
Steam security issue revealed personal info to other users on XMas Day (fixed)

DeaviL

Banned
Sep 11, 2013
3,189
0
0
Belgium
i love how corporate apologists are still peddling their shit even in this situation

I'm sorry for not trying to stoke the fires.
For not claiming you can see full CC info (You can't)
For not claiming you can see phone numbers (You can't)
For not claiming you can get everyone's password (You can't)

You can however
- See e-mail addresses
- Purchase with steam credit
- Purchase with any one click purchase method (if you have to give any extra info, it's a no go)

And that's only if you don't switch to a new account by clicking any button.
 

dity

Member
Jul 13, 2015
8,831
0
0
Because I was sent an email regarding it.

Hello 19 & 21
A phone number (ending in 0000) has been removed from your account.
If you did not do this, your account may have been compromised. Please change your password immediately, or contact Steam Support.

Well damn.

I've received no emails at all, but I was also completely offline when this whole debacle started. Hopefully that means I'm safe.
 

ramoisdead

Member
Feb 21, 2013
21,918
0
450
Do you hear that? It is the noise of stomping feet from folks buying a Wii U the day after Christmas since it's the only gaming platform that has never received something this fucked up.
 

Feichaw

Member
Mar 25, 2013
788
0
0
How the hell is Steam still up?! Holy shit, this is big!

I've never used my CC on Steam (only used PayPal and BoaCompra, a Brazilian website similar to PayPal), so I don't think I have CC info stored on it, but I'm still upset about this.

What the hell are you doing, Steam?????
 

gofreak

GAF's Bob Woodward
Jun 8, 2004
43,345
2
1,645
What? How?

Yeah I'm curious about that too.

Unless it's an implicit threat about liability to you if you accidentally unlink SOMEONE ELSE'S paypal/cc info.

Which Valve can fuck right off with - it's entirely its fault if someone accidentally did so in trying to remove their own info. Putting it on the users would be shameless.

Anyway, I can't log in now to the account page, get an error back.
 

DMTripper

Member
May 14, 2015
644
0
0
UK


I've just done this!!

Edit.. Though my PayPal account!
 

LurkerPrime

Member
Jan 6, 2014
18,003
1
0
ok so it's not a security intrusion type breach but a security lapse/data exposure breach? well then, that makes a lot of difference.

I have no proof of this or anything, but I refuse to believe that it happening today is a coincidence. Not even Valve is that magical.
Do you hear that? It is the noise of stomping feet from folks buying a Wii U the day after Christmas since it's the only gaming platform that has never received something this fucked up.

Xenoblade Chronicles X is pretty hype. It's the sort of thing that can make you forget Steam-related woes, for sure.
 

DrM

Redmond's Baby
Jun 6, 2004
13,856
0
0

Having such an amount of money in your wallet... and this is not the biggest number
 

Grief.exe

Member
Jul 11, 2012
43,857
0
0
Denver
backloggery.com
Even though you can't breach an account with just this information, it's a massive info dump of "puzzle pieces" for hacking groups, especially if people use the same password or weak passwords or their email address and Steam account.

Agreed, that's why I was pleading with people at the beginning of the thread not to post usernames.

I can't believe it was even an argument, the other side has no reason for violating someone's security and privacy like that.

Er... just a thought, but maybe the steam twitter has been hacked too and just saying that to prevent people from doing it? :X

Not associated with Valve in any way.
 

Fhtagn

Member
Jan 27, 2014
3,062
0
365
ageoffire.tumblr.com
What? How?

If it's a cache problem, it's loading info into a cache and then that cache is being shown to the wrong end user.

So if you haven't logged in recently, it's likely you aren't in the cache. Logging in to change stuff introduces your account to the cache... making it be in the available pool of accounts that are exposed.
 

TronLight

Everybody is Mikkelsexual
Oct 2, 2011
3,318
0
775
.......how does that work.

I'm going to go out on a limb, trying to update your account in any way just updates the cache and puts you on top of some kind of stack where they're stashing things. Being on top means that you're the next to be picked if somebody tries to look at a profile page.
 

DiscoShark

Banned
Jan 14, 2010
2,877
172
840
Charlotte, NC
Jesus I was looking at some random dude's account minutes before it was taken down. What an absolutely massive fuckup. I am so so sooo sooooooo glad that I never saved any of my credit card information, learned my lesson quick after the PSN debacle years back. Nothing in my inventory was touched and whatever I had in my wallet seems fine as well.

Christ.
 
Aug 24, 2009
8,988
0
0
.......how does that work.

If you are doing it from the steam facing side, unlinking via steam means private security credentials are probably exchanged in that request. If you initiate it, those security credentials could be sniffed by less upstanding internet folk.
 

GuardianE

Santa May Claus
Aug 23, 2005
24,587
0
1,260
I kind of find SteamDB's tweets a little suspect. It's hard to believe this is some caching issue.
 
D

Deleted member 80556

Unconfirmed Member
Valve will never be defined as communicative.

Wasn't this one of the reasons the demand against Sony was successful? Because they didn't communicate it in a timely manner? Although that was after days, not minutes like this is happening. We might get a release soon after they finish their investigation.
 

oroboros

Member
Feb 19, 2009
342
0
730
Arizona
I just unlinked my Paypal from Valve Inc on the Paypal website, probably a good idea for anyone who had that setup. I guess it's lucky the credit card I have connected to my Steam is already maxed out haha.
 

benny_a

extra source of jiggaflops
Apr 25, 2009
17,350
1
0
Wonder if changing PayPal password would be a bad idea?
No, changing your passwords is never a bad idea unless you deliberately go for a weaker one.
If you do it, do it on PayPal.com

Sounds like hackers broke into @SteamDB, LoL

"No really guys, deleting your info makes it worse! Don't delete!"
The idea is that if this is a caching issue then doing any account action means you also get cached and are in the pool of accounts that get erroneously served up.
 

Jeramii

Banned
Oct 15, 2009
2,198
0
0
SLC, UT
dude. what the fuck.

I just ran into this issue, I visited Steampowered.com and I was able to view way more account information for a random user than anyone should be able to view. :O

Every time I refreshed the page it loaded a different person's profile.
 

stan423321

Member
Jul 24, 2014
4,817
0
0
Yeah I'm curious about that too.

Unless it's an implicit threat about liability to you if you accidentally unlink SOMEONE ELSE'S paypal/cc info.

Which Valve can fuck right off with - it's entirely its fault if someone accidentally did so in trying to remove their own info. Putting it on the users would be shameless.

Anyway, I can't log in now to the account page, get an error back.

If you don't do anything on the store, your info won't get cached. If your info won't get cached, your info won't get exposed.
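
The caching failure that several posts in this thread hypothesise, as an added example that is not part of the thread and is not Valve's code: a shared cache keyed on the URL alone hands the first visitor's account page to the next visitor, and only accounts that actually loaded a page end up in it. The account data, session names and class names are constructed for illustration.

```python
# Added illustration; the cache, handlers and account data are constructed.
from dataclasses import dataclass, field

ACCOUNTS = {  # constructed sample data
    "sess-alice": {"email": "alice@example.test", "wallet": "12.50"},
    "sess-bob": {"email": "bob@example.test", "wallet": "3.00"},
}

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

def origin(path, session):
    """Origin server: renders a per-user page from the session cookie."""
    acct = ACCOUNTS[session]
    return Response(f"{path}: {acct['email']} wallet={acct['wallet']}")

def origin_hardened(path, session):
    """Same page, but marked as not storable by shared caches."""
    resp = origin(path, session)
    resp.headers["Cache-Control"] = "private, no-store"
    return resp

class SharedCache:
    """Edge cache in front of the origin, keyed on the URL path only."""
    def __init__(self, backend, respect_cache_control):
        self.backend = backend
        self.respect = respect_cache_control
        self.store = {}

    def get(self, path, session):
        if path in self.store:          # the session cookie is not part of the key
            return self.store[path].body
        resp = self.backend(path, session)
        cc = resp.headers.get("Cache-Control", "")
        uncacheable = "private" in cc or "no-store" in cc
        if not (self.respect and uncacheable):
            self.store[path] = resp     # personalised page stored for everyone
        return resp.body

def demo(cache):
    """Alice loads her account page first, then Bob requests the same URL."""
    first = cache.get("/account", "sess-alice")
    second = cache.get("/account", "sess-bob")
    return first, second
```

The fix needs both halves: the origin must mark personalised responses as private, and the cache must honour that marking.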
 

MilkBeard

Member
Jun 20, 2013
9,220
2
0
This is why I don't store my credit card info in any service. Not PSN, not Live, not Steam. Even stupid things like "my baby brother just purchased a lot of games on PSN by mashing X, I'm pissed!" I've seen.

I'm sure that info can still be hacked otherwise, but it doesn't hurt to be a little cautious about stuff like this.

And if it's displaying the info because you purchased something on the site, then it's time to just wait it out, I guess...