-
Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.
Steam security issue revealed personal info to other users on XMas Day (fixed)
- Thread starter Quirah
- Start date
Count me as well, no verification email after 3 trys. Sort it out valve!
Marmaladefire
Member
This whole thing is pretty disgraceful. I had a whole list of games I panned on getting from the winter sale, but I ended up just putting that money towards buying games on PSN. Not solely to make a point either. The store has been totally unreliable. Valve is even pushing away people who were still willing to buy from them this week after that pathetic explanation with these continuing issues, no fixes, and no communication.
hardcastlemccormick
Banned
That sort of response articulates exactly what's wrong with Valve right now. Just tinker away, fix the issue and pretend that communication doesn't need to happen.
Grayson is absolutely correct in this article. You can't just engineer/develop/fix away the need to communicate to your customers. Valve's eccentric nature simply cannot apply to security breaches, storefront problems and everything else that Steam encapsulates.
You'd have to be signed in and switch to Steam Guard Mobile instead of Steam Guard Email
I completely agree with them; not their fault if customers are too irrational to realize that the time would better be spent just fixing the issue. If they lose customers because of it, I guess its their problem, but I have a feeling that their core business is strong enough that they probably won't feel a hit.
Evolution of Metal
Member
What are you talking about? IT specialists aren't doing PR, nor PR/Support does anything to fix the issue. Valve does not need to shift resources from fixing problems to give an official statement of the situation.
hardcastlemccormick
Banned
Valve can't just fix the security breach and walk away like nothing needs to be said. Half the "fix" in this situation is informing users of the breach as soon as possible - especially the ones known to be affected - and telling them what was accessed and how bad or good the situation looks. This takes priority over getting the store back up.
This isn't just playing around with a little hobby website on the side, where technical issues are no big deal. This involves a storefront, with monetary value and personal data involved. Proper channels of communication is bare minimum stuff when playing with big boy software, something Valve might want to pretend they're not involved in producing.
Disaster Nebraska
Banned
This attitude is fine for a while if you have a stranglehold on a market like Valve does, but eventually it just leaves you open to smaller innovators who will copy what you did but provide it cheaper or with better service.
Business 101.
With every day that passes without any direct communication from Valve to their users this situation just gets shittier.
I can forgive some unforeseen (and admittedly weird) caching issue catching them out at the worst possible time, but I can't forgive this radio silence (and what appears to be an attempt to sweep the problem under the rug).
I can forgive some unforeseen (and admittedly weird) caching issue catching them out at the worst possible time, but I can't forgive this radio silence (and what appears to be an attempt to sweep the problem under the rug).
Does Valve even have dedicated PR? Last I checked they did not, so yes, you're asking them to shift resources that could otherwise be allocated to more support, IT or development.
Sure they can. If the issue is fixed, that's that. You can't un-breach the information, and informing users has of it has already occurred. Any sort of messaging afterwards is simply a PR requirement and nothing more; if they choose not to do it, fine. If people want to be compensated for the breach or some shit, that will happen regardless of whatever message they put out. If people want to stop using Steam because they want to hear PR, fine, that's obviously a risk Valve is willing to take. All this outrage over how they run their business is ridiculous.
Definitely, but that's Valve's problem. People saying they're angry on a personal level and 'Valve needs to get their shit together' make no sense to me.
Pie and Beans
Look for me on the local news, I'll be the guy arrested for trying to burn down a Nintendo exec's house.
Informing your customer base their information has been leaked by your shoddy storefront within an acceptable timeframe is a requirement of many governing bodies around the world and I hope they drag Valve's feet over molten rakes.
There's no defending this level of 'swept under the carpet', especially with an absurd line like "well Valve hasn't bothered to pay a PR/Customer Support outlet a wage, so what can you do!!".
If this was any other corporation they would be getting it both barrels right now. Shameful.
They released a statement within hours, did they not? Or am I misinformed? What is an acceptable timeframe to you / these governing bodies?
