RadioactiveLobster
Member
What amazes me is we'll probably see a bunch of people who (don't) watch this video and spend their time explaining how TB isn't a consumer advocate.
It's a good watch.
-
Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.
Steam security issue revealed personal info to other users on XMas Day (fixed)
- Thread starter Quirah
- Start date
What amazes me is we'll probably see a bunch of people who (don't) watch this video and spend their time explaining how TB isn't a consumer advocate.
It's a good watch.
Yeah I have watched it. I have also contacted ICO(uk).
KZXcellent
Member
Good video on the subject as expected of TB.
I still find it absolutely ludicrous that Valve hasn't at least apologized for this nonsense. Absolutely disgraceful.
What he says here is wrong though:
Even without a Steam account, you were able to see all of this (I did).
REALLY!?!?!
Very good video! I invite everyone to view it.
I'll keep an eye on this thread and on others. Valve is guilty of negligence. How they acted was irresponsible. This should never have happened. If they finally decide to apologize (which will account for nothing: they should have contacted everyone directly to inform them of what happened, in details, day one), I won't care: too little, too late. I am done with them.
Yes, using Google's cache on any browser.
Yep, it was also mentioned earlier in this thread. Simply going to this page
https://store.steampowered.com/account
was enough to see a random person's account.
MomoPufflet
Member
Yes, and you could just keep hitting refresh and see as many personal account details as your heart desired.
Can confirm, that's how even Google's bot cached someone's account details page for a few days.
For anyone curious, that cache was updated by now.
doctorcdcs
Member
All I know is if this happened in the healthcare field, shit would hit the fan and then some.
Lalalandia
Member
Yup it's tragi-comic reading people trying to dismiss this as minor if you have any familiarity with the legal obligations on companies that hold PII. Where's hoping that the silence of the press is a Christmas thing (Kotaku/Destructoid excepted ofc)
I just wanted to say I finished listening to this and definitely it is worth listening to, if you're aware of the issues and the the effects of personal information leaking out, at least listen to the end of it, he makes some really good points.
I completely agree that Valve is too big of a company to continue pulling shit like this without receiving any criticism, and the stonewalling from dedicated fans trying to defend their lack of communication really needs to stop.
The only thing is... Didn't someone already say they have been getting phone calls and sign-ups for various accounts using their emails due to this? I think it's already too late to only speak of the theoretical people getting harassed due to their information leaking out due to this and the tragedy of that; that's supposedly already happening.
Exactly, I'd get my ass kicked into the next universe if I gave out any information about my patients. I'm not even allowed to tell their relatives (even if they verify themselves) on how the patient is doing since I am legally obliged to not do that if I don't have the permission from the patient to do so.
If I gave out personally identifiable information like that to strangers or alone just stuff like E-mail addresses or phone numbers, I'd be sitting in jail.
Head.spawn
Junior Member
To be fair, they were probably only talking about it in regards to DOTA 2.
That's a weird guesstimation to take, considering you could clearly see purchasing history, activated Steam Guards, money in the wallet etc etc. Either way, I doubt their name, email address and phone number is dead/fake/forgotten or an alt.
RadioactiveLobster
Member
People have said a lot of things (and he covered this in the video) but provided no actual proof of it happening.
I guess that's true. I agree with TotalBiscuit that I hope nobody suffers harassment due to this then.
newtypepilot
Member
TB released video about this and Steam issued statement afterwards..... that timing lol.
Having barely paid attention to this when it was happening (main PC was off and I was away), was there anything outside of that list that seemed to be available? I skimmed the Kotaku article but didn't see anything.
As someone who has worked with a lot of sensitive info (namely, web systems that handled payments), those things listed aren't exactly considered super critical data. Last four is kept as a helper to users - your actual, full, CC number is never stored unencrypted or even stored at all - PCI compliance is incredibly strict and not something you screw around with. Hell you can get name and last four off of discarded CC receipts. Having your last four 'stolen' sounds scary but it's basically useless in itself.
Your email and phone is already on the internet somewhere, you've probably listed it somewhere public you forgot about.
The 'Confessions' article that talked about stealing a Netflix account was more of an implication of lousy Netflix security than anything else.
As for the BBB, they're not very trustworthy and shouldn't be your gold standard on a company's quality. They're a business, through and through, not a non-profit watchdog or part of the government. Take their ratings with a grain of salt.
As someone who keeps their Steam profile on Private, doesn't use Facebook, Twitter, etc and is generally fairly cagey with online info, having those bits of data taken doesn't frighten me in the least.
Edit: So reading their response, what could have been taken in a worst case amounted to very little, at worst your billing address/email address, both of which are typically easy to dig up via other means.
doctorcdcs
Member
PreyingShark
Member
Finally!
