Valve releases statement on Steam's Christmas issues

Beefy

Member
34,000 might seem low in the grand scheme of things, but it's still 34,000 too much.

I hope those 34k users get some serious compensation

I hope they get some sort of insurance to cover them just in case some dodgy people do get hold of their info.
 

jstripes

Banned
Maybe they wanted to figure out exactly what happened before just saying something broke.
 

Spaghetti

Member
You're not arguing with real people. Nobody here is saying that five days for a detailed response with explanation in a complete vacuum is unacceptable. Stump even made a point on this page about how the failure to respond correctly upfront affected the response to this statement.
if people didn't have a problem, they wouldn't have picked up my original post how waiting five days for a detailed response over the christmas period is reasonable.

it's all well and good telling me about valve's failure to respond properly to the right parties earlier on, and i agree, but it has nothing to do with what i originally posted.
 

dave is ok

aztek is ok
I have a feeling "Here are some free games! Hope no one SWATs you!" won't exactly help
There isn't much stopping someone from doing that anyway. If you own a home, it's public record. If you own a business, it's public record. If you rent, your address is known by many third parties who already sell that shit to whoever.

This sucks for those 34k people, but I would be shocked if any significant harm came to them as a result of this.
 
There isn't much stopping someone from doing that anyway. If you own a home, it's public record. If you own a business, it's public record. If you rent, your address is known by many third parties who already sell that shit to whoever.

This sucks for those 34k people, but I would be shocked if any significant harm came to them as a result of this.

I don't see any significant harm coming from this either. It's more peace of mind that's hard to ensure people. Unless there are users out there who decide they don't like someone based on their name and specifically target them. Hopefully cases like those remain purely hypothetical, but assholes sadly exist and are plentiful.
 

Shenmue

Banned
five days seems reasonable considering a.) you need to be thorough in determining the problem, and b.) it happened literally over christmas

Your reason b is bullshit. If you are open for business on Christmas you don't get to use that as an excuse.

Companies don't get to have it both ways. You want to keep making money during Christmas then you better respond just as fast as any other work day.

Reason a is fine but they still should have given an apology in the first statement and told people that they are diligently working to get all the facts.
 

Maiden Voyage

Gold™ Member
I accessed my purchase history around the time frame they are suggesting. I don't know if my information was out there, but I do want to know for certain. I don't want a Valve Complete pack to make up for it if it did happen.
 

True Fire

Member
Instantly forgiven. Hopefully this doesn't happen again in a few months, or else I'll be angry at them for another hot minute!
 

fester

Banned
...Yes. Why is that unreasonable?

Because that's a piss-poor response time by any industry metric. The business I manage issues responses to outages and emergency situations the same day, any day of the year. If I can manage that for a company with a paltry revenue of 20 mil/year, surely someone with the pockets and resources of Valve can do just as good, if not better.
 

Spaghetti

Member
Your reason b is bullshit. If you are open for business on Christmas you don't get to use that as an excuse.

Companies don't get to have it both ways. You want to keep making money during Christmas then you better respond just as fast as any other work day.
five days for a detailed follow up explanation, with consultation with a tech partner for a solution, over christmas where you could be facing reduced staff on both fronts, is not an insane amount of time.
 

Daheza

Member
This apology is a good start but valve really needs to contact everyone that had their information leaked and set them up on fraud protection paid for by valve. I don't know why some people think this information leak is not important. When signing up for a credit card they often ask to verify an address to where you live. If that information is now on the internet for everyone to see I really need to be aware.
 

Aeana

Member
Because that's a piss-poor response time by any industry metric. The business I manage issues responses to outages and emergency situations the same day, any day of the year. If I can manage that for a company with a paltry revenue of 20 mil/year, surely someone with the pockets and resources of Valve can do just as good, if not better.

You misunderstood my post. "Why is that unreasonable?" was in response to "Do you expect a response as it's going on and they're figuring out wtf happened?" Yes, I do expect a response as it's going on.

Do people really think my kudos post on page 1 was serious? C'mon, sons.
 
This apology is a good start but valve really needs to contact everyone that had their information leaked and set them up on fraud protection paid for by valve. I don't know why some people think this information leak is not important. When signing up for a credit card they often ask to verify an address to where you live. If that information is now on the internet for everyone to see I really need to be aware.

I'm pretty sure you need more than a name and address to sign up for a CC under someone's name...
 
This apology is a good start but valve really needs to contact everyone that had their information leaked and set them up on fraud protection paid for by valve.