Pie and Beans
Look for me on the local news, I'll be the guy arrested for trying to burn down a Nintendo exec's house.
They replied to a games website when quizzed for a quote. They sent out no blanket email to their millions of customers to make sure those not dick-deep into internet messageboard culture were aware anything happened whatsoever.
Basically they're going to be in deep embarrassing shit and deserve to get a 6 figure fine just to buck their ideas up.
hardcastlemccormick
Banned
The users have not been informed. They released a statement to Kotaku that went against most users experience of the breach and answered no questions. I mean, on this very page we have Stump contacting Tech Support with very reasonable questions about the nature of breach that he has yet to have answers for.
This isn't a PR requirement. This is a technical requirement that resolves around people's right to know what happened to their formerly private data - which they gave to Steam with the understanding that it would remain private. The data cannot be unbreached, therefore the next fix on the agenda is to contact the users involved and/or release a public statement. Informing the users is part of the technical fix for security breaches.
In situations like this, it provides exactly 0 security, same as steam guard. I kinda regret I gave Valve my mobile number, it's the first time I did such a thing willingly. That will teach me.
That statement contains false information, basically ignores the exposure of personal user data and was not put out through any of their official channels.
They released "a statement" to Kotaku and then that statement was either released to or picked up by other gaming websites.
At no point did they deem it necessary to inform their actual customers, and they still haven't. If those customers don't read Kotaku/Gamespot/[insert site here], they will be none the wiser about what has happened.
That's not to mention the actual statement was woefully inadequate, contained misinformation, and omitted crucial details (possibly deliberately?). Valve's statement:
Things that are wrong with this statement:Valve said:
- No mention of the fact personal information was compromised. "Pages generated for other users" could mean anything (wishlists? Marketplace?), and I suspect it has been left deliberately broad to attempt to sweep the issue under the carpet.
- "A period of less than an hour" - There was evidence available well before this demonstrating the problem was around for a longer time period.
- "No unauthorised actions were allowed on accounts" - while this may be the case, no mention of the possible security implications of the leaking of personal data.
- No apology
electroflame
Member
I'd imagine that there are few positions that have recently opened up.
Think that's fine to a point but when the need to prove who you are if something goes wrong you may come unstuck but perhaps that is the point of no return if a situation like that arises. I think you could apply it easily enough for many places though.
hardcastlemccormick
Banned
I don't even think the apology is necessary. In that instance, Valve can be a little Valve-y and everyone would just move on. But the unauthorized actions bit is concerning when we had multiple reports of people's credit card information being deleted. Who did that? Valve?
Sure would be nice to, you know, get a statement about what exactly happened so we know what falls under the "you should worry about this" category.
Thankfully, most hires fresh out of college should have the common sense to contact affected users after a major systems failure.
Yep. Shit happens, but it's how you respond as a company. Their response to this has been shit, and so I will be taking my talents to Origin or whateverfuck distribution service. Or simply use Steam cards if a certain game is not available on other services.
StereoVsn
Member
I am personally very disappointed in Valve's handling of this fiasco. Here is a problem, what are the alternatives?
-GoG: limited game selection, no two-factor auth of any kind. No ability to purchase "GoG cards" if needed.
- Origin: limited game selection, sales are meh, two factor is there with phone verification I believe.
- Uplay: Hah
- Humble/Amazon/etc: not storefronts.
So it's an issue as Steam is the only solution for a lot of games. It's annoying for certain. Personally I am changing my info to fake, using steam guard on work phone vs personal and using steam cards instead (from now on).
I will also endeavor to purchase games on GoG first but they are vulnerable as well, IMO, just not targeted.
-GoG: limited game selection, no two-factor auth of any kind. No ability to purchase "GoG cards" if needed.
- Origin: limited game selection, sales are meh, two factor is there with phone verification I believe.
- Uplay: Hah
- Humble/Amazon/etc: not storefronts.
