
Steam security issue revealed personal info to other users on XMas Day (fixed)

Ourobolus

Banned
Feb 27, 2008
18,518
14
1,200
Ok, ok, I think it might have been a false alarm on my end, my bank had the purchases I made a few days ago somehow attributed to today for some reason. Won't know til tomorrow for sure though.
 

JeTmAn81

Member
Jul 3, 2008
9,925
164
1,210
BTW, all this is software issues and can be fixed remotely so nobody has to be in the office for this issue.
 

Skux

Member
Aug 28, 2014
9,904
8
430
STEAMDB IS NOT RELATED TO VALVE!

They are not Steam tech or customer support. They are a third party site. Please understand this guys.
 

Kvik

Member
Apr 18, 2013
2,096
0
0
I imagine from their end they will have to flush the cache(s) and invalidate all OAuth tokens.
 
Feb 24, 2008
9,648
1
920

I suspect doing any action will refresh your account as "page used in the last minutes" so it will stay in their cache system, which seems to be what's really broken: the cache of pages that serves to boost the site. So when someone visits the account details, Steam serves the wrong cache link, taken from the cache available.

If you don't visit Steam, yours will have less chance to be in that cache pool.


My speculation.
 

dity

Member
Jul 13, 2015
8,831
0
0
Steam should hire me for Steam Support because I'd have driven in to work by now and just pulled the ethernet cables.
 

megalowho

Member
Jan 3, 2009
6,126
0
1,005
Anyone else get incorrect password errors? Trying on mobile. Was getting them before it was "down," if it is now. Kind of freaking out.
 

Nzyme32

Member
May 23, 2013
18,286
1
0
Not sure if anyone remembers but this has happened before during one of the sales (the year that had the upside-down page setup of a different season)

Back then you could also access other people's profiles via a variety of buttons that should have led to your own pages - basket, wishlist, account, profile. You could see stuff but not go any further.
 

TheTux

Member
Oct 19, 2013
1,607
0
490
Some people say it's a caching issue, but what's the point in caching the transaction list from a server point of view? Every user has got its unique page and I doubt it is a page with heavy traffic.

Does that mean that if I haven't visited that page in a while my account details will be safe?
 

Cyrano

Member
Dec 20, 2010
5,431
6
800
No. You're effectively logged into their account.
Not actually sure this is the case. What seems more likely, since people are still getting functioning security verification emails, is that whatever is causing this is changing the overlay to display as though it were another account, but in actuality you may still be looking at your account.

Not sure of course, but the behavior seems strange otherwise.
 

Kouriozan

Member
Mar 22, 2012
28,515
1
445
France

Having such an amount of money in your wallet... and this is not the biggest number

Merry Christmas!
/s
 

Valkrai

Member
Sep 30, 2013
3,298
0
0
I should be ok if I didn't have paypal info saved automatically for purchases right? Signed in every time I bought previously and changed my PP password.
 

TimFL

Member
Nov 3, 2013
2,053
502
685
Germany
Can you guys change your email or password in the Steam client? I just opened the settings menu for the fun of it and the buttons are disabled.

Valve slowly locking down certain features?
 

2Crisis

Member
Dec 4, 2009
1,443
0
0
I'm going to go out on a limb, trying to update your account in any way just updates the cache and puts you on top of some kind of stack in where they're stashing things. Being on top means that you're the next to be picked if somebody tries to look at a profile page.

Yeah, the tweet isn't very clear but I think they mean not to do this from STEAM side, blocking valve from the paypal site itself should be fine.
 

Doc Holliday

SPOILER: Columbus finds America
Jun 12, 2004
11,947
0
0
Wow, I can see someone else's account. I can't even change my email or credit card info because I can't see my own account.

Craziest security breach I've ever seen, wow. I just checked all my credit cards and am changing my passwords. Such bullshit.
 

trh

Nifty AND saffron-colored!
May 23, 2006
1,780
0
0

Having such an amount of money in your wallet... and this is not the biggest number

I got into an account that had purchased literally several thousands of Euros worth of games as gifts.


This is bumming me the fuck out. Come on, Valve.
 

Fireblend

Banned
Jul 22, 2006
20,645
1
0
Again, what SteamDB was saying is don't login to Steam because then the pages you visit will enter the cache rotation, which is where those breaches are coming from.
 

duckroll

Member
Jun 7, 2004
114,734
4
0
39
Just checked on the Steam mobile app. Now going to Account Details throws an error message back. Looks like they shut it down. Still, completely unacceptable response time.
 

Brashnir

Member
Dec 31, 2005
17,646
0
0
They don't have a "shut it down" button?

As a person who works on a large enterprise network, it's highly unlikely that they have a single button capable of shutting things down. A large-scale commercial venture like this would likely have multiple redundancies and failovers in place to prevent a single-site issue from taking down the entire thing.

If this truly is a software issue somewhere, the engineers would need the back-end systems to continue running in order to troubleshoot and correct the issue, so the answer would likely be to shut down routes in the front-end DMZ routers and/or firewalls to prevent access from the outside. And then hopefully they have some way to VPN in outside of these front-end network components, or a bunch of software guys are going to have to head on-site to fix this.
 
Feb 3, 2014
594
1
280
I had to log in to paypal when I wanted to buy something. Should be fine I think.

Shouldn't have procrastinated on getting the stuff I wanted though.
 

kAmui-

Member
Oct 20, 2012
1,650
0
0
Finland
Not sure if anyone remembers but this has happened before during one of the sales (the year that had the upside-down page setup of a different season)

Back then you could also access other people's profiles via a variety of buttons that should have led to your own pages - basket, wishlist, account, profile. You could see stuff but not go any further.

Something like this definitely happened at some point. I remember seeing other people's wishlists.
 

Smash88

Banned
Dec 6, 2008
5,867
0
0
Canada
They finally shut it down!

FUCKING CHRIST VALVE, MY EMAIL IS NOW IN THE WILD AND ANY FUCK CAN SEE IT AND POTENTIALLY COMPROMISE ME.
 

Adnor

Banned
Feb 22, 2011
3,924
0
535
I didn't get any confirmation e-mail for anything in Steam, does that mean that no one bought anything with my account? Can't check the bank account ATM.
 

Xamtheking

Member
Mar 26, 2014
7,840
1
0
As a person who works on a large enterprise network, it's highly unlikely that they have a single button capable of shutting things down. A large-scale commercial venture like this would likely have multiple redundancies and failovers in place to prevent a single-site issue from taking down the entire thing.

If this truly is a software issue somewhere, the engineers would need the back-end systems to continue running in order to troubleshoot and correct the issue, so the answer would likely be to shut down routes in the front-end DMZ routers and/or firewalls to prevent access from the outside. And then hopefully they have some way to VPN in outside of these front-end network components, or a bunch of software guys are going to have to head on-site to fix this.
Quoting for reality
 

Bumpers

Member
Sep 4, 2012
269
0
380
United Kingdom
If it's truly just a caching error, then doing those actions may just expose your account pages to the pool of what's being shared if it already isn't there.

If it's a caching issue, that means the page that you were trying to get (your account) gets shown to another person. If you don't try to login to remove your payment info, it won't be shown.

My speculation.
Surely it's better to have my page re-cached with no details than wait for it to be cached with my remaining details still on there?

It seems to be down now, but I've already had a Steam guard sign in attempt from 15 minutes ago.
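
The caching failure several posters speculate about above, as an added simulation that is not part of the thread and does not represent Valve's actual infrastructure: a shared cache keyed on the URL alone hands one user's personalised page to the next visitor unless the origin marks the page private and the cache honours that. All names here (`origin`, `SharedCache`, the three users) are constructed for illustration.

```python
# Constructed simulation: a shared page cache in front of an origin that
# renders /account differently for every logged-in user.
from dataclasses import dataclass

@dataclass
class Response:
    body: str
    cache_control: str  # value of the Cache-Control response header

def origin(path, session_user, mark_private):
    """Hypothetical origin: /account is personalised from the session."""
    body = f"Account details for {session_user}" if path == "/account" else "Store front"
    private = mark_private and path == "/account"
    return Response(body, "private, no-store" if private else "public, max-age=60")

class SharedCache:
    """Edge cache whose key is the URL path only (no session in the key)."""
    def __init__(self, honor_cache_control):
        self.honor = honor_cache_control
        self.store = {}

    def get(self, path, session_user, mark_private=False):
        if path in self.store:            # hit: whoever rendered it first wins
            return self.store[path]
        resp = origin(path, session_user, mark_private)
        directives = {d.strip() for d in resp.cache_control.split(",")}
        # A correct shared cache must not store private/no-store responses.
        cacheable = not (self.honor and directives & {"private", "no-store"})
        if cacheable:
            self.store[path] = resp
        return resp

def simulate(honor_cache_control, mark_private):
    """Three users request their own account page through one shared cache."""
    cache = SharedCache(honor_cache_control)
    return {user: cache.get("/account", user, mark_private).body
            for user in ("alice", "bob", "carol")}  # constructed users

def leaked(seen):
    """Users who were served a page rendered for someone else."""
    return sorted(u for u, body in seen.items() if not body.endswith(u))

if __name__ == "__main__":
    for honor in (False, True):
        for private in (False, True):
            print(f"cache honours header={honor}, origin marks private={private}:",
                  leaked(simulate(honor, private)) or "no leak")
```

Only the combination where the origin sends `private, no-store` and the cache respects it produces no leak; either side failing alone is enough to expose the first visitor's page to everyone after them.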