
Steam security issue revealed personal info to other users on XMas Day (fixed)

obear

Banned
They need to provide direction on their verified twitters. It's a joke that they don't use those for real information
 

daxgame

Member
Steam's website isn't opening anymore, thankfully, at least for me.

An error occurred while processing your request.

Reference #97 bla bla
 
you can still unlink via paypal
 

StereoVsn

Member
As a person who works on a large enterprise network, it's highly unlikely that they have a single button capable of shutting things down. A large-scale commercial venture like this would likely have multiple redundancies and failovers in place to prevent a single-site issue from taking down the entire thing.

If this truly is a software issue somewhere, the engineers would need the back-end systems to continue running in order to troubleshoot and correct the issue, so the answer would likely be to shut down routes in the front-end DMZ routers and/or firewalls to prevent access from the outside. And then hopefully they have some way to VPN in outside of these front-end network components, or a bunch of software guys are going to have to head on-site to fix this.

For more fun, it's very likely that most of it, or at least a substantial part, is cloud-based (pick your cloud provider of choice) plus distributed through a CDN, making "shut it down" all the harder. That said, this is a major fuck up on Valve's part. The issues bypassed their account security measures and revealed a substantial amount of personal information:

Originally Posted by chrominance

From what I can tell, here's the information that could be compromised:

last 2 digits of your credit card
Paypal email address
amount in your Steam wallet
last four digits of your phone number
account email address
+ your country of residence.

Social engineering opportunities galore with this information.
 

Deleted member 80556

Unconfirmed Member
Lots of Steam users are going to get spam mails after today.
 
It's weird how people are playing this off.

A security breach normally is done by a bunch of hackers who either keep that info or put it on a pastebin or something. It's not normally publicly available.

A security breach here is incredibly public, since all it takes is for you to look at a Steam thing. There's a big difference and this one is incredibly shitty and indefensible.
 

Rarius

Member
Their (lack of) response is completely unacceptable. Even poking around in normal use had me accessing like five different accounts; this is a breach of security like I've never seen before, though at least no payment details were entirely taken.
 
What we know so far

  • Most likely an error in the way Steam caches pages.
  • People are able to access random Steam profiles and see compromising information, account names, emails, last 2 digits of credit card, paypal email address, purchases, etc.
  • No changes can be made to the affected account, no purchases can be made. Any evidence to the contrary is, as of yet, unsubstantiated.
  • It's been advised to not access Steam URLs, including the client, until we have more information.
  • Do not post account names you see, huge security risk.
  • Do not log into Steam to unlink your Paypal. If you feel the need, it can be done from the actual Paypal website.
  • Reminder: Steamdb is not affiliated with Valve in any way.

I'll update this post with more information going forward.

what's the point of updating this?
 
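The "error in the way Steam caches pages" theory above describes a classic shared-cache failure: a CDN or edge cache keys responses on the URL alone, so the first user's rendered `/account` page is handed back to everyone who asks for the same URL afterwards. The following is an added example written for this thread, not Steam's or Valve's code. It models a toy origin and a toy edge cache, reproduces the cross-user leak when personalised pages carry no `Cache-Control: private, no-store` (or when the cache ignores it), and includes a small check that flags any response rendered for a session other than the one that requested it. All sessions, names and values are constructed fake data.

```python
"""Toy model of a shared edge cache in front of a site that renders
per-user account pages. Constructed example, not Steam's or Valve's code:
it shows how a cache that keys only on the URL and ignores
Cache-Control hands one user's page to the next user, and how marking
the page private/no-store (and honouring that) stops it."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample sessions and profiles (fake data, no real users).
USERS = {
    "sess-alice": {"name": "alice", "email": "alice@example.invalid", "cc_last2": "42"},
    "sess-bob":   {"name": "bob",   "email": "bob@example.invalid",   "cc_last2": "17"},
}


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def origin(path: str, cookie: str, mark_private: bool) -> Response:
    """Origin server: renders the account page for whoever the cookie says.
    mark_private=False reproduces the misconfiguration (no cache headers
    on a personalised page); True is the corrected behaviour."""
    if path != "/account":
        return Response(200, {"Cache-Control": "public, max-age=60"},
                        "<h1>Store front</h1>")
    user = USERS.get(cookie)
    if user is None:
        return Response(302, {"Location": "/login"}, "")
    headers = {"Content-Type": "text/html"}
    if mark_private:
        headers["Cache-Control"] = "private, no-store"
        headers["Vary"] = "Cookie"
    body = (f"<h1>{user['name']}</h1> email={user['email']} "
            f"card=**{user['cc_last2']}")
    return Response(200, headers, body)


class EdgeCache:
    """Shared cache. honor_headers=False keys only on the path and stores
    every 200 (the bug); True obeys private/no-store and Vary: Cookie."""

    def __init__(self, honor_headers: bool):
        self.honor_headers = honor_headers
        self.store: Dict[Tuple[str, str], Response] = {}
        self.hits = 0

    def _storable(self, resp: Response) -> bool:
        if resp.status != 200:
            return False
        cc = resp.headers.get("Cache-Control", "")
        if self.honor_headers and ("private" in cc or "no-store" in cc):
            return False
        return True

    def fetch(self, path: str, cookie: str, mark_private: bool) -> Response:
        # Look up the per-cookie variant first, then the shared one.
        for key in ((path, cookie), (path, "")):
            if key in self.store:
                self.hits += 1
                return self.store[key]
        resp = origin(path, cookie, mark_private)
        if self._storable(resp):
            vary_cookie = self.honor_headers and "Cookie" in resp.headers.get("Vary", "")
            self.store[(path, cookie if vary_cookie else "")] = resp
        return resp


def simulate(honor_headers: bool, mark_private: bool) -> List[Tuple[str, str]]:
    """Alice loads her account page, then Bob loads his.
    Returns (requesting session, name rendered in the page) pairs."""
    cache = EdgeCache(honor_headers)
    trace = []
    for cookie in ("sess-alice", "sess-bob"):
        resp = cache.fetch("/account", cookie, mark_private)
        name = resp.body.split("<h1>")[1].split("</h1>")[0]
        trace.append((cookie, name))
    return trace


def cross_user_leaks(trace: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Detection check: flag any response whose rendered profile name does
    not belong to the session that requested it."""
    return [(c, n) for c, n in trace if USERS[c]["name"] != n]


if __name__ == "__main__":
    print("buggy cache:", cross_user_leaks(simulate(False, False)))
    print("fixed cache:", cross_user_leaks(simulate(True, True)))
```

Running it shows Bob receiving Alice's page from the buggy cache and nothing leaking once the origin marks the page private and the cache honours it. Either half alone is not enough: an origin that sets the right headers in front of a cache that ignores them, or a compliant cache in front of an origin that forgets them, leaks just the same, which is why a check like `cross_user_leaks` belongs in the test suite of any site that puts a shared cache in front of authenticated pages.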

BHK3

Banned
Why did it take them 45+ minutes to shut down the servers?

Wtf Valve WTF ???

It didn't, they were shut down very early on. What we saw was the front end, that was only just now shut down, the back end was shut down a while ago cause they added error code pages. So far I still haven't seen evidence of money getting jacked or games being bought with credible evidence.
 
Well that was up to 77 million accounts compromised. We don't quite know the severity of this yet.

Nothing was compromised and no one was able to see everyone's full accounts and able to purchase stuff. And Sony shut things down immediately. This is definitely not the same thing and it's worse 100%. Aren't there more people on Steam as well?
 

Steel

Banned
I assume if anybody buys anything with your wallet/stored info those will be added to your library and could be refunded, but I'm not sure about gifts. Can gifts be refunded?

Anything done to your account during this period is pure lawsuit fodder. So, I wouldn't worry about not getting a refund or getting gifted games to the right place.
 

Ahnez

Member
What the fuck

It took them way too long to shut down the server

Holiday sales are more important than protecting users' information? WTF Valve
 

Hale-XF11

Member
Not sure if anyone remembers, but this has happened before during one of the sales (the year that had the upside-down page setup of a different season).

Back then you could also access other people's profiles via a variety of buttons that should have led to your own pages - basket, wishlist, account, profile. You could see stuff but not go any further.

This makes it even worse, knowing that it's happened before and they still haven't fixed it.
 

Lautaro

Member
Valve does have employees working today, I see a few of them damage controlling in this very thread.

If they were paid for it at least it would be understandable...

Nah, don't mind me, I'm just salty that I'm going to sell even less than what I expected. At least in my case I need to enter the verification code of my card to buy so as a consumer I'll be fine.
 

kanuuna

Member
Is there any reason to expect this to be less fucked than the PSN situation those few years back? This seems way worse given how just about anyone can see this shit.
 

gogogow

Member
They need to provide direction on their verified twitters. It's a joke that they don't use those for real information

It's more important to inform us about sales and promotions...

They never ever talk to customers on their Twitter, it's just for marketing.

Says enough about their customer support.
 

Jawmuncher

Member
It's weird how people are playing this off.

A security breach normally is done by a bunch of hackers who either keep that info or put it on a pastebin or something. It's not normally publicly available.

A security breach here is incredibly public, since all it takes is for you to look at a Steam thing. There's a big difference and this one is incredibly shitty and indefensible.

Yep, the fact that literally every person here could see info makes it even worse in a way.
 

legacyzero

Banned
"This is not a security breach"

Uh, yes, yes it is. Seeing other people's information is a security breach, whether or not you can change it.

Crazy stuff. Wonder what's actually going on.
That's not what that means. They're saying that it wasn't deliberately done.
 

Svafnir

Member
It only took less than an hour to pull the plug. Not bad compared to the PSN outage; IIRC it took Sony 3 days since the first attack.

The difference here is that was publicly known and people could look at your info. PSN was an attack that happened and they weren't even immediately aware it happened.
 
The only thing that could happen to me is unauthorized Paypal transactions, most likely. My accounts are linked to my GMail and I have two factor authentication on that, so I imagine anyone trying to get in would be stopped by that. I haven't gotten any texts of one time passwords. It's still unacceptable that this took so long to get noticed by Valve, though.
 
You can only see the last 4 numbers of your phone number used for the security check.

Other pages showed full phone numbers. I won't say where in case the site comes back and the hole still hasn't been patched. But you could absolutely get people's phone numbers.
 

MaddenNFL64

Member
Was wondering wtf was up with Steam. Haven't seen any odd happenings on my Paypal or bank account, so I think I'm good.

But fuck you Valve, for having a royal fuck up on Christmas day. Hope they get sued if anyone had their shit compromised, or stolen.
 
There is nothing to worry about. Credit card companies refund billions to customers for fraudulent charges every year. It's not up to steam, unless they want to lose their credit card processors or breach contract with them.

Valve has already been under fire from Credit Card companies which is why they have been putting authentication steps and wait periods for some purchases across Steam. It is supposedly their reasoning for being unable to trade marketplace items in Dota 2 for almost a month after purchase.
 