I haven't logged into Steam or its website for at least half a year so I guess I'm good. Sucks for those affected though.
Such as? People post that info to Facebook regularly, on public profiles. Whitepages can net you a phone and address. A name can find you an email address. An exposed database (of which there are countless) can reveal that and more and you'll never know. Valve's failure here was visible, but most are not, many go uncaught for years.
Your name, email address, and phone number are not that valuable to anyone out there that actually cares about stealing your personal info.
it was just a caching issue for the image host. For an hour giant bomb pics were randomly switched with other gaming journo sites pics.
this whole debacle is funny, sad and premise for deep concern
SchrodingerC
Member
I was more talking about the total steam account numbers, not the ones that were affected.
doctorcdcs
Member
Forgive me, having to type this on a cellphone since my PC is disconnected so this might look messy.
So? Those people chose to put out their personal information. Steam users didn't give valve permission to display it for people on the internet to see. Like I said earlier, if this was in the healthcare field, this would be on the evening news. There's a reason why acts like HIPPA And PHIPPA exist.
Do you not have the option to unlist yourself from the whitepages? I think there is. Also, if you use multitple email addresses with fake names, I don't know if it would be as easy as you are implying.
Im not really sure where youre going with this.
Its nice to see that you don't think social engineering isn't a big deal but I would disagree.
Lets use stump as an example. His personal information was shown (I have no idea if he had items in his cart which would have shown even more information apparently).
Now, as a mod for neogaf, I'm sure he's made his fair share of friends and not so friends. He used the same user name and avatar for both steam and GAF so associating the two coming from the same person wouldn't be that hard. Now we know people on GAF had seen his personal information from earlier. Who knows if one of them has an axe to grind against him?
From something minor like a bunch of pizzas being sent to his house to a swatting incident could occur, not to mention the potential identity theft issues.
In the end, agree to disagree with you on this one.
So? Those people chose to put out their personal information. Steam users didn't give valve permission to display it for people on the internet to see. Like I said earlier, if this was in the healthcare field, this would be on the evening news. There's a reason why acts like HIPPA And PHIPPA exist.
Do you not have the option to unlist yourself from the whitepages? I think there is. Also, if you use multitple email addresses with fake names, I don't know if it would be as easy as you are implying.
Im not really sure where youre going with this.
Its nice to see that you don't think social engineering isn't a big deal but I would disagree.
Lets use stump as an example. His personal information was shown (I have no idea if he had items in his cart which would have shown even more information apparently).
Now, as a mod for neogaf, I'm sure he's made his fair share of friends and not so friends. He used the same user name and avatar for both steam and GAF so associating the two coming from the same person wouldn't be that hard. Now we know people on GAF had seen his personal information from earlier. Who knows if one of them has an axe to grind against him?
From something minor like a bunch of pizzas being sent to his house to a swatting incident could occur, not to mention the potential identity theft issues.
In the end, agree to disagree with you on this one.
it wasn't even a pop-up from the client, which was happy to inform me of the new tweaks for the steam controller i didn't buy earlier, but if it wasn't for this thread, and actually witnessing what happened first-hand, i would have no clue that anything like this had occurred.
i didn't even know that the password hack had happened over the summer until i saw a pop up interrupting my attempts to play ffxiv.
i think from now on, it's time to just buy gift cards to load into the steam wallet. i only just recently stored my information because of the sale. needless to say, i regret this immensely.
really disappointed in how this was handled overall. this has definitely soured my opinion of Valve.
All I see is can, can can. Yea, all of that PII possible could be found else were, but the fact is it was exposed through Stream, who has a duty to protect that data, no matter how trivial you are trying to make it.
There are actually legal ramifications to not protecting PII.
Also saying no one cares about the info that was exposed is totally wrong. Advertising companies pay big bucks for this type of stuff
paperspace
Member
Made a new thread on Valve's response : http://www.neogaf.com/forum/showthread.php?p=190820207#post190820207
See Valve, it wasn't that difficult.
Saintruski
Unconfirmed Member
Reading there official release, the TL;DR is we are investigating fully and gathering all information before releasing conclusions and information...that should have been said hour one...
Blah blah DoS, blah blush blah identifying users, blah blah blah, working with cache partner, blah blah blah working on it.
Blah blah DoS, blah blush blah identifying users, blah blah blah, working with cache partner, blah blah blah working on it.
Lalalandia
Member
Much better, would have preferred if it had been a pop-up announcement as if not for Chaobreaker I wouldn't have seen it all. Attacks happen, mistakes happen but Valve's poor communication has made this worse I hope they learn from this (he said more in hope than expectation).
Roland1979
Junior Member
I had not yet, so thank you.
Good. Maybe not a slow response but it's not exactly fast either.
Dreams-Visions
Member
Communication is not Valve's strength.