
Steam security issue revealed personal info to other users on XMas Day (fixed)

How is it better that Valve's own internal systems allowed this to happen?

Steam is now asking me about adding a phone number? I wouldn't think it.
 

DarKshodaN

Member
I guess Valve is done after this; this is even worse than the PSN debacle.

Shut Steam down, I can't believe I can still see accounts from other guys when I refresh my account.
 

FStubbs

Member
The store parts of the client haven't worked for me and others for months. I guess Valve doesn't care if I buy things or not.
 
Someone just removed my phone number from my account. Thing is, I've got email Steam Guard turned on... so they shouldn't be able to do shit w/o my email password, right? No saved CC info here.
 

Grief.exe

Member



*Yet you can purchase items on other people's accounts and view personal information....Merry Christmas.

Steamdb is not associated with Valve in any way, but you cannot purchase items in someone else's account.
 

Kalor

Member
Well, I don't think I saved my purchase stuff to Steam but I should be fine. This is a crazy security flaw and on Christmas Day as well where purchases likely are higher.
 

DeaviL

Banned
This isn't a "shit happens" sort of thing. They have a responsibility to make SURE this doesn't happen, ever.

They do, and yet it is a "shit happens" moment.
No frothing at the mouth is gonna help you.

Log out, check your e-mails, wait for a Valve response.
No one's got your passwords, no one's got your CC's 3 number safety code (only the last numbers).

So should I not be playing any games right now? Even in offline mode?
Offline should be fine?
Disable your Wifi so it doesn't even try to connect.
 

Vilifier

Neo Member
I had the same thing happen to me. I am using the Steam client and it started to act strange, and it ended up showing me someone else's account while I was still logged into my account. I just signed out immediately and went and played Xbox instead. I didn't realise it was this serious.
 
If you can see pages constructed for other people it's cache failure which is bad.

But if you can/could DO stuff under someone else's account it isn't just that, it's duplicate/overlapping/broken security tokens, which is much worse.
 

Geg

Member
I just tried opening Steam again and it can't connect me to the network. Maybe they're finally shutting things down?
 

gofreak

GAF's Bob Woodward
So they're saying not to go to Steam links, or not to go on Steam at all?

I'd rather like to log on to my account to get rid of my CC information, please and thanks.
 

obear

Banned
Holy crap.

Can anyone actually buy stuff though? I can't seem to remove my details :(

I think if you had money stored I would think someone could spend it. But if you had 0 money I wouldn't think they could use your card...it would try and ask for verification I think.

They need to pull the plug now
 
The thing that makes me the most angry is the fact that they are electing to keep this issue online letting others access a ton of potential accounts allowing for compromised information.

Very disappointed and dissatisfied with Valve currently. The only silver lining is hopefully this teaches them a lesson and they get their shit together.
 

Palculator

Unconfirmed Member
The "Security breach" thing is poorly phrased. They just mean it's not hackers compromising Valve's security, but a huge cock-up on their end.
 
Not buying it. Cache-control headers would not give you the authorization to go to other pages in the account. Once you get someone's account page you can go anywhere and (I suppose) change anything. That's not caching and even if it is, it's a colossal security fuck up.

Yeah, also SteamDB isn't affiliated with Valve so they are probably guessing? My guess is a session-handler bug, in which case logging out is a very good idea.
 

MageBoySA

Member
Not buying it. Cache-control headers would not give you the authorization to go to other pages in the account. Once you get someone's account page you can go anywhere and (I suppose) change anything. That's not caching and even if it is, it's a colossal security fuck up.
I clicked on the account link on my phone not logged in and got an account starting with "z." Clicking on other links got me account names starting with different letters.
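
A small model of the distinction debated in this thread (seeing cached pages versus acting with someone's session), added here as an example and not taken from any post, SteamDB or Valve: a shared cache keyed only by URL sits in front of an app that checks the session cookie on every request. All names, tokens and phone numbers are constructed, and the model makes no claim about how Valve's systems were actually built.

```python
# Constructed model: origin app plus a shared cache in front of it. All names are hypothetical.
SESSIONS = {"tok-zed": "zed", "tok-amy": "amy"}   # session cookie -> account
PHONES = {"zed": "555-0101", "amy": "555-0202"}   # per-account state

def origin(method, path, cookie):
    """Application server: authorizes every request by its own session cookie."""
    user = SESSIONS.get(cookie)
    if user is None:
        return {"status": 401, "headers": {}, "body": "login required"}
    if method == "POST" and path == "/account/phone/remove":
        PHONES[user] = None
        return {"status": 200, "headers": {}, "body": f"phone removed for {user}"}
    headers = {"Cache-Control": "private, no-store"}  # origin marks the page as per-user
    body = f"{path} for {user}: phone={PHONES[user]}"
    return {"status": 200, "headers": headers, "body": body}

class SharedCache:
    """Caching proxy. honor_headers=False models the misconfiguration."""
    def __init__(self, honor_headers):
        self.honor_headers = honor_headers
        self.store = {}

    def request(self, method, path, cookie=None):
        if method != "GET":
            return origin(method, path, cookie)   # writes always reach the origin
        if path in self.store:                    # cache key is the URL only; cookie ignored
            return self.store[path]
        resp = origin(method, path, cookie)
        cc = resp["headers"].get("Cache-Control", "")
        per_user = "private" in cc or "no-store" in cc
        if resp["status"] == 200 and not (self.honor_headers and per_user):
            self.store[path] = resp
        return resp

def demo(honor_headers):
    cache = SharedCache(honor_headers)
    cache.request("GET", "/account", "tok-zed")           # zed loads his page
    cache.request("GET", "/account/history", "tok-amy")   # amy loads a different page
    # A visitor with no session now requests the same two URLs, then tries a write.
    seen = [cache.request("GET", p)["body"] for p in ("/account", "/account/history")]
    write = cache.request("POST", "/account/phone/remove")
    return seen, write["status"]
```

With `honor_headers=False` the logged-out visitor is served zed's page on one URL and amy's on another, yet the write is still rejected by the origin; with `honor_headers=True` nothing per-user is stored and every request is judged on its own cookie.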
 