
Valve releases statement on Steam's Christmas issues

Quantum

Member
Surprised no one has realized that this is normal when dealing in 'valve time'



- I'm glad they responded, glad my account isn't borked, glad I use steam guard and my 1.5k games remain (relatively) safe.

- I'm sad I didn't get to play a robot clicker game or collect coal or play an arg during this sale, and have actually for the first time ever spent more on the microsoft/xbone sale than on the steam sale.
 

Falk

that puzzling face
"some users" lol, anyone who hit refresh while logged in more like.

Are you talking about people who saw other accounts' details, or people whose account details were exposed? Because those are two wildly different categorizations.

34k is both a large number and a small fraction of the total userbase at the same time.
 

Durante

Member
Are you talking about people who saw other accounts' details, or people whose account details were exposed? Because those are two wildly different categorizations.

34k is both a large number and a small fraction of the total userbase at the same time.
You might even say it's "some users" ;)
 

Dunkley

Member
...Yes. Why is that unreasonable?

Pretty much, 5 days is a lot of time to misuse someone's personal information or gather other information from what was compromised without the affected customers even knowing and bracing themselves for it.
 

Hylian7

Member
How is 5 days too long for some people? Do you expect a response as it's going on and they're figuring out wtf happened?

I expect a "Something happened, we don't know all the details. We are investigating. We apologize to those that had information exposed."

I don't think that is too much to ask.
 

Joqu

Member
On the other hand I'm not convinced they would've given out a response in the first place if they weren't called out on it so I do have to admit my confidence in Valve is at an all time low now.

I just hope they'll improve on their customer support as a result of this, it's long overdue.
 

cyba89

Member
Surprised no one has realized that this is normal when dealing in 'valve time'

And how does that make this acceptable?

Stupid "valve time" internet jokes do not apply when we talk about serious security issues of billion dollar companies.
Valve is operating a storefront with over 100 million users and not some personal weblog or banana stand.
 

DeaviL

Banned
You should not wait five days to say anything when personal user data is exposed. They should have informed their customers asap about this and given a more detailed explanation later.

Yes, sow some panic.
I guess you missed the triggered and hyperventilating crowd in the previous thread?
 

DeathoftheEndless

Crashing this plane... with no survivors!
They should have mentioned at least something about it earlier, but fortunately the released info was pretty harmless.
 
...Yes. Why is that unreasonable?

Because it probably leads to posts like this

Er why is everyone automatically taking their word for the 34k number?

Do you guys not remember they also said the caching issue lasted under an hour when that was patently false?

Where they end up mistakenly reporting something because they (presumably) don't have information on the full extent of the issue and are forced to revise what they've said when they do, causing people to get "suspicious" and assume they're lying.

But I dunno, maybe 5 days is a long time. Some people are also incorrectly assuming the issue lasted 5 days
 

UrbanRats

Member
Damn, I regret logging into steam in that time frame now.
I blame my parents telling me Santa wasn't real, if I had felt more of that Christmas spirit, I wouldn't have been bored on the 25th, enough to check on steam.
 
On the other hand I'm not convinced they would've given out a response in the first place if they weren't called out on it so I do have to admit my confidence in Valve is at an all time low now.

I just hope they'll improve on their customer support as a result of this, it's long overdue.

I absolutely agree. I believe they would have tried to sweep this under the rug if people hadn't put them on blast for this. Valve hasn't done much to make me believe otherwise.
 

pj

Banned
Yes? It's understandable that they may not have a detailed explanation on the spot for what happened and why, but their initial statement didn't offer any apology, or even acknowledge that there was a security breach.

So what? It wasn't a security breach and nothing significant happened. Considering it happened on christmas, I'd say their response to this nearly non-event has been pretty fast and extensive.

