Steam Hacked?


Dankk

Diamond Member
Jul 7, 2008
5,558
25
91
Statement from Valve: http://www.gamespot.com/articles/steam-issue-allowing-access-to-other-users-account/1100-6433371/

"Steam is back up and running without any known issues," a Valve spokesperson told GameSpot. "As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users."
 

ShintaiDK

Lifer
Apr 22, 2012
20,378
145
106
It's a regular working day for many people. That's something a lot of people tend to forget. It's not like society stops due to a holiday.
 

jpiniero

Lifer
Oct 1, 2010
14,590
5,213
136
> It's a regular working day for many people. That's something a lot of people tend to forget. It's not like society stops due to a holiday.

I'm sure there were a lot of people at Valve who took it off, but that's not the problem... the problem is that Christmas Day is probably Steam's busiest day of the entire year. Making major changes like this that could screw things up on their busiest day is a really bad idea.

Nevermind the whole private information exposed problem...
 

ShintaiDK

Lifer
Apr 22, 2012
20,378
145
106
The change may have been done due to excessive pressure on the site. So something had to be done.
 

PrincessFrosty

Platinum Member
Feb 13, 2008
2,301
68
91
www.frostyhacks.blogspot.com

They've massively downplayed this, as you can tell from the language in the statement. The fact is that full email addresses, names, and the last 4 digits of your credit card were available for the world to see.

One of the first issues I see with this is that the last 4 digits of your credit card are used in many places across the web as a form of authenticating who you are if you wish to reset access to online accounts; in fact, in Steam's own account reset procedure you have to tell them pieces of information such as:

The title and date you bought a game.
The last 4 digits of the card you used for purchase.

Essentially you could use this information to reset a Steam account of someone who was exposed, and because you have their email you can check a number of other services, such as Apple, Amazon, etc., and attempt the same things.

The fact that this has been downplayed is absolutely diabolical by Valve, they haven't taken this seriously at all.
 

ronbo613

Golden Member
Jan 9, 2010
1,237
45
91
During the last holiday Steam sale, I bought a bunch of games and did not receive most of the games. Very long story short: Steam customer support was super difficult to deal with and I had to get my money back through my credit card company. Since that experience, I will never trust Steam again.

I will never leave financial information, like credit card/Paypal info on my Steam account. Email is an account made strictly to deal with Steam. To me, Steam is a gamble; I never put more money into it than I am willing to lose. When situations like this come up, all I can lose is a couple games and nobody is going to get much out of a PO Box.

When one corporation or company controls everything, that makes me nervous.
 
Feb 4, 2009
34,563
15,777
136
> During the last holiday Steam sale, I bought a bunch of games and did not receive most of the games. Very long story short: Steam customer support was super difficult to deal with and I had to get my money back through my credit card company. Since that experience, I will never trust Steam again.
>
> I will never leave financial information, like credit card/Paypal info on my Steam account. Email is an account made strictly to deal with Steam. To me, Steam is a gamble; I never put more money into it than I am willing to lose. When situations like this come up, all I can lose is a couple games and nobody is going to get much out of a PO Box.
>
> When one corporation or company controls everything, that makes me nervous.

What were you doing? I can't imagine it was a straight up sale and the games didn't appear and you were charged. There has to be more to this tale.
 

ronbo613

Golden Member
Jan 9, 2010
1,237
45
91
> What were you doing? I can't imagine it was a straight up sale and the games didn't appear and you were charged. There has to be more to this tale.

Bought a third party game, DCS World (no longer on Steam), a flight sim. Pretty expensive as games go. Bought about $100 worth of aircraft modules, none of which would work in the Steam-installed game. No refunds. After a couple complaints to Steam support without a single response, access to my account and all my other games was denied. No access to my account, no response from Steam until I got an email about a month later stating my Paypal account was banned from Steam. I'm not a hacker or even a "hardcore" gamer, this was my first experience with Steam. Disputed the charges and got the money back.

I don't really know what happened, but not responding to a support request about it, not even a canned response, is strike one, two and three in my book. Of course they did not need to respond since they already had my money.

So what happened? I have no clue. Maybe I'm the one in a million, but I learned that if Steam decides to suspend you, deny access or sell your personal information, there isn't a damn thing you can do about it.
 

Artorias

Platinum Member
Feb 8, 2014
2,111
1,381
136
> They've massively downplayed this, as you can tell from the language in the statement. The fact is that full email addresses, names, and the last 4 digits of your credit card were available for the world to see.
>
> One of the first issues I see with this is that the last 4 digits of your credit card are used in many places across the web as a form of authenticating who you are if you wish to reset access to online accounts; in fact, in Steam's own account reset procedure you have to tell them pieces of information such as:
>
> The title and date you bought a game.
> The last 4 digits of the card you used for purchase.
>
> Essentially you could use this information to reset a Steam account of someone who was exposed, and because you have their email you can check a number of other services, such as Apple, Amazon, etc., and attempt the same things.
>
> The fact that this has been downplayed is absolutely diabolical by Valve, they haven't taken this seriously at all.