No one knows yet what Valve plans to do, but they are at least working on the first part as per their statement:

Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified.
 
five days for a detailed follow up explanation, with consultation with a tech partner for a solution, over christmas where you could be facing reduced staff on both fronts, is not an insane amount of time.

Correct, this response is completely reasonable.

The complete lack of notification during and just after the event is what is messed up. They knew the problem, it was fixed after all, so even a "it is safe now, more details to come" email would have been fine.

From a practical view point, valve's published privacy policy does not cover details like notifications of breaches. Like most of the things they do, this is very unlikely to hold up under scrutiny in the different countries they deal with.
 
This apology is a good start but valve really needs to contact everyone that had their information leaked and set them up on fraud protection paid for by valve. I don't know why some people think this information leak is not important. When signing up for a credit card they often ask to verify an address to where you live. If that information is now on the internet for everyone to see I really need to be aware.

For some people, like that dude whose page got cached by Google, the information is "still online." For a lot of people it was viewable for a short period of time and now it's gone unless people saved it. That's sort of why I'm less concerned about this in general. When Patreon got hacked a few months ago and all of people's payment shit leaked as well as their billing addresses, etc, like you can still look that up. The whole database is out there floating freely.

For the vast majority of the 34k accounts affected by the cache it's unlikely anyone saved their information, and it's significantly less risky because this wasn't a targeted attack. It's like the difference between a hacker purposefully hacking in to your phone company and stealing a database for nefarious purposes and a random person getting your phone bill instead of theirs - yeah they could do something shitty with it and you should take it seriously, but the vast majority of people who get the wrong bill would just close out of the window or throw it away and not do anything.
 

MartyStu

Member
Er why is everyone automatically taking their word for the 34k number?

Do you guys not remember they also said the caching issue lasted under an hour when that was patently false?

Having dealt with issues like this at work, I will say that it is entirely believable that the initial analysis was incorrect.

Happens all the time. It is part of why some companies wait before making press releases about this sort of thing.
 

Daheza

Member
For some people, like that dude whose page got cached by Google, the information is "still online." For a lot of people it was viewable for a short period of time and now it's gone unless people saved it. That's sort of why I'm less concerned about this in general. When Patreon got hacked a few months ago and all of people's payment shit leaked as well as their billing addresses, etc, like you can still look that up. The whole database is out there floating freely.

For the vast majority of the 34k accounts affected by the cache it's unlikely anyone saved their information, and it's significantly less risky because this wasn't a targeted attack. It's like the difference between a hacker purposefully hacking in to your phone company and stealing a database for nefarious purposes and a random person getting your phone bill instead of theirs - yeah they could do something shitty with it and you should take it seriously, but the vast majority of people who get the wrong bill would just close out of the window or throw it away and not do anything.

I think the issue is that you can't guarantee that someone didn't save the information. I know if I was looking for easy money I would save as much information as I could and sell it on darknet. It is basically free money, someone out there would pay for it and combine it with other security breaches and you really start to have a nice data set of personal information.

If my information was exposed even for a moment then it is no longer secure and since Valve was in charge of keeping this information safe they should pay for fraud protection for all people who were exposed.
 
I think the issue is that you can't guarantee that someone didn't save the information. I know if I was looking for easy money I would save as much information as I could and sell it on darknet. It is basically free money, someone out there would pay for it and combine it with other security breaches and you really start to have a nice data set of personal information.

If my information was exposed even for a moment then it is no longer secure and since Valve was in charge of keeping this information safe they should pay for fraud protection for all people who were exposed.

Yeah, which is totally possible and why everyone should take it seriously, but for the short time the bug was happening and from what little information was publicly available from most of the affected accounts (barring some accounts that had more information exposed) and the fact that it wasn't a targeted attack, it's a lot less concerning than other data breaches that have occurred. I'd be much less worried that my data was compromised from this than from something like the Patreon hack earlier this year. The amount of data that could be saved and distributed from Steam's thing is pretty small.
 
The timing of today's statement is acceptable. Investigating and figuring out exactly what happened takes time.

However, they should have released a brief statement along with an apology on Christmas evening. Something along the lines of "the problem has been resolved and we are investigating further to find out exactly how this happened". Specific details can (and probably should) wait since obviously they're still investigating that. Honestly this should be common sense for any business that interacts with users' sensitive data. Such a statement can be worded and disseminated in such a way that consumer panic and overreaction can be (mostly) avoided. Valve's five-day silence, aside from that lame response to Kotaku, just incited more panic and outrage, and that is 100% the fault of Gabe Newell's company. It just shows that Valve doesn't seem to care as much as they should, at least in the eyes of folks on the outside.