So it's an issue as Steam is the only solution for a lot of games. It's annoying for certain. Personally I am changing my info to fake, using steam guard on work phone vs personal and using steam cards instead (from now on).
I will also endeavor to purchase games on GoG first but they are vulnerable as well, IMO, just not targeted.
PLASTICA-MAN
Member
Steam doesn't send neither emails with authentification codes for different browsers nor emails with tarde confirmation. It doesn't even allow choosing an item for direct trade. Servers are messed up since almost 3 days now.
I specifically remember receiving shit for suggesting that Steam needed competition (from everywhere, not just on GAF) for the simple reason that they can fuck up and we need other major players.
Hell, it's why I hoped Microsoft would get off their ass and directly compete with them. The fact that we didn't get a store wide warning at first really pissed me off.
It's not a necessity in any legal sense, in that they won't get in any trouble over it, but they absolutely should apologise. Causing your customers' private personal information to leak and then going "Move along now, nothing to see here" isn't acceptable, and they should be acknowledging that along with the rest of the points people have raised since their piss-poor 'statement'.
StereoVsn
Member
Well, GoG and Origin are working on it but both have issues. Not sure EA is better then Valve but they are at least more professional.
Fair enough -- I wonder if emails not being sent out for other things has something to do with that. With the number of users I can imagine their email servers would be taking quite a hit to send out mass email. I'd expect to see them at least trickling in though.
I'd also be interested to see what the law says about this in various countries. In my country (Canada) users must be notified 'as soon as feasible', and they must be given adequate information, but that's about it.
At this point, it's not looking like either of them will ever get there. I mean, we're talking about over 7000 Steam games, with over a hundred million users. At the very least, Valve need to shake up their upper management.
hardcastlemccormick
Banned
Humble Store isn't a client but their DRM-free games are a good way to fly.
But I came to the conclusion a while ago that using the internet securely means not using the whole internet, unfortunately. If you want PC games, it's hard to avoid Steam right now.
I agree. I'm only emphasizing that it's not necessary in the most technical sense.
What Valve needs to do, the barest of bare minimums:
-Email all customers who were involved in the security issues.
-Issue a public email or bulletin to all Steam users about the issue and what it entailed.
-Contact every game news outlet and give them the same information, and answer all follow up questions from journalists about the issue.
What Valve should do if they were run like an actual professional company:
-Issue an apology.
-Offer affected users some sort of protection plan similar to the one offered by Target during their breach.
-Open a tech support communication venue, hosted separate from Steam, that communicates constantly about even small downtime issues. Start a Twitter/Tumblr/Facebook page for this task as well.
-Massively scale up their tech support team.
VibratingDonkey
Member
It's almost impressive how many faults there is with that short statement.
A more accurate statement would be: "a caching issue allowed anyone with internet access to see pages generated for random Steam users"
Comes across as an attempt to downplay the significance. Limiting it to users. And only some users? Guess it's not that big of a deal then.
charlequin
Banned
This is really not a knowledgeable response to an issue like this. There's no really useful sense in which "the issue" with a security breach is the actual cause of the breach; it's important to address whatever technical problem led to the info leak in the first place, but the actual "issue" is that people's information was accessed, which you can't actually solve and can only triage by actually engaging with the problem.
Just in general, the shitty Silicon Valley attitude that why should a company waste time on "soft skills" when they could be writing code is why Steam has godawful support and a bizarre feature roadmap, and why Valve has completely stopped shipping actual games.
It wouldn't protect against this issue (although literally nothing individual users could do would have protected against this issue) but it's a good idea in general. Everyone should have Steam Guard turned on, and the phone version is much more convenient overall than the email-based one.
The problem is that every time this comes up, there are a bunch of posters claiming Steam is a monopoly (it's not) and suggesting that people arbitrarily buy from random other stores to push back on said "monopoly" (this is useless and won't accomplish what people are hoping for.)
