Steam security issue revealed personal info to other users on XMas Day (fixed)

Tenebrous

What we know so far

  • Most likely an error in the way Steam caches pages.
  • People are able to access random Steam profiles and see compromising information, account names, emails, last 2 digits of credit card, paypal email address, purchases, etc.
  • No changes can be made to the affected account, no purchases can be made. Any evidence to the contrary is, as of yet, unsubstantiated.
  • It's been advised to not access Steam URLs, including the client, until we have more information.
  • Do not post account names you see, huge security risk.





I'll update this post with more information going forward.

But who forced the page caching error? The timing surely can't be a coincidence...
 

Delusibeta

Since this is a caching error, shutting the servers down won't do anything, unless they managed to shut down the caching servers as well, and I wouldn't be too surprised if Valve's outsourced those.
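
As an added illustration (not part of any post in this thread, and not Valve's code): a toy shared cache showing how a URL-keyed cache can hand one user's page to another, and keep doing so with the origin offline, which is the point made in the post above. The class names, the `/account` path and the header policy are assumptions made for the example.

```python
# Added illustration; the cache, origin and header policy are constructed, not Valve's systems.

class Origin:
    """Renders a per-user account page; can be taken offline."""
    def __init__(self, mark_private):
        self.mark_private = mark_private
        self.online = True

    def get(self, path, session_user):
        if not self.online:
            raise ConnectionError("origin offline")
        headers = {"Cache-Control": "private, no-store" if self.mark_private
                   else "public, max-age=300"}
        return headers, f"account page for {session_user}"


class SharedCache:
    """Edge cache keyed on the URL path only (hypothetical configuration)."""
    def __init__(self, origin, honor_cache_control):
        self.origin = origin
        self.honor = honor_cache_control
        self.store = {}

    def get(self, path, session_user):
        if path in self.store:
            return self.store[path]  # hit: the session is never consulted
        headers, body = self.origin.get(path, session_user)
        directives = {d.strip() for d in headers["Cache-Control"].split(",")}
        cacheable = not (directives & {"private", "no-store"})
        if cacheable or not self.honor:
            self.store[path] = body  # personalised page stored under a shared key
        return body


def simulate(mark_private, honor_cache_control, origin_down_after_first=False):
    """alice loads /account, then bob does; return what bob receives."""
    origin = Origin(mark_private)
    cache = SharedCache(origin, honor_cache_control)
    cache.get("/account", "alice")
    if origin_down_after_first:
        origin.online = False
    try:
        return cache.get("/account", "bob")
    except ConnectionError as exc:
        return f"error: {exc}"
```

Only the combination of an origin that marks personalised pages private and a cache that honours the directive returns bob's own page; in the leaky configurations the stored copy is still served after the origin is switched off.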
 

finalflame

Steam's oncall engineers must be having a BLAST right now. I can't properly access my account; just get random people's account and an error when trying to logout on web browser.

 

Prosopon

What we know so far

  • Most likely an error in the way Steam caches pages.
  • People are able to access random Steam profiles and see compromising information, account names, emails, last 2 digits of credit card, paypal email address, purchases, etc.
  • No changes can be made to the affected account, no purchases can be made. Any evidence to the contrary is, as of yet, unsubstantiated.
  • It's been advised to not access Steam URLs, including the client, until we have more information.
  • Do not post account names you see, huge security risk.







I'll update this post with more information going forward.

I think they just shut down the ability to access account information.
 

Tunesmith

From what I can tell, here's the information that could be compromised:

last 2 digits of your credit card
Paypal email address
amount in your Steam wallet
last four digits of your phone number
account email address

+ your country of residence.

Social engineering opportunities galore with this information.
 

Skux

What we know so far

  • Most likely an error in the way Steam caches pages.
  • People are able to access random Steam profiles and see compromising information, account names, emails, last 2 digits of credit card, paypal email address, purchases, etc.
  • No changes can be made to the affected account, no purchases can be made. Any evidence to the contrary is, as of yet, unsubstantiated.
  • It's been advised to not access Steam URLs, including the client, until we have more information.
  • Do not post account names you see, huge security risk.





I'll update this post with more information going forward.

Even though you can't breach an account with just this information, it's a massive info dump of "puzzle pieces" for hacking groups, especially if people use the same password or weak passwords for their email address and Steam account.
 

akira28

ok so it's not a security intrusion type breach but a security lapse/data exposure breach? well then, that makes a lot of difference.
 

Zomba13

In most cases I guess an hour response time isn't too bad in the grand scheme of things BUT when it's a 24/7 world wide online store front/games platform that has millions of users connected at all times you might want people keeping up to date on what's going on 24/7 so they can pull the plug as soon as they get confirmation something fucky is going on.
 

Horse Armour

This is easily the worst response to a hack I've ever seen by any company. They've known for at least an hour now that people's account information can be accessed and they still haven't made the most basic and necessary move which would stop the issue dead in its tracks which is shutting down all the servers. This easily beats the PSN hack in magnitude and I hope that they're similarly raked over the coals like Sony were back then. Let's hope this event finally makes the top guys realise that the do what you want, no accountability, no responsibility, joke of a corporate structure they have over there isn't working.
 

Alucrid

What we know so far

  • Most likely an error in the way Steam caches pages.
  • People are able to access random Steam profiles and see compromising information, account names, emails, last 2 digits of credit card, paypal email address, purchases, etc.
  • No changes can be made to the affected account, no purchases can be made. Any evidence to the contrary is, as of yet, unsubstantiated.
  • It's been advised to not access Steam URLs, including the client, until we have more information.
  • Do not post account names you see, huge security risk.







I'll update this post with more information going forward.

feel free to add this too

 

DMTripper

So has anyone confirmed you can make purchases with existing store credit? Then maybe send that purchase to another account?

I've disabled paypal to my steam account but still have store credit...

Has anything like this happened before??

Shit is funked up.
 

Guess Who

If they're running an online service like this, then someone is policing it.

I'm not so sure about this given the everyone-does-what-they-want, no-formal-hierarchy, sorry-we-can't-provide-acceptable-customer-service-because-our-company-structure-or-lack-thereof-means-nobody-gives-enough-of-a-shit-to-do-it-and-we-can't-just-make-people-do-it nature of Valve.
 

Grief.exe

But who forced the page caching error? The timing surely can't be a coincidence...

It's definitely possible that this was a legitimate hacking attempt.

Steam sales are mainly automated so there may be a skeleton crew, or no one at all, at Valve headquarters currently.

Not to mention the complete radio silence on Twitter. This is FUCKED.

Valve will never be defined as communicative.