
Steam security issue revealed personal info to other users on XMas Day (fixed)

Nzyme32

Member
I think you hit the nail on the head.

I was online during this fiasco but I have no way of knowing if my information was one of the unfortunate ones.

Valve should do everything in their power to at least attempt to locate the accounts that were exposed and contact those users.

I doubt that's going to happen.

Did you use the checkout or the account details page either a few hours prior to the issue occurring or during the issue?

If yes, then your personal information was vulnerable and may or may not have been seen by someone else venturing to see those pages.

If no, there should be no way for your personal information to have been seen, since those pages of yours were never cached in the period where they could become vulnerable.
 

Kiant

Member
So what's the course of action for users now? Is there anything we need to be doing in the client itself right now, or wait for more info still.

Just keep an eye on your account, if you feel extra paranoid - change passwords. If you weren't online at the time of the issue, you'll be fine tbh.
 
Not surprised they're remaining silent. They know they don't have to explain shit to their customers in a timely fashion.

Their fans are ok with below standard customer service support after all this time, so why should they explain?

The US and EU could get involved and then Valve wouldn't be able to remain silent anymore.

The real question is if they care enough to do this. I hope someone there is a PC gamer.
 

Dunkley

Member
So what's the course of action for users now? Is there anything we need to be doing in the client itself right now, or wait for more info still.

Keep an eye on your Steam account and the e-mail account you verified it with. Think about reinforcing your passwords, or changing them to something unique if you use the same password somewhere else; you never know what other website might have a security breach, and I think you'd want to avoid people using the info they gathered from this accident to get hold of the affected accounts once they have any idea what their passwords might be.

On that note, if you're affected I'd also watch out for some phishing emails. Pretty sure someone could easily take advantage of knowing e-mail addresses those Steam accounts are attached to to attempt phishing the password outta them by pretending to be Valve.

I know I might come across as paranoid when it comes to this but at the same time you can never be too sure about protecting yourself.
 

Dunkley

Member
When things started blowing up left and right, I saw someone here post a picture of stumpo's account appearing

yep

Just refreshed and...

rGUH1Wp.png


It's okay stumpo, your account is safe with me!
 

Shito

Member
Well, the error is over. You could remove your attached payment methods, but that's a little like avoiding an airline because they had a crash yesterday.
Well, it would be more like avoiding an airline company for having a crash yesterday because they were modifying the way the wings work while flying, and then not explaining exactly what happened nor recognising said crash.
 

Morrigan Stark

Arrogant Smirk
Rubbish. If you're deploying code on Christmas Day you need more than barebones staff to have ample headroom to deal with any fallout from such a risky move. Even if it's an automated process that rotates machines behind a load balancer, you don't do something that risky during an enormous day of business without some kind of parachute. Proper communication is critical if you're a service based company. AWS/Akamai/Azure certainly don't go incommunicado for 3 hours and release more than a terse reply to a third party blog explaining the situation, no matter what holiday it is on the calendar.

Valve isn't off the hook because it's Christmas; it was entirely their decision to make these critical infrastructure changes in the middle of their biggest holiday sale.
This guy gets it.
 

ss_lemonade

Member
Anyone having trouble logging in to the steam website? Mine has been stuck loading after entering in my login details and after a while, I get an invalid login error. I know it works because I get an email with the Steam Guard code to type in but the login screen does not get me to that screen.

EDIT:
Great, now it tells me I've had too many login failures (and I think that's preventing the steam client from logging in as well? Get a network error this time)
 

mcmmaster

Member
Thank you Valve, I got several emails on the day of this issue stating people had access to my Steam account on a new system. Having dealt with the issue myself on the day, I know how easy it was to see someone's email address.

Just got an email from hotmail today stating someone in America attempted to get into my email account, this is far too soon after the Steam fiasco to not be related.
 

Par Score

Member
Did you use the checkout or the account details page either a few hours prior to the issue occurring or during the issue?

If yes, then your personal information was vulnerable and may or may not have been seen by someone else venturing to see those pages.

If no, there should be no way for your personal information to have been seen, since those pages of yours were never cached in the period where they could become vulnerable.

Sure would be nice to, I dunno, get an email from Valve stating something like this in some sort of official capacity.
 

Kama_1082

Banned
Not surprised they're remaining silent. They know they don't have to explain shit to their customers in a timely fashion.

Their fans are ok with below standard customer service support after all this time, so why should they explain?
The fact that they aren't a publicly traded company means they don't have to say a damn thing about it.
 

Nzyme32

Member
Pretty sure some law was passed that mandates that companies contact their customers whenever their information is breached. I think they have like a month or something to comply.

Edit: Oh, it's been introduced, but not passed yet.

There are laws in certain countries and states for this, and Valve has actually followed them in the past - http://store.steampowered.com/news/7323/

They should do the same if it is significant enough. If not they still should but probably won't as most companies do, which as far as I am concerned isn't ethical.
 

Remfin

Member
Thank you Valve, I got several emails on the day of this issue stating people had access to my Steam account on a new system. Having dealt with the issue myself on the day, I know how easy it was to see someone's email address.

Just got an email from hotmail today stating someone in America attempted to get into my email account, this is far too soon after the Steam fiasco to not be related.
Unless they managed to convince CS to let them in, that has nothing to do with this at all. And it certainly has nothing to do with your hotmail account. You couldn't interact with the pages that let you actually do anything.

Comparing this to previous data breaches is beyond silly. A million people seeing a million other people's info is nothing...it's egg on their face, but not a serious data breach...a bad actor being able to scrape a million accounts is where the issue is. There is no evidence whatsoever that there was any way to control/manipulate what you saw. We're talking like tens of people (potentially) at risk...not millions.
 

Zafir

Member
Unless they managed to convince CS to let them in, that has nothing to do with this at all. And it certainly has nothing to do with your hotmail account. You couldn't interact with the pages that let you actually do anything.

Comparing this to previous data breaches is beyond silly. A million people seeing a million other people's info is nothing...it's egg on their face, but not a serious data breach...a bad actor being able to scrape a million accounts is where the issue is. There is no evidence whatsoever that there was any way to control/manipulate what you saw. We're talking like tens of people (potentially) at risk...not millions.

How is it not a serious data breach when it leaked enough information for people to take a stab at socially engineering some accounts from places?

I don't think it's fair to compare it to, say, the PSN hack, for many reasons (scale, the fact it wasn't a hack anyway, and so on); they were too different, but to say it isn't a serious data breach is putting it lightly to say the least.
 

GnawtyDog

Banned
Thank you Valve, I got several emails on the day of this issue stating people had access to my Steam account on a new system. Having dealt with the issue myself on the day, I know how easy it was to see someone's email address.

Just got an email from hotmail today stating someone in America attempted to get into my email account, this is far too soon after the Steam fiasco to not be related.

Damn...
 

tomasdk

Member
Thank you Valve, I got several emails on the day of this issue stating people had access to my Steam account on a new system. Having dealt with the issue myself on the day, I know how easy it was to see someone's email address.

Just got an email from hotmail today stating someone in America attempted to get into my email account, this is far too soon after the Steam fiasco to not be related.

Sorry to hear that, that's bad. For me, someone is creating Disney Infinity accounts with my email address which keeps spamming me and it began the morning after the breach and it's easy to tell that someone's being a dick by the usernames they are using alone. So thanks Valve. I'm probably done with providing my real information to companies.
 

Ludens

Banned
Thank you Valve, I got several emails on the day of this issue stating people had access to my Steam account on a new system. Having dealt with the issue myself on the day, I know how easy it was to see someone's email address.

Just got an email from hotmail today stating someone in America attempted to get into my email account, this is far too soon after the Steam fiasco to not be related.

And still, on Monday, Valve said absolutely nothing. At this point I just hope they get sued and lose a ton of money for this.
When a company ignores you, the only way to damage them is in the pocket.
 

AXE

Member
Unbelievable.

Valve's Steam had been my go-to place for years and years. Didn't give a rat's ass if a game was as expensive as in retail. I loved the ease of access. Guess I took a lot for granted as this whole debacle actually made me pretty disappointed.

Can't really fathom what they could do to win me back as a paying customer. Oh, I will be a playing customer alright, and I do appreciate the cyber threats looming around and I know that nothing is waterproof, but the not knowing is about the worst kind of condition one can experience in about any matter.

I'll take my money elsewhere from hereon.
 

Saintruski

Unconfirmed Member
The worst part is they leaked emails, probably the most sensitive information, make sure that's secure people, if someone gets ahold of that they have a hold of everything that uses that for recovery.

They are deleting forum posts like madmen too...
 

Saintruski

Unconfirmed Member
Really?
At this point I believe Valve just wants to deny the evidence, otherwise why would they delete threads and posts?

Yea, 5 of my threads alone were deleted one after another. They were harmless, offering what users should do if they are worried, why what was leaked is bad, what social engineering is and what to look out for. Things like that. One suggested Valve insure users for a sum of money for identity theft, fraud, stolen accounts and such and notify users affected. All 5 deleted, and I didn't post them all at once, I posted them after one was deleted. I broke no rules, no spamming, nothing. Just basic PSA, heads up, valuable information and warnings.

What is weird is I've seen more of the sensible ones that make sense, and help, that aren't just salty BS trying to look to sue and get free shit and games. It's like they are trying to make it look like people are blowing it out of proportion and use it for opportunity. Idk, I've seen tons of threads about their threads getting deleted.

I have no clue what they are doing, why they are doing it, their goal, their angle, their gameplan but it's clear they want to sweep it under the rug, hide as much of it as they can while making it look like they are getting taken advantage of IMO.
 

Nohar

Member
Unbelievable.

At this point, I'm fully expecting the Streisand Effect to take place.
Valve made a mistake. Personal information of an unknown number of users was leaked. They didn't inform their customers directly. They used intermediaries, and their message was barebones, lacking several details, including what data has been compromised, and made no apology whatsoever for their blunder. They are actively trying to hide that mistake.

Well, I knew that the UFC-Que choisir in France was suing Valve over some clauses in their subscriber agreement that they consider illegal or abusive. I think it is time to bring what just happened to their attention too, if it hasn't already been done. I'm seriously wondering if I shouldn't inform the National Commission on Informatics and Liberty (Commission nationale de l'informatique et des libertés - CNIL) too (no idea what they could do, but the problem seems serious enough to notice them).
 

Dunkley

Member
Yea, 5 of my threads alone were deleted one after another. They were harmless, offering what users should do if they are worried, why what was leaked is bad, what social engineering is and what to look out for. Things like that. One suggested Valve insure users for a sum of money for identity theft, fraud, stolen accounts and such and notify users affected. All 5 deleted, and I didn't post them all at once, I posted them after one was deleted. I broke no rules, no spamming, nothing. Just basic PSA, heads up, valuable information and warnings.

What is weird is I've seen more of the sensible ones that make sense, and help, that aren't just salty BS trying to look to sue and get free shit and games. It's like they are trying to make it look like people are blowing it out of proportion and use it for opportunity. Idk, I've seen tons of threads about their threads getting deleted.

I have no clue what they are doing, why they are doing it, their goal, their angle, their gameplan but it's clear they want to sweep it under the rug, hide as much of it as they can while making it look like they are getting taken advantage of IMO.

Alright that is fucked up, not only haven't they told customers after 48+ hours their information might have been compromised, they are also deleting any posts that do that for them? Bullshit.
 

megalowho

Member
I have no clue what they are doing, why they are doing it, their goal, their angle, their gameplan but it's clear they want to sweep it under the rug, hide as much of it as they can while making it look like they are getting taken advantage of IMO.
The "strategy" seems to be to just ignore it and let sycophants handle damage control and PR like they always do. Not surprised their forum mods fall under that category and are doing what they can to frame the conversation. Bet there's still folks out there that have no idea their data was viewable to the public, and Valve seems to be going out of their way at this point to ensure they stay uninformed.
 
Duchy of Luxembourg National Commission for Data Protection
https://cnpd.public.lu/en/support/contact/index.php

Good call Beefy, I believe as Valve's registered European office is in Luxembourg, as EU citizens we need to complain there, as with the Facebook case in Ireland. If any other EU Gaffers would care to register complaints, let's get them a refresher on their legal obligations in the EU. They seem to be labouring under the delusion that they can hide behind the weak sauce US consumer data protection obligations.
 

Nzyme32

Member
Unbelievable.

At this point, I'm fully expecting the Streisand Effect to take place.

The Streisand effect is when you say you don't want something spread and it is then exponentially spread out because of that. This is basically a company not speaking about what has happened outside of a single small statement to the press.

The worst part is they leaked emails, probably the most sensitive information, make sure that's secure people, if someone gets ahold of that they have a hold of everything that uses that for recovery.

They are deleting forum posts like madmen too...

Where?
 

Adry9

Member
Duchy of Luxembourg National Commission for Data Protection
https://cnpd.public.lu/en/support/contact/index.php

Good call Beefy, I believe as Valve's registered European office is in Luxembourg, as EU citizens we need to complain there, as with the Facebook case in Ireland. If any other EU Gaffers would care to register complaints, let's get them a refresher on their legal obligations in the EU. They seem to be labouring under the delusion that they can hide behind the weak sauce US consumer data protection obligations.

Signed with this.

Hello,

On the day of December 25th, Valve S.A.R.L, registered in Luxembourg, leaked my personal information (name, e-mail address, last digits of my phone number, last digits of my debit card...) as well as millions of other people's. At this moment, none of us has been contacted directly by Valve S.A.R.L. regarding this incident.

Thank you for your time.
 

Nzyme32

Member
Signed with this.

Where is the proof that this is "millions of people's" information? Valve haven't even talked about quantities yet, and even attempting to make estimations is difficult considering the time span and affected pages. How is this determined?
 

Adry9

Member
Where is the proof that this is "millions of people's" information? Valve haven't even talked about quantities yet, and even attempting to make estimations is difficult considering the time span and affected pages. How is this determined?

Proof? There's none. But Steam had around 10M active users at that moment, that's 10M potentially affected accounts, so yeah, I'm happy with my statement.
 

Nzyme32

Member
So who wants to bet we finally get a response from Valve the day the winter sale ends?

If they don't say anything today (a normal work day), they probably won't say anything at all, which would be really stupid considering there is a lot of varied information around and people are still unsure if things are safe. Stump was affected and has emailed them; I imagine if the numbers are on the low end, those are the people who will be contacted, similar to in the past (as they should be). But still, with the confusion, a proper statement to Steam users is a simple task.
 

Dunkley

Member
Where is the proof that this is "millions of people's" information? Valve haven't even talked about quantities yet, and even attempting to make estimations is difficult considering the time span and affected pages. How is this determined?

There is no proof against the estimate either beyond knowing that some people got the same user, so I don't see the issue with saying that potentially a million users were affected as we got no information from Valve stating otherwise.
 

Nzyme32

Member
Proof? There's none. But Steam had around 10M active users at that moment, that's 10M potentially affected accounts, so yeah, I'm happy with my statement.

That's not how cached pages work. If you didn't access the pages a few hours prior to the issue (the two pages of identifiable personal info were already cached and would be revealed when the issue began) or during the issue, there is no way for your personal data to have been at risk, let alone shown to another user. Assuming 2 hours for both, or even more, I doubt that reaches a million people; however, there is no info to go on regardless.

There is no proof against the estimate either beyond knowing that some people got the same user, so I don't see the issue with saying that potentially a million users were affected as we got no information from Valve stating otherwise.

Yeah, I agree; if you're stating the potential there isn't anything wrong with that, but it isn't a factual statement yet.
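The two posts above (the "did you use the checkout or account details page" rule and "that's not how cached pages work") both rest on the same mechanism: a shared cache that stored a logged-in user's account page and then served that stored copy to whoever next requested the same URL. The toy model below is an added illustration of that general failure mode and of the two controls that prevent it; it is not Steam's or Valve's code, does not reproduce their infrastructure, and its users, cookies and profile fields are constructed. It shows that the leak happens when either side is wrong: an origin that does not mark personal pages `Cache-Control: private, no-store` and `Vary: Cookie`, or a cache that keys on the URL alone and ignores those headers.

```python
"""Toy model of a shared HTTP cache in front of a per-user account page.

Constructed example (not Valve's or Steam's code). It demonstrates why a
shared cache must never store personalised responses: once one user's
account page is cached under a URL-only key, the next user requesting that
URL receives the cached copy instead of their own page.
"""
from dataclasses import dataclass, field

# Constructed sample "session store": session cookie -> profile summary.
USERS = {
    "sid=alice-session": {"name": "Alice A.", "email": "alice@example.test", "card_last4": "1234"},
    "sid=bob-session":   {"name": "Bob B.",   "email": "bob@example.test",   "card_last4": "9876"},
}


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def origin(path: str, cookie: str, mark_private: bool) -> Response:
    """Origin server rendering the account-details page for the logged-in user.

    mark_private=True is the correct behaviour: the page is declared private,
    non-storable, and varying by Cookie. mark_private=False models an origin
    that emits a public, cacheable response for a personalised page.
    """
    if path != "/account":
        return Response(404, {"Cache-Control": "public, max-age=60"}, "not found")
    user = USERS.get(cookie)
    if user is None:
        return Response(401, {"Cache-Control": "no-store"}, "login required")
    body = f"Name: {user['name']}\nEmail: {user['email']}\nCard: ****{user['card_last4']}"
    headers = ({"Cache-Control": "private, no-store", "Vary": "Cookie"}
               if mark_private else {"Cache-Control": "public, max-age=300"})
    return Response(200, headers, body)


@dataclass
class SharedCache:
    """Reverse-proxy style shared cache.

    honour_private=True: respects Cache-Control private/no-store and builds the
    cache key from the headers named in Vary. honour_private=False: keys on the
    URL alone and stores any 200 response (the broken configuration).
    """
    honour_private: bool
    mark_private: bool
    store: dict = field(default_factory=dict)
    vary: dict = field(default_factory=dict)   # path -> header names learned from Vary

    def _key(self, path: str, cookie: str) -> tuple:
        varied = self.vary.get(path, ())
        return (path,) + tuple(cookie if h == "Cookie" else "" for h in varied)

    def _storable(self, resp: Response) -> bool:
        if not self.honour_private:
            return resp.status == 200
        cc = resp.headers.get("Cache-Control", "")
        return resp.status == 200 and "private" not in cc and "no-store" not in cc

    def get(self, path: str, cookie: str):
        key = self._key(path, cookie)
        if key in self.store:
            return self.store[key], "HIT"
        resp = origin(path, cookie, self.mark_private)
        if self.honour_private:
            names = resp.headers.get("Vary", "").split(",")
            self.vary[path] = tuple(h.strip() for h in names if h.strip())
            key = self._key(path, cookie)      # recompute with the learned Vary set
        if self._storable(resp):
            self.store[key] = resp
        return resp, "MISS"


def simulate(honour_private: bool, mark_private: bool):
    """Alice loads her account page, then Bob requests the same URL.

    Returns (alice_body, bob_body, bob_cache_status). A leak is bob_body == alice_body.
    """
    cache = SharedCache(honour_private=honour_private, mark_private=mark_private)
    alice, _ = cache.get("/account", "sid=alice-session")
    bob, status = cache.get("/account", "sid=bob-session")
    return alice.body, bob.body, status


if __name__ == "__main__":
    for hp, mp in [(False, False), (True, False), (False, True), (True, True)]:
        a, b, st = simulate(hp, mp)
        verdict = "LEAK" if a == b else "ok"
        print(f"cache honours private={hp!s:5} origin marks private={mp!s:5} -> Bob {st}: {verdict}")
```

Only the configuration where the origin marks the page private *and* the cache honours that marking keeps Bob's request from returning Alice's page; fixing just one side still leaks, which is why a review of a cache change has to check both the origin's response headers and the proxy's key and storability rules.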
 
Considering a ton of people were on for the Steam sale, and Christmas morning means money/Steam cards, it wouldn't be unfeasible to assume thousands tried to access the client and webpage. Millions? Dunno about that, but it's definitely a higher number.
 

Mr_Zombie

Member
That's not how cached pages work. If you didn't access the pages a few hours prior to the issue (the two pages of identifiable personal info were already cached and would be revealed when the issue began) or during the issue, there is no way for your personal data to have been at risk, let alone shown to another user. Assuming 2 hours for both, or even more, I doubt that reaches a million people; however, there is no info to go on regardless.

Considering that Steam has about 125 mln active users (at most there were ~9 mln users active at the same time), that it was holiday season and there's a winter sale going on - so it's a time when lots of people buy games and eventually reach a page that displays their billing info - how is it not possible that it could reach a million people?
 

JaseC

gave away the keys to the kingdom.
Considering that Steam has about 125 mln active users (at most there were ~9 mln users active at the same time), that it was holiday season and there's a winter sale going on - so it's a time when lots of people buy games and eventually reach a page that displays their billing info - how is it not possible that it could reach a million people?

That's the result of Valve playing with the truth a bit:

Valve changed the definition. An active account is now any account that owns a game or has been online in the past 90 days, rather than any account that owns a game and has been online in the past month. I lost access to my original account almost a decade ago but it's now considered "active", which is ridiculous.

I assume the change is to account for those who just play F2P games, but what Valve should have done is dropped the game ownership element entirely and just bumped up the online activity half to 90 days.
 
Where is the proof that this is "millions of people's" information? Valve haven't even talked about quantities yet, and even attempting to make estimations is difficult considering the time span and affected pages. How is this determined?

Where's the proof it isn't?

It's Christmas Day, the peak for redeeming Steam vouchers, so an estimate of 1 million is not unreasonable. More to the point, if it was a single user's details the response would be pathetic and unacceptable. This is not Steam 1.0, this is Steam the company worth 100s of millions that can't be arsed with customer service.
 