
Steam security issue revealed personal info to other users on XMas Day (fixed)

akira28

Member
Aug 31, 2010
43,231
0
715
ahhh it's those people who DDoS the game networks apparently. how strange. waste of electricity.
 
Oct 2, 2007
2,079
0
0
UK
I tried logging in a few mins ago, and now Steam's pumping me out a few Steam Guard emails (with code) per minute. Very nice. Smooth as silk this shit is.
 

stryke

Member
Oct 1, 2011
10,922
1
760
Well this is fucking great. And I'm about to go on a road trip as well, I won't have time (or the reception) to keep an eye on this.
 

TheSpoiler

Member
May 2, 2011
19,504
0
865
So the things that CAN happen are:

People buying things with your Steam credit
Changing your emails to something else
Looking at whatever information is saved to your card, including your phone number and address

What else?
 

Qassim

Member
Jul 6, 2012
6,854
2
590
United Kingdom
qassim.uk
So, if I haven't touched Steam today at all, I should probably keep it that way?

Yes, it appears to be a session caching issue. Given I keep seeing people posting a few usernames (which I have also seen), it may be limited to a relatively small amount of people (or something else is going on), it's best to not try and log in - to avoid having your saved session being brought up into memory. (All speculation, of course).
 

chrominance

Member
May 24, 2013
9,369
2
0
From what I can tell, here's the information that could be compromised:

last 2 digits of your credit card
Paypal email address
amount in your Steam wallet
last four digits of your phone number
account email address
 

Lautaro

Member
Aug 8, 2013
3,796
2
0
Ok, maybe I won't get my card used but I guess I can say bye bye to the sales of my game that I expected during this Christmas... fuck this is the worst year to become an indie dev.
 

Vibranium

Banned
Feb 20, 2013
5,926
0
0
People are going to be demanding compensation from Valve after this, that much is certain.

Free TF2 hats for everyone?
 

ss_lemonade

Member
Feb 23, 2010
4,313
45
925
Seattle, WA
Is there any point to logging out if entire pages are cached on a server and being randomly served to people? I mean, it looks like you don't even have to be logged in to view the account pages
 

TronLight

Everybody is Mikkelsexual
Oct 2, 2011
3,317
0
775
DUDE thank fucking god Steam decided to crash just the moment before I decided to add my CC details this evening! Jesus.

What the hell.
 

gofreak

GAF's Bob Woodward
Jun 8, 2004
43,345
2
1,645
Security breach or not, personal info exposed like this, in particular email addresses, is a VERY serious matter.

That makes it a breach. Doesn't matter whether the vector was a deliberate hack or an inadvertent delivery of data via 'normal' browsing - the leak of personal info is a security breach.

Perhaps they mean to say it's not a deliberate/explicit hack. But that reflects even more poorly on the system if it was a system mess-up.
 

Kezen

Banned
Jul 28, 2014
8,919
0
375
France
I don't have any payment information saved on my account but I'm feeling very uncomfortable about the fact that someone could very well be accessing my account as I'm writing this.

This really should not happen when you have billions in the bank.
 

Tainted

Member
Jun 20, 2014
2,254
0
315
I can't even log in to Steam at the moment, every time I try to... I get a Steam Guard code verification email

Damn, I've never seen something like this before
 

Fitts

Member
Aug 22, 2014
7,257
1
365
So if someone else purchases something with the funds in my Steam wallet it will just be added to my library, yes? I'm sure they'll be inundated with refund requests due to fraudulent activity, but at least there seems to be a level of recourse.
 

dity

Member
Jul 13, 2015
8,831
0
0
I'd trust these guys, so if you're having fun looking up random profiles, maybe don't


I only clicked one link for the account details to see if something did show up without being logged in at all, but other than that I'm just going to completely avoid Steam until this clears up.
 
Aug 24, 2009
8,988
0
0
Not buying it. Cache-control headers would not give you the authorization to go to other pages in the account. Once you get someone's account page you can go anywhere and (I suppose) change anything. That's not caching and even if it is, it's a colossal security fuck up.


It is possible. If it was caching as they say, it could be that they have proxy servers sitting in between the main Steam server and users. Alternatively, whatever application container that forms the basis of the Steam back-end is possibly being proxied over a different port through Apache, and Apache is caching content from the application container/server.
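
Added example, not part of the thread or any participant's post and not Valve's code or configuration: a small simulation of the setup described in the post above, a shared cache sitting between users and the application, showing how keying on the URL alone hands one user's account page to the next requester (logged in or not), next to a cache that honours `Cache-Control` and refuses to store responses to credentialed requests. The origin, session ids, e-mail addresses and class names are all constructed for illustration.

```python
# Constructed simulation: a shared cache in front of an app that renders
# per-user pages. All names and data here are hypothetical.

SESSIONS = {"sess-alice": "alice@example.com", "sess-bob": "bob@example.com"}

def origin(path, cookie):
    """Application server: renders /account for whoever owns the session."""
    if path == "/account":
        email = SESSIONS.get(cookie)
        private = {"Cache-Control": "private, no-store"}
        if email:
            return {"headers": private, "body": f"Account: {email}"}
        return {"headers": private, "body": "Please log in"}
    return {"headers": {"Cache-Control": "public, max-age=60"},
            "body": "Store front page"}

class NaiveCache:
    """Misconfigured proxy: keys on path only, ignores cookies and headers."""
    def __init__(self, backend):
        self.backend, self.store = backend, {}

    def get(self, path, cookie=None):
        if path not in self.store:
            self.store[path] = self.backend(path, cookie)
        return self.store[path]["body"]

class SafeCache(NaiveCache):
    """Stores a response only when it is explicitly public and the request
    carried no credentials; everything else is fetched from the origin."""
    def get(self, path, cookie=None):
        if path in self.store:
            return self.store[path]["body"]
        resp = self.backend(path, cookie)
        directives = {d.strip().split("=")[0] for d in
                      resp["headers"].get("Cache-Control", "").split(",")}
        cacheable = "public" in directives and \
            not directives & {"private", "no-store"}
        if cookie is None and cacheable:
            self.store[path] = resp
        return resp["body"]

def demo(cache_cls):
    """Alice loads her account page, then Bob and an anonymous user do."""
    cache = cache_cls(origin)
    cache.get("/account", "sess-alice")
    return cache.get("/account", "sess-bob"), cache.get("/account", None)
```

With `NaiveCache`, no session is ever shared: the proxy simply replays the first rendered page for that URL, which is consistent with account pages appearing even to users who were not logged in.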