Steam security issue revealed personal info to other users on XMas Day (fixed)

Tenebrous

Member
What we know so far

  • Most likely an error in the way Steam caches pages.
  • People are able to access random Steam profiles and see compromising information, account names, emails, last 2 digits of credit card, PayPal email address, purchases, etc.
  • No changes can be made to the affected account, no purchases can be made. Any evidence to the contrary is, as of yet, unsubstantiated.
  • It's been advised to not access Steam URLs, including the client, until we have more information.
  • Do not post account names you see, huge security risk.

I'll update this post with more information going forward.

But who forced the page caching error? The timing surely can't be a coincidence...
 
Since this is a caching error, shutting the servers down won't do anything, unless they managed to shut down the caching servers as well, and I wouldn't be too surprised if Valve's outsourced those.
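
The failure mode the thread suspects, a shared cache handing one user's account page to the next visitor, shown as an added example that is not part of the original posts and is not a reconstruction of Valve's setup, which the thread does not describe. The paths, session names, header values and the `respect_headers` switch are all constructed for illustration.

```python
# Added illustration: a toy shared (proxy) cache in front of an account page.
# Every name, path and header value here is constructed for this example.

def origin(path, session):
    """Constructed origin: /account is personalised per session."""
    if path == "/account":
        body = f"email={session}@example.test"
        return {"headers": {"Cache-Control": "private, no-store"}, "body": body}
    return {"headers": {"Cache-Control": "public, max-age=60"}, "body": "store front"}

def directives(resp):
    """Return the lower-cased Cache-Control directive names of a response."""
    cc = resp["headers"].get("Cache-Control", "")
    return {d.strip().split("=")[0].lower() for d in cc.split(",") if d.strip()}

def storable_in_shared_cache(req_headers, resp):
    """Deliberately conservative policy for what a shared cache may store."""
    d = directives(resp)
    if d & {"private", "no-store"}:
        return False                      # origin said: not for shared caches
    if "Set-Cookie" in resp["headers"]:
        return False                      # response is tied to one client
    has_creds = "Cookie" in req_headers or "Authorization" in req_headers
    if has_creds and not (d & {"public", "s-maxage"}):
        return False                      # credentialed request, no explicit opt-in
    return True

class SharedCache:
    def __init__(self, respect_headers):
        self.respect_headers = respect_headers  # False models the misconfiguration
        self.store = {}

    def get(self, path, session):
        if path in self.store:            # the cache key is the URL only
            return self.store[path]["body"]
        req_headers = {"Cookie": f"session={session}"}
        resp = origin(path, session)
        if not self.respect_headers or storable_in_shared_cache(req_headers, resp):
            self.store[path] = resp
        return resp["body"]

def second_visitor_sees(respect_headers):
    cache = SharedCache(respect_headers)
    cache.get("/account", "alice")        # first visitor warms the cache
    return cache.get("/account", "bob")   # what the next visitor receives
```

With the origin's headers ignored, the second visitor receives the first visitor's page; with the check in place, each visitor gets their own page while the public store front stays cacheable.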
 

finalflame

Gold Member
Steam's on-call engineers must be having a BLAST right now. I can't properly access my account; just get random people's accounts and an error when trying to log out on web browser.

 

Prosopon

Member
I think they just shut down the ability to access account information.
 

Tunesmith

formerly "chigiri"
From what I can tell, here's the information that could be compromised:

last 2 digits of your credit card
Paypal email address
amount in your Steam wallet
last four digits of your phone number
account email address

+ your country of residence.

Social engineering opportunities galore with this information.
 

Skux

Member
Even though you can't breach an account with just this information, it's a massive info dump of "puzzle pieces" for hacking groups, especially if people use the same password or weak passwords for their email address and Steam account.
 

akira28

Member
ok so it's not a security intrusion type breach but a security lapse/data exposure breach? well then, that makes a lot of difference.
 

Zomba13

Member
In most cases I guess an hour response time isn't too bad in the grand scheme of things BUT when it's a 24/7 world wide online store front/games platform that has millions of users connected at all times you might want people keeping up to date on what's going on 24/7 so they can pull the plug as soon as they get confirmation something fucky is going on.
 
This is easily the worst response to a hack I've ever seen by any company. They've known for at least an hour now that people's account information can be accessed and they still haven't made the most basic and necessary move which would stop the issue dead in its tracks which is shutting down all the servers. This easily beats the PSN hack in magnitude and I hope that they're similarly raked over the coals like Sony were back then. Let's hope this event finally makes the top guys realise that the do what you want, no accountability, no responsibility, joke of a corporate structure they have over there isn't working.
 

Alucrid

Banned
feel free to add this too

WYxdO6J.png
 

DMTripper

Member
So has anyone confirmed you can make purchases with existing store credit? Then maybe send that purchase to another account?

I've disabled paypal to my steam account but still have store credit...

Has anything like this happened before??

Shit is funked up.
 

Guess Who

Banned
If they're running an online service like this, then someone is policing it.

I'm not so sure about this given the everyone-does-what-they-want, no-formal-hierarchy, sorry-we-can't-provide-acceptable-customer-service-because-our-company-structure-or-lack-thereof-means-nobody-gives-enough-of-a-shit-to-do-it-and-we-can't-just-make-people-do-it nature of Valve.
 

Grief.exe

Member
But who forced the page caching error? The timing surely can't be a coincidence...

It's definitely possible that this was a legitimate hacking attempt.

Steam sales are mainly automated so there may be a skeleton crew, or no one at all, at Valve headquarters currently.

Not to mention the complete radio silence on Twitter. This is FUCKED.

Valve will never be defined as communicative.
 