountability for anything they do.

It's really too bad that other competitors have even worse UX's (if that's even possible) or are run by companies with even worse reputations, because Steam is like the Facebook of this industry - people now see it as more of an obligation than something they actually look forward to using.
 
Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.

- Valve

http://kotaku.com/steam-goes-nuts-o...m_source=Kotaku_Twitter&utm_medium=Socialflow
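To see the class of bug Valve's statement describes, here is an added example (not Valve's code) of a toy shared cache keyed on the request path: with a configuration that ignores Cache-Control, a page generated for one user is stored and served to the next requester; honouring private/no-store stops it. Users, sessions and page contents are constructed.

```python
# Added example, not Valve's code; users, sessions and page contents are constructed.
from dataclasses import dataclass, field

# Constructed session table: cookie value -> account owner.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

def render_account_page(session_cookie: str) -> Response:
    """Origin server: builds the per-user account page and marks it
    private, so a shared cache must not store it."""
    user = SESSIONS[session_cookie]
    return Response(f"account page for {user}",
                    {"Cache-Control": "private, no-store"})

class SharedCache:
    """Caching layer between users and the origin, keyed by path only."""

    def __init__(self, honour_cache_control: bool):
        # honour_cache_control=False models the broken configuration.
        self.honour_cache_control = honour_cache_control
        self.store: dict[str, Response] = {}

    def fetch(self, path: str, session_cookie: str, origin) -> Response:
        if path in self.store:           # key ignores who is asking
            return self.store[path]
        resp = origin(session_cookie)
        directives = {d.strip().lower()
                      for d in resp.headers.get("Cache-Control", "").split(",")}
        if self.honour_cache_control and directives & {"private", "no-store"}:
            return resp                  # per-user page: never shared
        self.store[path] = resp
        return resp

def what_bob_sees(honour_cache_control: bool) -> str:
    """Alice loads her account page first, then Bob loads his own."""
    cache = SharedCache(honour_cache_control)
    cache.fetch("/account", "sess-alice", render_account_page)
    return cache.fetch("/account", "sess-bob", render_account_page).body

if __name__ == "__main__":
    print("broken config:", what_bob_sees(False))   # Alice's page leaks to Bob
    print("fixed config: ", what_bob_sees(True))    # Bob gets his own page
```

The check a defender would run against a real deployment is the same as the fixed branch here: confirm that authenticated, per-user responses carry private/no-store and that every shared cache in front of them actually honours it.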
 
But their employee handbook is so quirky....

It says everything that this has been going on hours and not a single employee has the spine to just shut down Steam.

What are you even on about? It went on for about an hour earlier today. The core problem was resolved a while ago now. And in fact, they did shut down Steam during the time in which they were fixing the core problem.
 
I hope people who praise valve's management structure take a good look at this situation. Every part of this fiasco -- the half-assed ddos mitigation, the apparent untested launch of code with a massive security hole, and the complete silence to their customer base -- is a direct result of an organizational culture with no leadership, no responsibility, and no employees who are expected to do difficult or unpleasant work.

Good post, it's disappointing that time and time again, Valve has prioritized preserving their corporate culture over their customers.
 
You can recover passwords for a couple of sites with just an email, full name, and address.

With a little bit of social engineering, this could become a pretty large headache for most people.

That's what I'm worried about.
 
Changing passwords in general is never a bad idea.
If steamdb's theory is correct, changing the password during today's mess would have been a bad idea since it would cache those pages and would have allowed others to access them.
And there is no official confirmation that it is actually fixed.
Edit: well, now there is.
 

We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.

Oh yeah, because people knowing other people's steam account names, billing addresses (and thus, potentially their phone numbers) and email addresses isn't an issue.

If steamdb's theory is correct, changing the password during today's mess would have been a bad idea since it would cache those pages and would have allowed others to access them.
And there is no official confirmation that it is actually fixed.

Oh, yeah, I guess then this is where the general rule doesn't apply. I meant to say it doesn't take a breach to humor the thought of updating your passwords once in a while.
 
If steamdb's theory is correct, changing the password during today's mess would have been a bad idea since it would cache those pages and would have allowed others to access them.
And there is no official confirmation that it is actually fixed.
There is and it had nothing to do with passwords.
 
You should not deal with it. You should prefer valve to fucking do something, say something.

Sure. Valve should do stuff (which I'm certain they are) and talk more (they're so bad at communicating), but still, every system like this has risks, and every time something happens, you have an opportunity to learn.

As much as one wants that to not be needed and everything to run perfectly, we know that it's not how it works.

And that's not a defence of Valve, but rather a (IMHO) pragmatic view on these systems.

Considering where my favorite developers are, and what kind of games I like, quitting Steam would mean me having to consider quitting games altogether, and that's not something I'm rushing.
 
In this thread: people freaking out about a small possibility of their personal information being leaked, despite the high likelihood that said personal info had already been leaked elsewhere.
 
Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.

- Valve
They seriously can't just leave it at that. Leaking PII comes with huge repercussions.
 