Support NeoGAF

[DrM]

I just saw an account with about €173 in his wallet...

I am getting random Czech accounts instead of mine

 

[akira28]

ahhh its those people who ddos the game networks apparently. how strange. waste of electricity.

 

[Psyrgery ES]

https://store.steampowered.com/account


Wtf. I got a Norwegian persons account there.

Doesn't let me visit other profiles now. Are they shutting everything off?

 

[Sleeping Lesson]

Has anyone actually had a purchase made using their account?

 

[Lkr]

I can view accounts here - https://store.steampowered.com/account

And im not logged into steam at all

holy shit this is even worse than i thought

 

[SpartanSlayer117]

KILL THE SERVERS for the love of God Valve this is pathetic!

 

[Cleve]

I guess valve is done after this, this is even worser then the psn debacle.

It's not as bad as the PSN debacle, but it really is bad. Valve certainly isn't done, but the developer that pushed this live might be.

 

[Terbinator]

Wow.

 

[TunaMarshmallow]

I tried logging in a few mins ago, and now Steam's pumping me out a few Steam Guard emails (with code) per minute. Very nice. Smooth as silk this shit is.

 

[Real Hero]

argghh, I can't check if I had my paypal log in saved

 

[stryke]

Well this is fucking great. And I'm about to go on a road trip as well, I won't have time (or the reception) to keep an eye on this.

 

[TheSpoiler]

So the things that CAN happen are:

People buying things with your Steam credit
Changing your emails to something else
Looking at whatever information is saved to your card, including your phone number and address

What else?

 

[Soyongdori]

Guy in reddit said people can de-authorize someone else's computers and mobile devices.

 

[Robot Pants]

Yo they need to shut down steam asap. This isn't good

 

[Demon Lizardman]

 

[Lagamorph]

I just get page load errors now. Looks like Valve might have just pulled the plug until they fix it.

 

[Rebel Leader]

I was trying to delete my CC.... I think I deleted someone elses


Holy Shit

 

[Bunta]

Steam is down now

Not for me, still the same shit.

 

[Qassim]

So, if I haven't touched Steam today at all, I should probably keep it that way?

Yes, it appears to be a session caching issue. Given I keep seeing people posting a few usernames (which I have also seen), it may be limited to a relatively small amount of people (or something else is going on), it's best to not try and login - to avoid having your saved session being brought up into memory. (All speculation, of course).

 

[Vincent4756]

Holy shit my Steam guard just kicked in. Some one trying to log in from NY. I'm in ohio. Holy fuck.

 

[Enter the Dragon Punch]

argghh, I can't check if I had my paypal log in saved

go change your paypal password

 

[Zalman]

I can view accounts here - https://store.steampowered.com/account

And im not logged into steam at all

wow

 

[chrominance]

From what I can tell, here's the information that could be compromised:

last 2 digits of your credit card
Paypal email address
amount in your Steam wallet
last four digits of your phone number
account email address

 

[DNAbro]

The "Security breach" thing is poorly phrased. They just mean it's not hackers compromising Valve's security, but a huge cock-up on their end.

it's more like steam blew open the a hole from the inside.

 

[Panda Rin]

https://store.steampowered.com/account


Wtf. I got a Norwegian persons account there.

Was able to view accounts before, but that's not the case anymore.

 

[Vilam]

I can view accounts here - https://store.steampowered.com/account

And im not logged into steam at all

Holy shit, yeah... That's seriously fucked. Now I'm worried about what I had saved on my account and who's looking at it. What a completely fucked security screw up.

 

[Lautaro]

Ok, maybe I won't get my card used but I guess I can say bye bye to the sales of my game that I expected during this Christmas... fuck this is the worst year to became an indie dev.

 

[FoneBone]

I'm not even able to login to edit my account info.

 

[owasog]

Now all the prices are in British Pounds! WTF is going on?!?!?

 

[Grief.exe]

I was trying to delete my CC.... I think I deleted someone elses


Holy Shit

Sounds like that's impossible.

 

[Vibranium]

People are going to be demanding compensation from Valve after this, that much is certain.

Free TF2 hats for everyone?

 

[ItIsOkBro]

Okay it seems like they're redirecting people to the login page instead of someone else's account.

 

[ss_lemonade]

Is there any point to logging out if entire pages are cached on a server and being randomly served to people? I mean, it looks like you don't even have to be logged in to view the account pages

 

[TronLight]

DUDE thank fucking god Steam decided to crash just the moment before I decided to add my CC details this evening! Jesus.

What the hell.

 

[FACE]

I can view accounts here - https://store.steampowered.com/account

And im not logged into steam at all

Seems like that doesn't work anymore.

 

[gofreak]

Security breach or not, personal info exposed like this, in particular email addresses, is a VERY serious matter.

That makes it a breach. Doesn't matter whether the vector was a deliberate hack or a inadvertent delivery of data via 'normal' browsing - the leak of personal info is a security breach.

Perhaps they mean to say it's not a deliberate/explicit hack. But that reflects even more poorly on the system if it was a system mess-up.

 

[Mihos]

Has anyone actually had a purchase made using their account?

According to their purchase history of the ones I saw, no. No purchases at all snice November

 

[Kezen]

I don't have any payment information saved on my account but I'm feeling very uncomfortable about the fact that someone could very well be accessing my account as I'm writing this.

This really should not happen when you have billions in the bank.

 

[commissar]

Well the steam store account now says to login so thats something i guess.

This is so fucked

 

[Tainted]

I cant even login to Steam at the moment, every time I try to....I get a steamguard code verification email

Damn, I've never seen something like this before

 

[Palculator]

argghh, I can't check if I had my paypal log in saved

You can on your PayPal account settings. On the PayPal website, I mean. Not Steam.

 

[Fitts]

So if someone else purchases something with the funds in my steam wallet it will just be added to my library, yes? I'm sure they'll be inundated with refund requests due to fraudulent activity, but at least there seems to be a level of recourse.

 

[dity]

I'd trust these guys, so if you're having fun looking up random profiles, maybe don't

I only clicked one link for the account details to see if something did show up without being logged in at all, but other than that I'm just going to completely avoid Steam until this clears up.

 

[mugurumakensei]

Not buying it. Cache-control headers would not give you the authorization to go to other pages in the account. Once you get someone's account page you can go anywhere and (I suppose) change anything. That's not caching and even if it is, it's a colossal security fuck up.

It is possible. If it was caching as they say, it could be that they have proxy servers sitting in between the main steam server and users. Alternatively, whatever application container that forms the basis of the steam back-end is possibly being proxied over a different port through apache, and apache is caching content from the application container/server.

 

[lifa-cobex]

Not for me, still the same shit.

wtf

 

[Relaxed Muscle]

Steamdb is not associated with Valve in any way, but you cannot purchase items in someone else's account.

Someone is this thread got charged on his CC, unless is a coincidence or he's lying which both are doubtful.

 

[Zombegoast]

I just transfer out whatever I had left in my E-checking luckily no transaction were made.

 

[Twinduct]

Outside of the personal info breach, they still need the CVV/ CVC number to make a purchase with a linked card don't they?

 

[CoG]

Was able to view accounts before, but that's not the case anymore.

Right click, open link in incognito mode... Still getting someone else's account.

 

[Nocturno999]

Shit, I think someone just bought $20 of games on my account.

If that's the case, change password and ask for a refund.