
Steam security issue revealed personal info to other users on XMas Day (fixed)

Nov 16, 2011
Totalbiscuit uploaded a video talking about this.

I'm sure people have seen it, but sharing it anyway. Hopefully Jim Sterling does one too to increase awareness and all that, force a response out of valve, etc.

What amazes me is we'll probably see a bunch of people who (don't) watch this video and spend their time explaining how TB isn't a consumer advocate.

It's a good watch.
 

Beefy

Member
Nov 8, 2013
Totalbiscuit uploaded a video talking about this.

I'm sure people have seen it, but sharing it anyway. Hopefully Jim Sterling does one too to increase awareness and all that, force a response out of valve, etc.

Yeah I have watched it. I have also contacted ICO (UK).
 

KZXcellent

Member
Oct 1, 2014
TX
Totalbiscuit uploaded a video talking about this.

I'm sure people have seen it, but sharing it anyway. Hopefully Jim Sterling does one too to increase awareness and all that, force a response out of valve, etc.

Good video on the subject as expected of TB.

I still find it absolutely ludicrous that Valve hasn't at least apologized for this nonsense. Absolutely disgraceful.
 

Lucumo

Member
Dec 19, 2013

What he says here is wrong though:

For nearly an hour, anyone with a Steam account could see random users’ e-mail addresses, phone numbers, and buying histories as well as the last four digits of their credit card numbers, which would be more than enough to steal someone’s Netflix account.
Even without a Steam account, you were able to see all of this (I did).
 

Nohar

Member
Dec 24, 2011
Totalbiscuit uploaded a video talking about this.

I'm sure people have seen it, but sharing it anyway. Hopefully Jim Sterling does one too to increase awareness and all that, force a response out of valve, etc.

Very good video! I invite everyone to view it.

I'll keep an eye on this thread and on others. Valve is guilty of negligence. How they acted was irresponsible. This should never have happened. If they finally decide to apologize (which will account for nothing: they should have contacted everyone directly to inform them of what happened, in detail, day one), I won't care: too little, too late. I am done with them.
 

DMczaf

Member
Jun 6, 2004
Origin customer service in my handful of times dealing with them has been EXCELLENT. I usually get my issue resolved in under 30 mins.

Valve? It really feels like talking to a wall.
 

Lalalandia

Member
Oct 27, 2013
All I know is if this happened in the healthcare field, shit would hit the fan and then some.
Yup it's tragi-comic reading people trying to dismiss this as minor if you have any familiarity with the legal obligations on companies that hold PII. Here's hoping that the silence of the press is a Christmas thing (Kotaku/Destructoid excepted ofc).
 

Dunkley

Member
Jun 17, 2014
Totalbiscuit uploaded a video talking about this.

I'm sure people have seen it, but sharing it anyway. Hopefully Jim Sterling does one too to increase awareness and all that, force a response out of valve, etc.

I just wanted to say I finished listening to this and definitely it is worth listening to, if you're aware of the issues and the effects of personal information leaking out, at least listen to the end of it, he makes some really good points.

I completely agree that Valve is too big of a company to continue pulling shit like this without receiving any criticism, and the stonewalling from dedicated fans trying to defend their lack of communication really needs to stop.

The only thing is... Didn't someone already say they have been getting phone calls and sign-ups for various accounts using their emails due to this? I think it's already too late to only speak of the theoretical people getting harassed due to their information leaking out due to this and the tragedy of that; that's supposedly already happening.

All I know is if this happened in the healthcare field, shit would hit the fan and then some.

Exactly, I'd get my ass kicked into the next universe if I gave out any information about my patients. I'm not even allowed to tell their relatives (even if they verify themselves) on how the patient is doing since I am legally obliged to not do that if I don't have the permission from the patient to do so.

If I gave out personally identifiable information like that to strangers or alone just stuff like E-mail addresses or phone numbers, I'd be sitting in jail.
 