I find it very weird to demand an instant apology from a company about something as insignificant as this. Were you really that injured by it? And do you think valve corporation is actually sorry now and they weren't 5 days ago?
 

fallout

Member
How is 5 days too long for some people? Do you expect a response as it's going on and they're figuring out wtf happened?
The level of detail in what they just posted is pretty good and I can see why it took them a few days to get it put together. That said, I would have liked a response indicating at least where they were at in their investigation and that a full response was forthcoming.
 
They couldn't have said something, anything 5 days ago?

IIRC they only made a statement to Gamespot about the issue. Which in itself seems ridiculous. Like, why not make a message on your platform with "There's been an issue, we're investigating etc."

Seen a lot of people wanting to give them a free pass on this but I just can't. This shouldn't have happened and they've handled this poorly.
 

Par Score

Member
Well, it took them long enough, but they got there in the end.

I was really starting to expect they'd try to sweep this under the rug, so they've gone way up in my estimations by releasing this full and frank statement on their main news channel and confirming they're looking to identify and help the affected users.
 

BiggNife

Member
So what? It wasn't a security breach and nothing significant happened. Considering it happened on christmas, I'd say their response to this nearly non-event has been pretty fast and extensive.

I find it very weird to demand an instant apology from a company about something as insignificant as this. Were you really that injured by it? And do you think valve corporation is actually sorry now and they weren't 5 days ago?

We had no idea what the true extent of the breach was except a bunch of hypotheses from external sources. Don't you think it's pretty understandable to want more information on what happened as quickly as possible, especially if your account was affected?

And depending on who you ask, having a stranger get your address, part of your phone number and the last two digits of your CC is not "insignificant," because that stuff can be used in reverse engineering to access other accounts online.

e: corrected
 

cyba89

Member
So what? It wasn't a security breach and nothing significant happened. Considering it happened on christmas, I'd say their response to this nearly non-event has been pretty fast and extensive.

You're really calling the exposure of personal data an insignificant non-event?
 

jgwhiteus

Member
And here I thought they'd just sweep it under the rug

Would that even be permitted? There are laws in almost every state that mandate that if there's a data security breach that involves customers' personal information that the company is required to notify the affected users (as well as state governments) as soon as reasonably possible.

Forty-seven states plus the District of Columbia have data breach notification laws, to say nothing of other territories like the EU, etc., who might have even stricter regulations:
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

I guess it's debatable as to whether the breach here amounted to the kind requiring notification (usually the breach has to involve social security / drivers' license numbers or financial account numbers, and I'm not sure if the last four digits of a credit card plus email / address info is enough), but given how many countries / states have these laws, Valve would be taking a pretty huge risk by sitting on the info and later claiming they didn't have to disclose the issue because the particular information exposed wasn't personal enough, only to find there's a state or country out there that disagrees and finds them in violation of the law.

I'm assuming the delay in issuing this statement was because they had to do an internal investigation to figure out what happened and how many people were affected, and then have their legal and technical teams craft a statement together.
 

Instro

Member
Pretty much, 5 days is a lot of time to misuse someone's personal information or social engineer other information without the affected customers even knowing and bracing themselves for it.

Not that I disagree, but I'm not sure the customers affected would be aware either way until they complete the full investigation. How would Valve notify them without identifying the affected users first?
 

pj

Banned
Pretty much, 5 days is a lot of time to misuse someone's personal information or gather other information from what was compromised without the affected customers even knowing and bracing themselves for it.

Wtf is anyone going to do with your billing address or the last two digits of your credit card?

If someone wanted to be an asshole to a random person they could just as easily point to an address on google maps and send them a bunch of little caesars.

We had no idea what the true extent of the breach was except a bunch of hypotheses from external sources. Don't you think it's pretty understandable to want more information on what happened as quickly as possible, especially if your account was affected?

And for a lot of people, having a stranger get your full name, address, phone number and the last four digits of your CC is not "insignificant."

Please don't exaggerate. The OP doesn't say full names were leaked, do you have a source that they were? It also explicitly says that only the last 4 digits of phone number and last two digits of CC were possibly displayed. Billing address is probably the "biggest" thing shown, but even with that, who cares? If someone has my address but doesn't know my name, wtf are they going to do with it? I could get more personal information on someone from the white pages. If they still exist..

