
Steam security issue revealed personal info to other users on XMas Day (fixed)

cyba89

Member
Feb 22, 2015
4,875
3
0
I can totally see Valve trying to ride this out without informing customers. Which is super scummy and probably also illegal.

Valve definitely lost the last bit of respect I still had left for this company.
 
Aug 13, 2015
1,016
0
250
I think they will ride this out with no mention of the incident again.

It seems like the fiasco had died down in various parts of the Internet.

That seems to be the best PR strategy of many companies right now: ignore the issue and it goes away. If they are actually getting rid of information about this incident on forums, I do think that it is a part of the radio silence strategy. Every time there is a graphics downgrade or microtransactions Ubisoft just sits tight and it always goes away. Same with Riot Games: every time they fuck up they just sit tight and it dies out. There is little communities can do to enforce anything. The only difference now is that there are laws, especially in EU, that Valve should obey.

Edit: If steamguard is experiencing issues right now, then this isn't just a caching issue that was resolved within hours.
 

catapult37

Member
May 25, 2009
1,792
0
0
That's not how cached pages work. If you didn't access the pages a few hours prior to the issue (the two pages of identifiable personal info were already cached and would be revealed when the issue begins) or during the issue, there is no way for your personal data to have been at risk, let alone shown to another user. Assuming 2 hours for both or even more, I doubt that reaches a million people, however there is no info to go on regardless



Yeah I agree, if you're stating the potential there isn't anything wrong, but it isn't a factual statement yet

See, that would have been great to great from Valve.
 

Saintruski

Unconfirmed Member
Nov 11, 2014
556
0
0
So where are the locked threads? Link them.


They are not locked, they are totally gone, deleted.


I cropped it for size purposes, it's a large image, but it has a URL that no longer exists for your proof of pudding. I found one of the screens I took of the forum mods downplaying and playing damage control of the significance of the issue. He gave a knee-jerk reaction when I said how important an email was these days by posting that, like seriously, no, don't just give it to everyone and anyone LIKE YOU DID VALVE. Especially when it's linked to everything you use, the things you hold dearest, and a lot of people these days use passwords across the same sites even though that's stupid of them and that is their fault.

Social engineering, drive-by malware and phishing is a serious problem

 

Dunkley

Member
Jun 17, 2014
5,335
0
0
I think they will ride this out with no mention of the incident again.

It seems like the fiasco had died down in various parts of the Internet.

Which is why it's so important that we keep bringing this to attention.

We can't be just left by ourselves on figuring out what happened and how many were affected, and Valve can't keep silencing anyone who tries to inform the potentially affected but also not say anything on the matter themselves.
 

Ludens

Banned
Feb 5, 2014
6,900
0
0
Which is why it's so important that we keep bringing this to attention.

We can't be just left by ourselves on figuring out what happened and how many were affected, and Valve can't keep silencing anyone who tries to inform the potentially affected but also not say anything on the matter themselves.

Even because if we do it, it will create a precedent. So if something like this will happen again in the future, more corporations will think "hey, maybe if Valve did it, I can get away with this".

Never give up on your rights, never. Because what happened here is a clear violation of customers' rights.
 

Nzyme32

Member
May 23, 2013
18,286
1
0
Where's the proof it isn't?

It's Christmas day the peak for redeeming Steam vouchers so an estimate of 1 million is not unreasonable. More to the point if it was a single users details the response would be pathetic and unacceptable. This is not Steam 1.0 this is Steam the company worth 100s of millions that can't be arsed with customer service.

This is exactly my point - there is none, hence why I ask the question.

Using a bit of logic I took an uneducated guess earlier of an upper bound at around a million. Purely based on Steamspy saying there are 33 million new owners from the summer sale, which ends up around 10hrs per million. If you lazily take that and assume similar checkout page and account page views, you'd get that in 5hrs, same time frame of the vulnerability from precached info prior to the issue and during - again total guess work with massive errors but at least some logic.

Multiple millions is unlikely but not proven either. There are no official numbers, only estimates, which is my point.
 

Nzyme32

Member
May 23, 2013
18,286
1
0
They are not locked, they are totally gone, deleted.


I cropped it for size purposes, it's a large image, but it has a URL that no longer exists for your proof of pudding. I found one of the screens I took of the forum mods downplaying and playing damage control of the significance of the issue. He gave a knee-jerk reaction when I said how important an email was these days by posting that, like seriously, no, don't just give it to everyone and anyone LIKE YOU DID VALVE. Especially when it's linked to everything you use, the things you hold dearest, and a lot of people these days use passwords across the same sites even though that's stupid of them and that is their fault.

Social engineering, drive-by malware and phishing is a serious problem


Okay, pardon me for not believing but there should be a massive reaction to this if it is the case.

- can only you see these now deleted threads?
- show the content of what you actually posted?
- can you do the same with the other 4 threads you made that you say were sequentially deleted?

If you can post them fully you can probably get something done and make a big deal out of this. If the content of your posts (which you haven't shown) is actually ridiculous or offensive or something, perhaps I would understand the moderator's position, but I can't do that without the full context and the other 4 threads that are also deleted.

For what it is worth, that is a moderator, not Valve, and the moderators are not associated with Valve which is why the earliest info in this thread was disregarded when coming from their mods.
 

Beefy

Member
Nov 8, 2013
26,806
1
0
Least Steam had a good sale right?....

I was tempted to get Football Manager in the sale. But couldn't be fucked due to how this has been handled.
 

Saintruski

Unconfirmed Member
Nov 11, 2014
556
0
0
Okay, pardon me for not believing but there should be a massive reaction to this if it is the case.

- can only you see these now deleted threads?
- show the content of what you actually posted?
- can you do the same with the other 4 threads you made that you say were sequentially deleted?

If you can post them fully you can probably get something done and make a big deal out of this. If the content of your posts (which you haven't shown) is actually ridiculous or offensive or something, perhaps I would understand the moderator's position, but I can't do that without the full context and the other 4 threads that are also deleted.

For what it is worth, that is a moderator, not Valve, and the moderators are not associated with Valve which is why the earliest info in this thread was disregarded when coming from their mods.

I can't see them, they are gone. I took the screenshot the day I made the post because the MOD was being an absolute idiot. I really only have a screenshot of that one thread because that was the thread he was in and it grinded my gears. I'm sure if you search around in the community you can find confused and angry thread titles of "why were my threads deleted." I really wish I took more screenshots had I known it was going to turn into this (a total pruning of legit threads). I guess you can only take what I say at face value but it's some serious BS.
 

Nzyme32

Member
May 23, 2013
18,286
1
0
I can't see them. I took the screenshot the day I made the post because the MOD was being an absolute idiot. I really only have a screenshot of that one thread because that was the thread he was in and it grinded my gears. I'm sure if you search around in the community you can find confused and angry thread titles of "why were my threads deleted." I really wish I took more screenshots had I known it was going to turn into this (a total pruning of legit threads). I guess you can only take what I say at face value but it's some serious BS.

I gotta go to bed, I'll post more of that thread when I wake up though lol.

Well here is where I am sceptical, I have no idea of the content of your posts or if 4 other threads of yours ever existed.

More on point, there is plenty of discussion of the issues in the Steam forums, with many threads being merged into the stickied thread of some subforums or are just everywhere else - http://steamcommunity.com/discussions/forum/0/458604254431478327/#c458604254442048802

This isn't abnormal behaviour for the Steam forums, such as during the modding fiasco, but whether your posts were legitimately taken down or for good reason or not, I'll never know by the looks of it
 

Saintruski

Unconfirmed Member
Nov 11, 2014
556
0
0
Well here is where I am sceptical, I have no idea of the content of your posts or if 4 other threads of yours ever existed.

More on point, there is plenty of discussion of the issues in the Steam forums, with many threads being merged into the stickied thread of some subforums or are just everywhere else - http://steamcommunity.com/discussions/forum/0/458604254431478327/#c458604254442048802

This isn't abnormal behaviour for the Steam forums, such as during the modding fiasco, but whether your posts were legitimately taken down or for good reason or not, I'll never know by the looks of it

My threads had 80-90 percent nothing to do with that one, are you like valve PR lol. It was all about potential threats valve put you at risk to. how to avoid it, how to keep yourself safe and what to watch for. Pure security aspect and how to be safe. Straight for those worried. Worthy of its own thread. I don't think they like having what they put people at risk to put out there.
 

Nzyme32

Member
May 23, 2013
18,286
1
0
My threads had 80-90 percent nothing to do with that one, are you like valve PR lol.

No - why would I be when I am the one posting here and complaining (if you have actually seen my posts in this thread) clearly I am good PR to complain about them. That particular one is just what happens when you click a link that said merged thread. The main thread is where everything is going and is related to all the caching issues and complaints. I'm on mobile at the moment waiting for a train so forgive me for not highlighting all the correct posts.

But now you've got me curious - what was the name you put it under & the subforum? You can search deleted posts apparently, so I don't know how yours have disappeared completely
 

Lalalandia

Member
Oct 27, 2013
2,091
0
0
That's not how the burden of proof works. I can't drag you into court and make you prove you didn't steal my sandwich from the break room ..
That's how the criminal burden of proof works but data protection is the much lower civil standard and in the case of Data protection the burden is placed on the data holder to prove they have taken adequate measures. As there has been a clear breach they have to explain:
- What was compromised
- How many were compromised
- What steps have been taken to remedy the leak
- Notify every compromised user
- Offer services to protect users in the case of identity theft (think the credit monitoring Sony offered)
 

DeepEnigma

Gold Member
Dec 3, 2013
46,552
93,940
1,380
That's how the criminal burden of proof works but data protection is the much lower civil standard and in the case of Data protection the burden is placed on the data holder to prove they have taken adequate measures. As there has been a clear breach they have to explain:
- What was compromised
- How many were compromised
- What steps have been taken to remedy the leak
- Notify every compromised user
- Offer services to protect users in the case of identity theft (think the credit monitoring Sony offered)

Exactly.
 

Murkas

Member
Jan 17, 2011
3,224
2
0
Just to be clear, there is no way of knowing if my info was one of the ones accessed?

Fortunately, I don't have my payment information saved on anything after the Sony hack. Also think my profile is only accessible to friends.
 

marvelharvey

Member
Jun 23, 2004
6,299
2
1,480
Valve's lack of communication has made me:

-Contact the EU Data Commission about the security issue
-Remove my CC info from Steam
-Delete everything from my wishlist

Like other posters in this thread, I'm in the technology sector and customer communication about security problems is an absolute priority for me. Valve's handling of the situation has been shameful and I will no longer be making purchases on Steam.
 

Stumpokapow

listen to the mad man
May 21, 2006
17,232
4
0
I received a preliminary response from Steam that consisted of general information about the issue, comparable in detail and structure to the information provided to GameSpot / Kotaku. I replied informing them I did not feel this was an adequate response and restating my specific questions.
 

Beefy

Member
Nov 8, 2013
26,806
1
0
I received a preliminary response from Steam that consisted of general information about the issue, comparable in detail and structure to the information provided to GameSpot / Kotaku. I replied informing them I did not feel this was an adequate response and restating my specific questions.

So basically. They don't give a shit?
 

Jawmuncher

Member
Sep 2, 2010
61,693
17
790
Isla Nublar
I received a preliminary response from Steam that consisted of general information about the issue, comparable in detail and structure to the information provided to GameSpot / Kotaku. I replied informing them I did not feel this was an adequate response and restating my specific questions.

It's crazy how they feel just sweeping it under the rug is ok. More websites should be commenting on the matter of how they're handling. Not like they need to worry about being blacklisted by valve.
 

Ambitious

Member
Sep 4, 2011
5,581
0
0
Austria
Just to be clear, there is no way of knowing if my info was one of the ones accessed?

Fortunately, I don't have my payment information saved on anything after the Sony hack. Also think my profile is only accessible to friends.

Unfortunately, because of the nature of the issue, this is irrelevant. The data didn't come from their main servers, which check one's permissions first, but from a caching server which has no concept of authentication.

If you viewed your profile after the wrong configuration went live, your data was loaded by the caching server. Anyone who then visited their profile page (not yours!) might have been served your profile instead.
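
Added example, not part of the post above or of anything Valve published: a small Python simulation of the failure mode described, where a cache keyed only on the path sits in front of an origin that does check the session. The paths, session names, accounts and the `SharedCache` class are constructed for illustration; the `Cache-Control` directives are standard HTTP.

```python
from dataclasses import dataclass, field

# Constructed sample sessions; the names and addresses are placeholders.
ACCOUNTS = {
    "session-alice": {"user": "alice", "email": "alice@example.test"},
    "session-bob": {"user": "bob", "email": "bob@example.test"},
}


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def origin(path, session):
    """Stand-in for the main server: it checks the session before rendering."""
    if path != "/account":
        return Response(200, "Store front page", {"Cache-Control": "public, max-age=60"})
    account = ACCOUNTS.get(session)
    if account is None:
        return Response(401, "login required", {"Cache-Control": "no-store"})
    body = f"Account page for {account['user']} <{account['email']}>"
    return Response(200, body, {"Cache-Control": "private, no-store"})


class SharedCache:
    """Caching layer keyed on the path only: it has no idea who is asking."""

    def __init__(self, honour_cache_control):
        self.honour_cache_control = honour_cache_control
        self.store = {}

    def _may_store(self, response):
        if response.status != 200:
            return False
        if not self.honour_cache_control:
            return True  # the misconfiguration: every 200 response is cached
        raw = response.headers.get("Cache-Control", "")
        directives = {d.strip().split("=")[0].lower() for d in raw.split(",")}
        # A shared cache must not store private or no-store responses.
        return "public" in directives and not directives & {"private", "no-store"}

    def get(self, path, session):
        if path in self.store:
            return self.store[path]  # served without consulting the origin
        response = origin(path, session)
        if self._may_store(response):
            self.store[path] = response
        return response


def bob_sees_alice(cache):
    """Alice loads her account page first, then Bob requests his own."""
    cache.get("/account", "session-alice")
    return "alice" in cache.get("/account", "session-bob").body


if __name__ == "__main__":
    print("misconfigured cache leaks:", bob_sees_alice(SharedCache(False)))
    print("header-honouring cache leaks:", bob_sees_alice(SharedCache(True)))
```

The profile's privacy setting never enters into it: the origin's permission check only runs on a cache miss, so the fix has to live in what the cache is allowed to store.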
 

DeepEnigma

Gold Member
Dec 3, 2013
46,552
93,940
1,380
It's crazy how they feel just sweeping it under the rug is ok. More websites should be commenting on the matter of how they're handling. Not like they need to worry about being blacklisted by valve.

Why are the sites/blogs not reporting on this?

They were all over Sony like flies on shit (rightfully so) on the same day.

Hard to not wear a tin foil hat to 'western media bias', when these things happen, and have been happening the last decade or so with the big media players. "Let's just wait it out, and let Valve eventually, if ever, explain themselves."
 

Murkas

Member
Jan 17, 2011
3,224
2
0
Unfortunately, because of the nature of the issue, this is irrelevant. The data didn't come from their main servers, which check one's permissions first, but from a caching server which has no concept of authentication.

If you viewed your profile after the wrong configuration went live, your data was loaded by the caching server. Anyone who then visited their profile page (not yours!) might have been served your profile instead.

Fuck sake, I don't think I really ever view my profile. Also think I slept through the whole thing, so hopefully I'm all right.

Still extremely scummy that Valve are remaining silent. Guess HL3 and Gaben memes are more important to a large portion of Valve fans.
 

doctorcdcs

Member
May 17, 2011
3,844
1
600
I received a preliminary response from Steam that consisted of general information about the issue, comparable in detail and structure to the information provided to GameSpot / Kotaku. I replied informing them I did not feel this was an adequate response and restating my specific questions.

If they continue to give you unsatisfactory answers to your queries, or outright ignore you (not saying this will actually happen), have you thought about whether or not you will continue to buy games through steam?
 

Ludens

Banned
Feb 5, 2014
6,900
0
0
Why don't videogame journalists talk AT ALL about this issue?
Is Valve so "protected"?

It's a very crappy thing this fact is going under radio silence.
 

jelly

Member
Oct 14, 2013
16,620
1
0
Why don't videogame journalists talk AT ALL about this issue?
Is Valve so "protected"?

It's a very crappy thing this fact is going under radio silence.

Maybe they're still on holiday. We'll have to wait and see.
 

BiggNife

Member
Aug 15, 2007
9,512
3
1,180
Why don't videogame journalists talk AT ALL about this issue?
Is Valve so "protected"?

It's a very crappy thing this fact is going under radio silence.

Dozens of major gaming news sites like Kotaku, Polygon, IGN, etc. reported the security issue as it was happening. If you're trying to say that more journalists should be calling out Valve's minimal response to the issue, I suspect that's something we'll see more of in the coming days now that christmas vacation is over.
 

Stumpokapow

listen to the mad man
May 21, 2006
17,232
4
0
If they continue to give you unsatisfactory answers to your queries, or outright ignore you (not saying this will actually happen), have you thought about whether or not you will continue to buy games through steam?

I haven't put a lot of thought into it (would have to weigh the demonstrative / moral benefits of that kind of boycott versus what I'd be giving up and whether or not they'd be likely to get the message). As I mentioned earlier in response to bjork, reacting to a security breach by updating your belief about the likelihood of future security breaches is a little silly irrespective of who it is. That's just basic inference; you don't evaluate an airline's safety based on the date of its most recent crash, but rather based on its safety record. So I don't think people are likely to be hacked tomorrow. But I think what you're driving at is not the specific security risk but rather the indignity of Valve's inability to respond in a helpful way.

The number one thing I'm thinking reflecting on this is to start using fake addresses/names wherever I register online. Providing accurate information doesn't seem to benefit me in any way and providing inaccurate information keeps me safe in the event of a breach.
 

Ludens

Banned
Feb 5, 2014
6,900
0
0
Dozens of major gaming news sites like Kotaku, Polygon, IGN, etc. reported the security issue as it was happening. If you're trying to say that more journalists should be calling out Valve's minimal response to the issue, I suspect that's something we'll see more of in the coming days now that christmas vacation is over.

Yup, I was saying exactly this, questioning Valve until they won't provide a good answer.
 

Orin GA

I wish I could hat you to death
Jun 6, 2004
5,545
7
1,570
Wait a minute. You're into IT security for large companies and say stuff like phone number or last 4 digits of credit card is worthless?


Is it? That kind of stuff is printed on receipt/consumer copies. Any place I make a purchase with my card technically has that information. Before we all got security chips in our credit/debit cards I was more worried about my card being skimmed than people seeing the last 4 digits of my card.
 
Feb 8, 2010
2,927
0
0
The number one thing I'm thinking reflecting on this is to start using fake addresses/names wherever I register online. Providing accurate information doesn't seem to benefit me in any way and providing inaccurate information keeps me safe in the event of a breach.

This is exactly what I am thinking, along with a onepass kind of deal to go along with it.
 

Rodin

Member
Mar 12, 2015
4,716
0
355
Changed my email password and activated the 2-step verification, just in case anyone wanted to try something funny.

Also changed again my steam password, removed the authorization from any other device and deleted my paypal account from it (which hopefully removed my name and billing address in the process). Steam Guard was already activated.

From now on, if i buy anything directly from Steam (which is a big if, as i will actively try to avoid doing that), it will be through the cards they sell in stores.

Valve's lack of communication has made me:

-Contact the EU Data Commission about the security issue
What did you tell them?
-Delete everything from my wishlist
Why? Is this related in any way to the account security?
 

Nzyme32

Member
May 23, 2013
18,286
1
0
I received a preliminary response from Steam that consisted of general information about the issue, comparable in detail and structure to the information provided to GameSpot / Kotaku. I replied informing them I did not feel this was an adequate response and restating my specific questions.

If that is just from customer service I guess it's kind of expected since there is no other official line, but that is still not enough. If there isn't anything today I doubt they are going to respond without goading from the more popular press and youtubers
 

LurkerPrime

Member
Jan 6, 2014
18,003
1
0
Kotaku now has another article up where the issue and the lack of communication by Valve is mentioned in the second half.
Steam Problems Linger After Christmas Fiasco

Steam Winter Fail, wow. How did I not hear of that term before.

The severity of the Steam Guard email thing didn't hit me until I read now. I cannot believe Valve has been on radio silence about the issue--it's inexcusable.


The only question I really have at this point is, what is going on at Valve?
 

Condictor

Neo Member
Apr 14, 2013
4
0
0
Sweden
Is anyone else having trouble logging in through the Steampowered site? I tried to login a few hours ago but I never received a Steam Guard e-mail. I've tried several times, of course. The Steam support page says that it can take up to three hours to receive the e-mail, so now I'm going to contact their helpdesk. I hope it's just a bug or something and that no one has changed my Steam account's e-mail address...

edit: maybe i won't contact them after all, now that i've read that people have had lots of problem with steam overall
edit2: lol, it's even mentioned in that kotaku article *facepalm*
 

Syf

Banned
Oct 3, 2012
11,546
1
435
Canada
I cannot believe Valve has been on radio silence about the issue--it's inexcusable.
The silence is why I'm done buying games through Steam. I could forgive the original issue, but the silence makes Valve a shit company as far as I'm concerned.
 

FyreWulff

Member
Jan 21, 2010
39,740
1
0
The Internet
fyrewulff.com
The silence is why I'm done buying games through Steam. I could forgive the original issue, but the silence makes Valve a shit company as far as I'm concerned.

Same here. I also have a game on Steam, and will no longer do business with them for game sales. People need to put their money where their mouth is on this one, lest Valve thinks they can just shovel it away.