Typical Valve response, this whole thing is going to get swept under the rug. All those people working there are so oblivious, out of touch and blinded by their arrogance they think actual customer relations is pointless. How sad is it that we were kept up to date on what this was by SteamDB who are community members not at all affiliated with Valve.

Here is a pretty good response from TotalBiscuit.

People defending them are doing so through ignorance. Here are the facts, based on Valve's only statement they made through Gamespot. Some people are claiming they did the best they could. This is incorrect since they have expressly stated it was not a hack, it was a caching issue, a caching issue which they caused. They did not do "everything they could" because they should have never caused the problem in the first place. This happened because of Valve's negligence and Valve owes, if not a legal duty, a moral duty of care to its userbase which includes not making their personal information available to random people on the internet. Make no mistake, what happened, based on all the information we have so far which includes a statement from Valve themselves, was Valve's fault, it had nothing to do with any kind of external attack.

Some are arguing that it is not a big deal. If you do not think that giving out personal details of users which includes their real name, home address, email address as well as incomplete credit card and phone numbers (which can be used to assist in identity theft via social engineering), to random people on the internet is not a big deal, then I'm not sure which planet you are living on. The "it's in a phonebook anyway" argument is phony. You need certain information to look people up in a phonebook and what is this, 1985? A bunch of people aren't listed in phonebooks anymore, you can't look up my mobile phone number or get my address from a phonebook because it isn't there. The age of landlines is long gone. Even if that were the case, there is a clear difference between going out of your way to find someone's personal information and being handed it on a silver platter. Companies aren't supposed to be giving out people's personal information, period.

What's the harm, you might ask. What's the harm in doxxing? Do I really need to answer that? Perhaps I'm a little more sensitive to it than most would because I've had friends with automatic weapons pointed at their heads because they got swatted, or at the mercy of endless real life harassment, blackmail threats and much more because their personal information got out online. Claiming it is not as bad as PSN's hack where full credit card information was stolen, while true, is like saying "well it's ok because it was just a regular bomb, not nuclear". Bad stuff is not binary, there is not merely one state of "bad". What Valve did was bad. What level of bad is quite frankly not relevant to the discussion. Did Valve break any laws? I am not a lawyer, dunno, though my limited knowledge of the Data Protection Act in the UK indicates they might have. That's a topic for real lawyers. The concept at play would probably be tort and determining whether through their own negligence, Valve caused potential harm to the users it had a duty of care to.

Will be interesting to see how that shakes out over the next few days. There is a key difference between user data exposed through a hack and user data exposed due to Valve's own mistake. It's totally fair to be mad at companies that lose your data through a hack. They should have done a better job protecting your data. However it's also worth considering that they were attacked and no form of security is 100% bulletproof. You don't have to condone a company in that position but you can at least have a certain degree of sympathy that they were also the victim of a crime. In this case, Valve doesn't have this defense. They were not the victim of a crime, they were the perpetrator of a negligent act which has the potential to put some of its users in harm's way. Hopefully that clears up some of the misconceptions surrounding this situation and clearly explains why it is entirely ok to be upset about it.
 

ImpulsE69

Lifer
Jan 8, 2010
14,946
1,077
126
> Typical Valve response, this whole thing is going to get swept under the rug. All those people working there are so oblivious, out of touch and blinded by their arrogance they think actual customer relations is pointless. How sad is it that we were kept up to date on what this was by SteamDB who are community members not at all affiliated with Valve.
>
> Here is a pretty good response from TotalBiscuit.

Uh..does he forget who his fans are? The same people who don't care that they post 24 hours a day what and where they are even if they are robbing a store or beating up old people. This will have almost zero fallout because no one cares.

Welcome to the cloud.
 

DeathReborn

Platinum Member
Oct 11, 2005
2,746
741
136
Just logged back into steam today and my Steam Guard was deactivated, no other suspicious activity on the account though.

TotalBiscuit is not wrong, Valve have breached at least 4 sections of the UK Data Protection Act making them liable for up to £5,000 per individual breach if investigated and found guilty. Most recent statistics put it at 53% of cases convicted, average fine £450 per breach.
 

Imp

Lifer
Feb 8, 2000
18,829
184
106
I was doing something else and missed the drama yesterday. Wow... Good thing I didn't save my credit card, but my email and cell are probably in the wild now.