You're really calling the exposure of personal data an insignificant non-event?

yes
 

Dunkley

Member
By comparison, Sony's 2011 attack took 6 days before notification, right?

I think so, then again however this isn't a contest on which company can handle the compromise of personal information the worst.

they acknowledged it the day of.

They took down the servers 1 hour after being aware of the issue and released a short statement about people being able to see pages generated for others.

Nothing about compromising personal information here, nothing on their own official channels like their twitter or the Steam news page like here since they only released that statement to gaming news websites that asked about it.

edit:

Wtf is anyone going to do with your billing address or the last two digits of your credit card?

If someone wanted to be an asshole to a random person they could just as easily point to an address on google maps and send them a bunch of little caesars.

A lot of things, I'm surprised you would remotely even think the compromise of someone's billing address (containing real name, address and phone number) is not a big deal. For beginners, you ever heard of doxxing or swatting?
 

Schryver

Member
We had no idea what the true extent of the breach was except a bunch of hypotheses from external sources. Don't you think it's pretty understandable to want more information on what happened as quickly as possible, especially if your account was affected?

And for a lot of people, having a stranger get your full name, address, phone number and the last four digits of your CC is not "insignificant."

It says nothing about names that I see. And last 4 digits of your phone number only
 

Cth

Member
I wonder if I get a notification. Not sure whether I was logged in at that time.

As I understand it, unless you accessed the user details area during that time, it's a moot point.

Meaning, you could have been logged in, but unless you accessed that page, your info wouldn't have been potentially displayed elsewhere.

I think so, then again however this isn't a contest on which company can handle the compromise of personal information the worst.

True.
 
You should not wait five days to say anything when personal user data is exposed. They should have informed their customers asap about this and given a more detailed explanation later.

Exactly. Unacceptable to wait so long to say something. It's hard to believe how many people don't see a problem with this.
 

Spaghetti

Member
five days seems reasonable considering a.) you need to be thorough in determining the problem, and b.) it happened literally over christmas
 

BiggNife

Member
It says nothing about names that I see. And last 4 digits of your phone number only

I stand corrected. Still some vital information there, regardless.

edit: And to be clear, I was not trying to exaggerate. I could've sworn I heard that names were in the leak, but that thread about the leak was a huge mess as it was happening and full of misinformation and it was hard to keep track of what was what.
 

Shepard

Member
Makes sense that the amount of users affected by the bug was kinda low, as lots of people reported seeing the same account pages. Good that they released this statement clarifying the situation, and I can understand the 5 days they took (you have to be absolutely sure of what happened before telling the world), but what was pretty shitty was the damn long time they took to take the store down after the initial reports were coming.
 
Makes sense that the amount of users affected by the bug was kinda low, as lots of people reported seeing the same account pages. Good that they released this statement clarifying the situation, and I can understand the 5 days they took (you have to be absolutely sure of what happened before telling the world), but what was pretty shitty was the damn long time they took to take the store down after the initial reports were coming.

I'm sure they took it down as quickly as they could once they identified the issue. It's a massive network, there isn't just some kill switch somewhere, taking anything down like that takes time.
 

Zafir

Member
five days seems reasonable considering a.) you need to be thorough in determining the problem, and b.) it happened literally over christmas

It's not reasonable that they took that long to issue any decent statement though.

It would have taken them no effort at all to apologise and mention that they're investigating the issue.
 
Why was this response not given by mid afternoon the day it happened? That personally is the biggest issue I take with the whole ordeal. I was never that concerned about my account.

Edit:

five days seems reasonable considering a.) you need to be thorough in determining the problem, and b.) it happened literally over christmas

If you find it reasonable then you have very low expectations out of a million (billion?) dollar company. They can afford the tools necessary for a fast investigation. Businesses of this size don't celebrate holidays.
 