
Steam security issue revealed personal info to other users on XMas Day (fixed)

DeaviL

Banned
I love how corporate apologists are still peddling their shit even in this situation

I'm sorry for not trying to stoke the fires.
For not claiming you can see full CC info (You can't)
For not claiming you can see phone numbers (You can't)
For not claiming you can get everyone's password (You can't)

You can however
- See e-mail addresses
- Purchase with steam credit
- Purchase with any one click purchase method (if you have to give any extra info, it's a no go)

And that's only if you don't switch to a new account by clicking any button.
 

Dryk

Member
people need to stop with the damage control kool aid, it's a security breach because of the information that can be viewed
Even if it's not as bad as it first appears, any information constitutes a serious breach and I hope Valve get roasted for it. How does this even happen?
 

dity

Member
Because I was sent an email regarding it.

Hello 19 & 21
A phone number (ending in 0000) has been removed from your account.
If you did not do this, your account may have been compromised. Please change your password immediately, or contact Steam Support.

Well damn.

I've received no emails at all, but I was also completely offline when this whole debacle started. Hopefully that means I'm safe.
 
Do you hear that? It is the noise of stomping feet from folks buying a Wii U the day after Christmas since it's the only gaming platform that has never received something this fucked up.
 

Feichaw

Member
How the hell is Steam still up?! Holy shit, this is big!

I've never used my CC on Steam (only used PayPal and BoaCompra, a Brazilian website similar to PayPal), so I don't think I have CC info stored on it, but I'm still upset about this.

What the hell are you doing, Steam?????
 

gofreak

GAF's Bob Woodward
What? How?

Yeah I'm curious about that too.

Unless it's an implicit threat about liability to you if you accidentally unlink SOMEONE ELSE'S paypal/cc info.

Which Valve can fuck right off with - it's entirely its fault if someone accidentally did so in trying to remove their own info. Putting it on the users would be shameless.

Anyway, I can't log in now to the account page, get an error back.
 

DMTripper

Member


I've just done this!!

Edit.. Though my PayPal account!
 
ok so it's not a security intrusion type breach but a security lapse/data exposure breach? well then, that makes a lot of difference.

I have no proof of this or anything, but I refuse to believe that it happening today is a coincidence. Not even Valve is that magical.
Do you hear that? It is the noise of stomping feet from folks buying a Wii U the day after Christmas since it's the only gaming platform that has never received something this fucked up.

Xenoblade Chronicles X is pretty hype. It's the sort of thing that can make you forget Steam-related woes, for sure.
 

Grief.exe

Member
Even though you can't breach an account with just this information, it's a massive info dump of "puzzle pieces" for hacking groups, especially if people use the same password or weak passwords or their email address and Steam account.

Agreed, that's why I was pleading with people at the beginning of the thread not to post usernames.

I can't believe it was even an argument, the other side has no reason for violating someone's security and privacy like that.

Er... just a thought, but maybe the steam twitter has been hacked too and just saying that to prevent people from doing it? :X

Not associated with Valve in any way.
 

Fhtagn

Member
What? How?

If it's a cache problem, it's loading info into a cache and then that cache is being shown to the wrong end user.

So if you haven't logged in recently, it's likely you aren't in the cache. Logging in to change stuff introduces your account to the cache... making it be in the available pool of accounts that are exposed.
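
The failure mode this post describes, as an added example that is not part of the original thread: a shared cache keyed on the URL alone stores one visitor's personalised page and serves it to the next, while a cache that honours `Cache-Control: private` does not. The names (`origin`, `SharedCache`, the sessions and e-mail addresses) are constructed for illustration and model the thread's cache theory, not Valve's actual system.

```python
# Constructed model: an origin that renders a per-user account page, fronted
# by a shared cache. All names and data here are hypothetical sample values.
SESSIONS = {"sess-a": "alice@example.test", "sess-b": "bob@example.test",
            "sess-c": "carol@example.test"}


def origin(path, session):
    """Render a personalised page and mark it as unfit for shared caches."""
    body = f"{path}: account e-mail {SESSIONS[session]}"
    return {"body": body, "headers": {"Cache-Control": "private, no-store"}}


class SharedCache:
    def __init__(self, honor_private):
        self.honor_private = honor_private  # False models the misconfiguration
        self.store = {}

    def get(self, path, session):
        # The key is the URL only, so every visitor maps to the same slot.
        if path in self.store:
            return self.store[path]
        resp = origin(path, session)
        cc = resp["headers"].get("Cache-Control", "")
        uncacheable = "private" in cc or "no-store" in cc
        if not (self.honor_private and uncacheable):
            self.store[path] = resp["body"]
        return resp["body"]


def exposed_accounts(cache, requests):
    """Return the e-mails that were shown to a session that does not own them."""
    leaked = set()
    for session in requests:
        body = cache.get("/account", session)
        owner = body.rsplit(" ", 1)[-1]
        if owner != SESSIONS[session]:
            leaked.add(owner)
    return leaked


if __name__ == "__main__":
    visits = ["sess-a", "sess-b", "sess-b"]  # carol never loads the page
    print(exposed_accounts(SharedCache(honor_private=False), visits))
    print(exposed_accounts(SharedCache(honor_private=True), visits))
```

Only accounts that request the page while the misconfigured cache is live ever enter it, which is why the session that never visits is not exposed in this model.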
 

TronLight

Everybody is Mikkelsexual
.......how does that work.

I'm going to go out on a limb, trying to update your account in any way just updates the cache and puts you on top of some kind of stack in where they're stashing things. Being on top means that you're the next to be picked if somebody tries to look at a profile page.
 
Jesus I was looking at some random dude's account minutes before it was taken down. What an absolutely massive fuckup. I am so so sooo sooooooo glad that I never saved any of my credit card information, learned my lesson quick after the PSN debacle years back. Nothing in my inventory was touched and whatever I had in my wallet seems fine as well.

Christ.
 
D

Deleted member 80556

Unconfirmed Member
Valve will never be defined as communicative.

Wasn't this one of the reasons the demand against Sony was successful? Because they didn't communicate it in a timely manner? Although that was after days, not minutes like this is happening. We might get a release soon after they finish their investigation.
 

oroboros

Member
I just unlinked my Paypal from Valve Inc on the Paypal website, probably a good idea for anyone who had that setup. I guess it's lucky the credit card I have connected to my Steam is already maxed out haha.
 

benny_a

extra source of jiggaflops
Wonder if changing PayPal password would be a bad idea?
No, changing your passwords is never a bad idea unless you deliberately go for a weaker one.
If you do it, do it on PayPal.com

Sounds like hackers broke into @SteamDB, LoL

"No really guys, deleting your info makes it worse! Don't delete!"
The idea is that if this is a caching issue then doing any account action means you also get cached and are in the pool of accounts that get erroneously served up.
 

Jeramii

Banned
dude. what the fuck.

I just ran into this issue, I visited Steampowered.com and I was able to view way more account information for a random user than anyone should be able to view. :O

Every time I refreshed the page it loaded a different person's profile.
 
Yeah I'm curious about that too.

Unless it's an implicit threat about liability to you if you accidentally unlink SOMEONE ELSE'S paypal/cc info.

Which Valve can fuck right off with - it's entirely its fault if someone accidentally did so in trying to remove their own info. Putting it on the users would be shameless.

Anyway, I can't log in now to the account page, get an error back.

If you don't do anything on the store, your info won't get cached. If your info won't get cached, your info won't get exposed.
 

MilkBeard

Member
This is why I don't store my credit card info in any service. Not PSN, not Live, not Steam. Even stupid things like "my baby brother just purchased a lot of games on PSN by mashing X, I'm pissed!" I've seen.

I'm sure that info can still be hacked otherwise, but it doesn't hurt to be a little cautious about stuff like this.

And if it's displaying the info because you purchased something on the site, then it's time to just wait it out, I guess...
 