The reality is, when you have a market where one player is doing a dramatically better job than their competition, it's going to be heavily lopsided. Random consumers can't actually fight that by buying worse products on purpose, there has to be a serious effort at competition first. As long as Steam's best-funded competition is stuff like Origin/uPlay (company stores that transparently exist for reasons that are of no benefit to their customers) nobody's going to be able to make a serious run at the throne.
Valve is inevitably going to compete with Oculus in PC VR realm and for my money.
I'm not wishing for Oculus to dominate it like Valve had for PC gaming, more like having a PS360-like mkt split where if one screw up, you can always hop to the other.
Because I know both companies will go on cruise mode once they ran away as by far the mkt leader.
cartographer
Member
The shift in attitudes has been slow. Suggesting that Steam needed competition five years ago (or even three) resulted in being labeled entitled or ignorant of how PC gaming used to be. A few years later and people are coming around a bit more, but not by much and not by a significant amount, it seems.
Even people that are pretty dedicated fans of Steam should want competition. Valve being pushed to make Steam a better platform (and in some cases like CS, a competent platform) is good for everybody.
the only problem with competition is people expect you to use it, and so far none of the alternative gaming services have been worth a damn.
But steam hasn't made the best of this, and I'm not happy with what happened or how Valve has responded.
mugurumakensei
Member
Eh, I think Origin's pretty good, and the occasional on the house game is pretty sweet. Customer Service is also light years beyond Steam and GoG.
when everybody hates you, and you actually get a phone call? you damned well better be sweet on the phone.
charlequin
Banned
Oh sure, the problem is just that the only way there can be competition is for some other company to actually compete with them. People can't just wish it into being by pretending things like uPlay or whatever are actually in the same market as Steam is. As it is GOG (and to a partial degree Humble) is the only real outfit trying to offer a substitutionary good.
Origin's a company store with a minuscule selection of other people's games on it, it's not viable as a substitute for Steam in any meaningful way.
EA has decent customer service and origin is fine. I hope I never have to use vavle's customer service.
I read on the steam community hub a lot of people started receiving phone calls and spam mails after this mess, and still Valve says nothing.
The fact is Valve turned out to be greedy as hell, they want stay small.
Otherwise they would hire people from third parties in order to offer a decent support in the first place.
What they did was automatizing EVERYTHING: this can be ok when you want refund a game, but that's it, because if you face a real issue, all you get is an answer from a bot which won't solve your problem. I had minor issues with Steam I tried to contact support, but in the end I just gave up, because after literally weeks or even months, they replied me with a non-sense thing by a bot linking me some standard procedures to follow.
The fact is Valve turned out to be greedy as hell, they want stay small.
Otherwise they would hire people from third parties in order to offer a decent support in the first place.
What they did was automatizing EVERYTHING: this can be ok when you want refund a game, but that's it, because if you face a real issue, all you get is an answer from a bot which won't solve your problem. I had minor issues with Steam I tried to contact support, but in the end I just gave up, because after literally weeks or even months, they replied me with a non-sense thing by a bot linking me some standard procedures to follow.
The spam E-mails definitely have been a known issues (along with people signing up the affected for other websites using their e-mail addresses), but the phone calls are definitely new to me.
This whole thing has been a disaster and I can't believe Valve still hasn't released a statement informing users about the compromise of their information. Absolutely disgusting.
Finally got around to submitting complaints to the relevant parties.
All those defending Valve make me sick, it's almost as if they have invested so much into steam and have such a large library that requires steam to operate that it's almost a Stockholm syndrome effect.
The sad part is defending them isn't helping, if they don't learn humility from this fuck up - it's only going to get worse.
All those defending Valve make me sick, it's almost as if they have invested so much into steam and have such a large library that requires steam to operate that it's almost a Stockholm syndrome effect.
The sad part is defending them isn't helping, if they don't learn humility from this fuck up - it's only going to get worse.