Head.spawn

Junior Member
Sep 3, 2013
Yes, they did say that in March when they got an F by the Better Business Bureau.

Valve Is Not Psyched They Got An 'F' In Customer Service

To be fair, they were probably only talking about it in regards to DOTA 2.

Maybe 0.5%, considering the attention it got from social media. I wouldn't be surprised if a lot of those accounts are dead, fakes, alts, forgotten, etc.

That's a weird guesstimation to take, considering you could clearly see purchasing history, activated Steam Guards, money in the wallet etc etc. Either way, I doubt their name, email address and phone number is dead/fake/forgotten or an alt.
 
Nov 16, 2011
The only thing is... Didn't someone already say they have been getting phone calls and sign-ups for various accounts using their emails due to this? I think it's already too late to only speak of the theoretical people getting harassed due to their information leaking out due to this and the tragedy of that; that's supposedly already happening.

People have said a lot of things (and he covered this in the video) but provided no actual proof of it happening.
 

Steejee

Member
Mar 12, 2015
What he says here is wrong though:

For nearly an hour, anyone with a Steam account could see random users’ e-mail addresses, phone numbers, and buying histories as well as the last four digits of their credit card numbers, which would be more than enough to steal someone’s Netflix account.

Even without a Steam account, you were able to see all of this (I did).

Having barely paid attention to this when it was happening (main PC was off and I was away), was there anything outside of that list that seemed to be available? I skimmed the Kotaku article but didn't see anything.

As someone who has worked with a lot of sensitive info (namely, web systems that handled payments), those things listed aren't exactly considered super critical data. Last four is kept as a helper to users - your actual, full, CC number is never stored unencrypted or even stored at all - PCI compliance is incredibly strict and not something you screw around with. Hell you can get name and last four off of discarded CC receipts. Having your last four 'stolen' sounds scary but it's basically useless in itself.

Your email and phone is already on the internet somewhere, you've probably listed it somewhere public you forgot about.

The 'Confessions' article that talked about stealing a Netflix account was more of an implication of lousy Netflix security than anything else.

As for the BBB, they're not very trustworthy and shouldn't be your gold standard on a company's quality. They're a business, through and through, not a non-profit watchdog or part of the government. Take their ratings with a grain of salt.

As someone who keeps their Steam profile on Private, doesn't use Facebook, Twitter, etc and is generally fairly cagey with online info, having those bits of data taken doesn't frighten me in the least. Valve needs to be open and transparent about what happened, what's being done about it, and what concerns people should have, but this isn't the OPM theft or voter records leak by any stretch.

Edit: So reading their response, what could have been taken in a worst case amounted to very little, at worst your billing address/email address, both of which are typically easy to dig up via other means.
 

Steejee

Member
Mar 12, 2015
Lol What an absurd thing to write.
Much of what you wrote is, but this in particular.

Such as? People post that info to Facebook regularly, on public profiles. Whitepages can net you a phone and address. A name can find you an email address. An exposed database (of which there are countless) can reveal that and more and you'll never know. Valve's failure here was visible, but most are not, many go uncaught for years.

Your name, email address, and phone number are not that valuable to anyone out there that actually cares about stealing your personal info.
 

Vinland

Banned
Jun 27, 2015
Hey cool they rehosted the support ticket image from Kotaku without attribution or permission. Great investigative journalism guys.
it was just a caching issue for the image host. For an hour giant bomb pics were randomly switched with other gaming journo sites pics.

this whole debacle is funny, sad and premise for deep concern
 

SchrodingerC

Member
Apr 16, 2014
To be fair, they were probably only talking about it in regards to DOTA 2.



That's a weird guesstimation to take, considering you could clearly see purchasing history, activated Steam Guards, money in the wallet etc etc. Either way, I doubt their name, email address and phone number is dead/fake/forgotten or an alt.