For now, I will still do business with Steam, since I believe Valve (and their partners) can learn from this and get better in the future. They'd better learn quick. Sometimes it damn near becomes necessary to whack a company on the head with a baseball bat to get them to wake up. Steam should have had competent customer service in place at least 5 years ago...that should have been a high priority the instant it became clear that Steam was blowing up into a very popular service.

I also hope that CD Projekt (GOG), EA (Origin), Ubisoft (Uplay), Blizzard (Battle.net) and others have paid attention to this mess, and have done or will do internal reviews to see if their own response protocols are acceptable along with those of their partners, in case they're faced with similar problems in the future. Be proactive.

I think that a LOT of tech companies, obviously including Valve, need a lot of improvement in the customer service, PR and general "soft skills" departments. They seem to be out-of-touch with the feelings of the average consumer. They spend too much time in their bubble. There are likely some cultural issues involved in some of those places.

I can think of a few companies that could seriously compete with Valve and Steam (and become highly competitive quickly) if they really wanted to and really tried.
 

inky

Member
Wasn't that hard now, was it Valve.

Still not convinced on the timeline :p It felt longer than that
 
I don't think it's a cultural issue. For a lot of major consumer facing tech companies, a huge portion (sometimes larger than engineering) of their employees ARE customer service and support.

The thing is, there's always more customers by orders of magnitude than there are people to handle their issues. I know at least at my company, customers are ranked by tiers which determine how quickly they're helped or how around the clock help is available for them, and system wide issues are handled by the relevant engineer leads/teams.

I would wager Valve's somewhat shitty customer service isn't a result of them not taking it seriously, but more that they prioritize more to developers than consumers (this is purely speculation)
 

FyreWulff

Member
lol valve only did this after getting their arm twisted. still ain't shit

I would wager Valve's somewhat shitty customer service isn't a result of them not taking it seriously, but more that they prioritize more to developers than consumers (this is purely speculation)

I don't doubt some people at Valve are serious, but companies smaller than them have better customer service because they don't have such a severe case of NIH syndrome that they don't hire a CS company to handle their tier 1 support cases quickly and effectively.
 

Kiant

Member
To be honest, I think people would have been willing to give them 5 days (irrespective of what the professionally appropriate timeframe was) if their initial response wasn't so tone-deaf.

Exactly. Ideally how the situation should have been handled is with a small statement, apologising for the inconvenience and issues within the first 24hrs. With a note of a further, more detailed statement incoming after an investigation into the issue.

Possibly sending emails to customers affected too, but with the DDOS it might have delayed that somewhat.

Taking the 5 days overall for an investigation is a pretty quick turnaround tbh.
 
Of course I checked my details immediately after I've learned what happened and cached my shit.

I do wonder if this reaction is part of the reason they were initially vague. If a caching error was the issue, telling people that personal info might have been leaked would have instantly caused people to attempt to check and change it, which would have inevitably exacerbated the issue/exposed more people's info to it.

And then assuming they had flushed those caches/removed caching, it would have then caused requests to take extra long, as a result of heightened traffic combined with no caching, further worrying people.

But I'm probably just giving them too much credit.

Well Valve finally released a statement. They went from unacceptable silence to bare minimum.

How so? This is a fairly thorough explanation of the problem and how it was solved. How is this just the bare minimum?
 
It's an answer at least.. one that was easy to deduce but it's nice to have a confirmation.

I do echo the sentiments that they could have handled the communication of this issue MUCH MUCH better than they did.
But considering I didn't log in on Steam that day, I'm alright.. for me this incident is over.
I do wonder how they will contact the persons affected.. this is yet another opportunity valve shouldn't miss.

All things considered, considering the amount of traffic and their cache configuration 90 minutes to identify and fix the issue is fast

Edit: my bad, misread the OP, they did shut down the store.. ok then
 

TheMan

Member
A statement? Great! Thanks for your heartfelt, personal apology valve! Can gaffers now stop bitching about an incident that led to no harm to anyone anywhere?
 

L Thammy

Member
So, reading this thread, it's a lot of trouble for Valve employees to come into work in the Christmas season. They should probably pause the Winter sale thing then.

