Steam security issue revealed personal info to other users on XMas Day (fixed)

I see. Thanks for the correction. I had no idea the account name was a private identifier that was completely separate from the public username. I thought the profile name was just a displayed thing and you still needed to add someone via their username.

So I haven't read all 30 pages that I missed during the day, but I saw the edits to the OP claiming there was no evidence of compromised CC info. So what's with the people saying they had suspicious transactions on their credit card? Unrelated, or Valve giving us BS platitudes?

I'm not aware of any substantiated information of unsolicited purchases on compromised Steam accounts. From what we've been told by multiple credible sources, including Valve, this should be impossible.

Financial institutions are slow, especially around the holidays. My guess is, people purchased some games over the course of the sale, checked their bank, and then jumped to conclusions when the deduction showed the 25th.
 
My bad. Looked like a drive-by defense post from first read. My point still stands that it is barely a response. They don't even say they're investigating. It's very upsetting as someone with thousands of dollars vested in Valve and Steam.

I own over 700 games on Steam and think you are blowing this completely out of proportion. Everything outside of credit card information is freely available on the web. If you don't believe that, you are being naive.

Also if you don't want your information potentially released you shouldn't be storing it on a digital format online. I say this as a person who has been involved on multiple sites with security breaches.
 
Well I just got home from work. Nice to see my Wallet still having the same amount I saw it had last.

Can't wait for my free Undertow HD Remastered gift.
 
Seems like whoever saw my account managed to compromise it and modified it so my password reset was sent to them... oops.

Contacted Steam Support and contacted my bank to block the transactions. I'll see what happens next!
 
I don't think so, probably not.

Needless to say I've learned a valuable lesson in account security. Currently updating all my online accounts everywhere lol

Yeah, definitely get the Steamguard up and running. It will send you an email to confirm your account if someone tries to access from an unauthorized location. I think it would have saved you from them being able to change your email in this case.

I'm not sure what time that would be for me but I logged in about 30 minutes ago and before that I logged out probably 12 hours ago.

From what I understand, they could only see some store pages that you went to, so if you went to your account page or went through checkout you could have been, but if you just logged in and played a game or whatever, afaik you should be ok, but it's kinda up in the air until Valve actually details what the cause was.
 
Not really related to 64-bit though.

Sure it is related. The reason it runs like crap is that it's not properly threaded and can't utilize a decent amount of RAM, i.e. it's 32-bit. Well, they could have coded a decent client in 32-bit, but that's obviously beyond their capability (or caring). Going to 64-bit gets you some automatic gains.
 
I didn't log in during the vulnerability period, I don't have any steamguard alerts or unwanted purchases and I don't even have a payment method saved - but I'll change my password just in case, I think. You can't be too careful about these things.
 
I didn't log in during the vulnerability period, I don't have any steamguard alerts or unwanted purchases and I don't even have a payment method saved - but I'll change my password just in case, I think. You can't be too careful about these things.

Eh, the one thing that did not get compromised was the password. I mean, it doesn't hurt to change it, but unless Valve got completely hacked, it's not really necessary.
 
I might have missed it in the OP but is there any way to see if someone got access to your account or found any info? Or no clue yet?

someone emailed me and told me my account was "shown to the world during the Great Christmas Leak". anyone else get an email like that?


someone also deleted my CC number from my account, so thanks for that, whoever
 
Interesting. Got a security code sent to my phone. Looks like someone was trying something I guess? All my info is fine on my account, nothing changed, still have Steam Guard enabled, no email alerts though and no CC on file. Hmmmm.

I haven't received a text code since I added my phone number. Odd.
 
Took my CC info off just to be safe when I got word, think I'll keep it off until I buy my next game that doesn't use a giftcard balance.
 
Fixed it, looks like there was some fuckery going on with the password recovery process. Like I entered my e-mail address for recovery, but it then had me send a recovery message to the wrong phone. Oh well.
 
someone emailed me and told me my account was "shown to the world during the Great Christmas Leak". anyone else get an email like that?


someone also deleted my CC number from my account, so thanks for that, whoever

No, but I probably would have done the same if I saw someone's account info. Awesome that they were willing to let you know that your stuff was exposed.
 
Fixed it, looks like there was some fuckery going on with the password recovery process. Like I entered my e-mail address for recovery, but it then had me send a recovery message to the wrong phone. Oh well.

So you weren't hacked at all in the first place?

If so that's a relief :)
 
So you weren't hacked at all in the first place?

If so that's a relief :)

Yeah, first I entered my username (which turns out wasn't the right one, lol). Then I entered my e-mail, which gave me a different phone number for whatever reason. Then I finally tried it with my phone number. I'm fortunate I sorted this all out now too because I got a new provider today and got a new phone number! At least I'm like super security man now lol. Decently complex password, 2-step authentication everywhere, etc.
 
Wow, 73 pages! Talk about a mistake.

 
Thank the Lord, no payment methods associated with my account and steam guard is on.

What a clusterfuck.

I knew long ago as to why I shouldn't ever tie a payment method to shit like this. Look what happens.
 
I didn't use Steam for quite a while but started it up and checked my account's details when I heard it started showing details from others. Wish I didn't do that...

Regardless. Steam Guard was up. I have no phone numbers listed.
No payment methods linked to my account. No billing address shown from what I can see.
My e-mail, Steam account name and country is the most they could have seen apparently.

Still. This was pretty scary.
 
Quick summary:

  • Viewing the Account Details page on Steam showed you as logged in as another user and allowed you to see their account details, including amongst other things the last 4 digits of their card number, their Steam account name and the E-Mail the account is attached to.
  • People start testing it and realize it does work; people become nervous about being affected and their account information being shown.
  • Couple of people report there have been purchases made causing people who have attached payment methods to panic
  • Huge demand that Valve takes down the servers and criticism for taking so long to do so.
  • SteamDB offers their theory on what happened, says it's not safe to log in or even view Steam pages making those who have been checking if the issue was still ongoing even more nervous
  • "Yeah yeah we're working on it" statement made by a Community Manager on Steam, declining a hacking attack
  • 1 hour later Steam servers go down (finally)
  • It is revealed that you could also see people's addresses and their full phone number(s) due to this issue. (if saved to the account due to the payment option)
  • Servers come back up without Valve saying anything
  • Valve releases short non-apology confirming SteamDB's theory but doing jack to inform people about their personal information being exposed.
  • Discussion about Valve's handling of the situation mixed with a bunch of people coming in thinking it's still an ongoing issue

I think that's the gist of the thread, sorry if I missed something.

Nice, thanks.

I use Paypal for payment with 2-Factor, so I'm not stressing.

By the way, have I mentioned how awesome 2-Factor is?
 
Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.

So being able to remove paypal, CC and change email notifications is not "unauthorised actions"? People were able to do this if when they did they weren't redirected to a new person's page.

Such a bullshit response of dancing around it, they don't acknowledge that people seeing information like your paypal email as an unauthorised access that you may have not wanted to be known for example. Just a simple brush off the shoulder "they could see randomly pages of users". They don't even apologise.

I, like many others, have 2-3 different email addresses: my paypal email that is related to other stuff is unique and unknown, my email used for services like Steam is unique, and I have another personal email I use for forums and the like. There are emails that I've never exposed on the Internet publicly and exist solely in their systems/databases, but now two of them will be in some data dump that'll be used at some point for spam, brute forcing, etc. But yeah Valve, totally okay. There's a reason why I don't use a single address for everything and why I'd like some email addresses like my paypal one to be completely private.
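
Valve's statement quoted above attributes the exposure to a caching issue introduced by a configuration change. As an added illustration (not code from Valve, SteamDB or any poster in this thread; the origin, paths, user names and cache policy are constructed assumptions), this simulates a shared cache keyed on the URL only, first ignoring and then honoring `Cache-Control: private`:

```python
from dataclasses import dataclass


@dataclass
class Response:
    body: str
    headers: dict


def origin(path, session_user):
    """Constructed origin server: renders a per-user page for /account."""
    if path == "/account":
        return Response(f"account details for {session_user}",
                        {"Cache-Control": "private, no-store"})
    return Response("store front page", {"Cache-Control": "public, max-age=60"})


def is_shareable(resp):
    """A shared cache may keep a response only if it is explicitly public
    and not marked private or no-store."""
    directives = {d.strip().split("=")[0].lower()
                  for d in resp.headers.get("Cache-Control", "").split(",")}
    return "public" in directives and not directives & {"private", "no-store"}


class SharedCache:
    """Hypothetical edge cache sitting between all users and the origin."""

    def __init__(self, honor_cache_control):
        self.honor_cache_control = honor_cache_control
        self.store = {}

    def get(self, path, session_user):
        # The key is the URL only: the session cookie is not part of it.
        if path in self.store:
            return self.store[path]
        resp = origin(path, session_user)
        if not self.honor_cache_control or is_shareable(resp):
            self.store[path] = resp
        return resp


def served_to_second_user(honor_cache_control):
    """Return the body a second visitor receives after a first one loaded /account."""
    cache = SharedCache(honor_cache_control)
    cache.get("/account", "alice")              # first visitor warms the cache
    return cache.get("/account", "bob").body    # what the next visitor is served
```

With the misconfigured policy the second visitor is served the first visitor's page without any credentials being compromised, which matches the "viewing of cached page information" wording in the statement.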
 
Your data is probably already out there from a different leak. You just don't know about it and therefore aren't as likely to be proactive about it.

Well not that much different from card skimming and people who most likely refreshed steam 1000 times to sell to dodgy eastern europeans crime gangs.
 
People have to remember that this isn't like a standard data breach. Depending on if your info was seen and by who you may be perfectly safe. While I'm sure there may have been a few people taking notes it would have taken time to do so and I doubt they'd get to a lot of people. Most people that saw others' info will forget what they saw by tomorrow. Just something to think about. As far as we know this wasn't the result of some group trying to get your personal info for malicious intent.

Since news spread quickly, couldn't criminals purposely look into pages to get people's info?

There'd be more than enough for social engineering access to other accounts. And once you're into someone's email account you can reset passwords and dive into bank accounts etc
 
*wakes up* ehm can someone make a summing up what happened? I never link my paypal anyway with steam but this was another security flaw with steam?
 
Quick summary:

  • Viewing the Account Details page on Steam showed you as logged in as another user and allowed you to see their account details, including amongst other things the last 4 digits of their card number, their Steam account name and the E-Mail the account is attached to.
  • People start testing it and realize it does work; people become nervous about being affected and their account information being shown.
  • Couple of people report there have been purchases made causing people who have attached payment methods to panic
  • Huge demand that Valve takes down the servers and criticism for taking so long to do so.
  • SteamDB offers their theory on what happened, says it's not safe to log in or even view Steam pages making those who have been checking if the issue was still ongoing even more nervous
  • "Yeah yeah we're working on it" statement made by a Community Manager on Steam, declining a hacking attack
  • 1 hour later Steam servers go down (finally)
  • It is revealed that you could also see people's addresses and their full phone number(s) due to this issue. (if saved to the account due to the payment option)
  • Servers come back up without Valve saying anything
  • Valve releases short non-apology confirming SteamDB's theory but doing jack to inform people about their personal information being exposed.
  • Discussion about Valve's handling of the situation mixed with a bunch of people coming in thinking it's still an ongoing issue

I think that's the gist of the thread, sorry if I missed something.

*wakes up* ehm can someone make a summing up what happened? I never link my paypal anyway with steam but this was another security flaw with steam?

.
 
Nice, thanks.

I use Paypal for payment with 2-Factor, so I'm not stressing.

By the way, have I mentioned how awesome 2-Factor is?

What's ludicrous about 2-factor authentication is that Blizzard, Steam, Microsoft, etc. use it. Even things like Kickstarter and Dropbox have it.

Guess who doesn't have it? My bank, my credit card companies, and my online stock broker. We're not talking about some tiny-ass banks either, this is Chase and Citibank I'm speaking of here. It's not an exaggeration to say that the bigger and more important the site is to your finances, the less likely it is that they offer 2-factor authentication.
 
100% done with Steam after this mess.

I can't think of a way they could have fucked up their handling more. It's borderline impressive.
 
What's ludicrous about 2-factor authentication is that Blizzard, Steam, Microsoft, etc. use it. Even things like Kickstarter and Dropbox have it.

Guess who doesn't have it? My bank, my credit card companies, and my online stock broker. We're not talking about some tiny-ass banks either, this is Chase and Citibank I'm speaking of here. It's not an exaggeration to say that the bigger and more important the site is to your finances, the less likely it is that they offer 2-factor authentication.

It's pretty fucking sad, isn't it?
 
I do have a Steam account, but I have not accessed it in months, will I be ok?

I don't have any credit card/paypal info on there, I don't have any address/phone details either as far as I know,

What if my account was accessed, could the log-in info have been changed? How will I get back into my account? I'm going to have to check later this morning.
 
Until Steam learn to handle issues better AND improve on their level of customer support I think I'm going to spread my purchases across other DD platforms like GOG, Origin and Uplay a lot more.

It's about time they got a kick up the arse and that we as consumers exercised our rights to purchase using the competition. There is no logical reason not to anymore. I'm just going to go wherever the price is best.
 