I was more talking about the total steam account numbers, not the ones that were affected.
 

tomasdk

Member
Dec 5, 2008
So finally Valve responds. Now I'm curious whether they will contact me or not as I did exactly what I was not supposed to do during that time. :/ Hopefully not though
 

doctorcdcs

Member
May 17, 2011
Forgive me, having to type this on a cellphone since my PC is disconnected so this might look messy.

Such as? People post that info to Facebook regularly, on public profiles.

So? Those people chose to put out their personal information. Steam users didn't give Valve permission to display it for people on the internet to see. Like I said earlier, if this was in the healthcare field, this would be on the evening news. There's a reason why acts like HIPAA and PHIPA exist.


Whitepages can net you a phone and address. A name can find you an email address.

Do you not have the option to unlist yourself from the whitepages? I think there is. Also, if you use multiple email addresses with fake names, I don't know if it would be as easy as you are implying.

An exposed database (of which there are countless) can reveal that and more and you'll never know. Valve's failure here was visible, but most are not, many go uncaught for years.

I'm not really sure where you're going with this.

Your name, email address, and phone number are not that valuable to anyone out there that actually cares about stealing your personal info.

It's nice to see that you don't think social engineering isn't a big deal but I would disagree.

Let's use stump as an example. His personal information was shown (I have no idea if he had items in his cart which would have shown even more information apparently).

Now, as a mod for neogaf, I'm sure he's made his fair share of friends and not so friends. He used the same user name and avatar for both steam and GAF so associating the two coming from the same person wouldn't be that hard. Now we know people on GAF had seen his personal information from earlier. Who knows if one of them has an axe to grind against him?

From something minor like a bunch of pizzas being sent to his house to a swatting incident could occur, not to mention the potential identity theft issues.

In the end, agree to disagree with you on this one.
 

Giruvegan

Member
Nov 24, 2013

it wasn't even a pop-up from the client, which was happy to inform me of the new tweaks for the steam controller i didn't buy earlier, but if it wasn't for this thread, and actually witnessing what happened first-hand, i would have no clue that anything like this had occurred.

i didn't even know that the password hack had happened over the summer until i saw a pop up interrupting my attempts to play ffxiv.

i think from now on, it's time to just buy gift cards to load into the steam wallet. i only just recently stored my information because of the sale. needless to say, i regret this immensely.
really disappointed in how this was handled overall. this has definitely soured my opinion of Valve.
 

Justified

Member
May 14, 2013
GA
Such as? People post that info to Facebook regularly, on public profiles. Whitepages can net you a phone and address. A name can find you an email address. An exposed database (of which there are countless) can reveal that and more and you'll never know. Valve's failure here was visible, but most are not, many go uncaught for years.

Your name, email address, and phone number are not that valuable to anyone out there that actually cares about stealing your personal info.

All I see is can, can, can. Yea, all of that PII possibly could be found elsewhere, but the fact is it was exposed through Steam, who has a duty to protect that data, no matter how trivial you are trying to make it.

There are actually legal ramifications to not protecting PII.

Also, saying no one cares about the info that was exposed is totally wrong. Advertising companies pay big bucks for this type of stuff.
 

paperspace

Member
Jan 21, 2009
it wasn't even a pop-up from the client, which was happy to inform me of the new tweaks for the steam controller i didn't buy earlier, but if it wasn't for this thread, and actually witnessing what happened first-hand, i would have no clue that anything like this had occurred.

It's in the announcement bro.

Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users.
 

Saintruski

Unconfirmed Member
Nov 11, 2014
Reading their official release, the TL;DR is we are investigating fully and gathering all information before releasing conclusions and information...that should have been said hour one...

Blah blah DoS, blah blah blah identifying users, blah blah blah, working with cache partner, blah blah blah working on it.
 

Roland1979

Junior Member
Feb 21, 2013
The netherlands
myanimelist.net

Ludens

Banned
Feb 5, 2014
Did Valve contact those 34000 people after this?
Stump or someone else, did you receive an e-mail?