A statement? Great! Thanks for your heartfelt, personal apology valve! Can gaffers now stop bitching about an incident that led to no harm to anyone anywhere?

This first and second half of this post seem like they're making fun of totally different people.
 
This itself is a problem, though. When you run a major service-provider company, especially one that does abnormally huge holiday traffic, you staff a full complement of relevant positions on the holidays.

That is not how real-world web companies work. Normally, you have dedicated operations engineers on call, sometimes a set of backup on-call engineers (who do not expect to be paged) and escalation do on-calls, and all engineers on-call sit home and deal with emergencies remotely. I don't think people authorized making public statements, especially relating to the partner companies, are ever on call.
 

L Thammy

Member
I don't think it's a cultural issue. For a lot of major consumer facing tech companies, a huge portion (sometimes larger than engineering) of their employees ARE customer service and support.

The thing is, there's always more customers by orders of magnitude than there are people to handle their issues. I know at least at my company, customers are ranked by tiers which determine how quickly they're helped or how around the clock help is available for them, and system wide issues are handled by the relevant engineer leads/teams.

I would wager Valve's somewhat shitty customer service isn't a result of them not taking it seriously, but more that they prioritize more to developers than consumers (this is purely speculation)

Nah, Valve's customer service problems are directly related to their hiring practices. They're trying to run themselves more like a tech start-up than an established service with millions of users. Customer service on that scale needs a dedicated department.
 
How so? This is a fairly thorough explanation of the problem and how it was solved. How is this just the bare minimum?

I'll direct you to the post I made in the other thread about this:

What Valve needs to do, the barest of bare minimums:
-Email all customers who were involved in the security issues.
-Issue a public email or bulletin to all Steam users about the issue and what it entailed.
-Contact every game news outlet and give them the same information, and answer all follow up questions from journalists about the issue.

What Valve should do if they were run like an actual professional company:
-Issue an apology.
-Offer affected users some sort of protection plan similar to the one offered by Target during their breach.
-Open a tech support communication venue, hosted separate from Steam, that communicates constantly about even small downtime issues. Start a Twitter/Tumblr/Facebook page for this task as well.
-Massively scale up their tech support team.

Though I do note Valve did apologize, so that's nice. But Valve runs Steam as if they don't have to do basically anything except whatever they think is fun. That needs to change. They're a big boy now.
 
How is 5 days too long for some people? Do you expect a response as it's going on and they're figuring out wtf happened?
Er, yes. When something like this happens there should be an acknowledgment immediately followed by very frequent updates on the situation and what we should do or not do until it has all been figured out.
 

phaonaut

Member
So you had to visit your account page to be affected? I wonder how many were affected just because they wanted to see if there was a problem.
 

trinest

Member
Er, yes. When something like this happens there should be an acknowledgment immediately followed by very frequent updates on the situation and what we should do or not do until it has all been figured out.

Which did happen.

Via Kotaku.

Not my fault GAF has a hate boner for them.

Yes I agree that more could have been done, but the minimal was met. Plus it was Christmas. PR and Legal teams probably hard as fuck to get hold of?
 
34k users? Jesus, that's a lot.

Good to have a detailed statement though.

I'm not sure how they can know the actual number unless that's 100% of the users active during the issue. Unless they are actually logging details of every access which sounds like a privacy/safety issue to me.

I wasn't buying the Christmas day configuration change, but as a DOS mitigation change, it makes perfect sense.

It takes years to investigate a plane crash or a train collision.
5 days, many of them holidays, to investigate a network issue involving several independent systems is fine. People who think there is a problem with that are just showing their ignorance.
 
Which did happen.

Via Kotaku.

Not my fault GAF has a hate boner for them.

Yes I agree that more could have been done, but the minimal was met. Plus it was Christmas. PR and Legal teams probably hard as fuck to get hold of?

Valve didn't even put the statement on their own website, just one for Kotaku when prodded for a statement. The statement was also inaccurate and contained almost no useful information for affected users.

It did not meet the minimum requirements for a statement about a security breach.

If your service is open on Christmas, so is your security and security PR team.
 
I'm not sure how they can know the actual number unless that's 100% of the users active during the issue. Unless they are actually logging details of every access which sounds like a privacy/safety issue to me.

Not necessarily. They could easily just be logging how many cache hits/misses there are for people checking account details, which they would have had to be logging to determine their cache expiration time anyway (unless they just picked a random time that seemed good). That wouldn't require any user-specific information
 