It seems to be caching snafu
Going to https://store.steampowered.com/checkout/?purchasetype=updatebillinginfo will give you the address and details of a random steam user.
Gaming souk Steam spews credit card, personal info in Xmas Day security meltdown
Video game marketplace Steam is leaking people's personal information – including their payment details and billing addresses – to strangers. Gamers browsing the online store have found themselves logged into other people's accounts, revealing strangers' profile settings and other sensitive details, such as addresses, PayPal …
-
-
-
Saturday 26th December 2015 12:15 GMT Martin Summers
“I hope they have cached up on legal insurance, because lawyers need to hit this one hard."
Yes of course, the answer to all of life's problems is a lawyer isn't it. Please get some perspective, it's a minor privacy breach not someone taking nude pictures of you unawares in your bathroom and posting them online.
-
-
-
Saturday 26th December 2015 23:43 GMT Anonymous Coward
"Hey I didn't say it was right did I, it still sucks and shouldn't happen. Like I said though, perspective..."
No, I just think your perspective and those of many others, is distorted. This isn't minor, the details which were leaked are very sensitive in the wrong hands. Details such as name, address, email, last four credit card numbers and recent purchase history are more than enough to commit fraud or phishing attacks.
It was also hugely inconvenient, like many people who logged on during that period and discovered they were looking at another persons account I immediately called my bank and cancelled my card. There was no information from Steam about what was happening and I wasn't going to risk some stranger racking up purchases on my account* - even if they might have been refunded later. So now I'm without access to my current account for the next few days until a replacement card arrives, during the holiday season ...
* Yes, it would seem that this wasn't likely to occur now that the cause of the problem has been revealed (albeit not directly by Steam in a message to their customers), however it was impossible to know that at the time.
-
Sunday 27th December 2015 00:54 GMT Boris the Cockroach
But you read
the payment screen when you buy a game through steam the same as I do
Fill in name, yupp, address,. yupp... phone number? nope dont get that one, CC number... then notice the box underneath that says "Save CC info? " with its little tick box.
And you untick that box, and you untick that box because Valve is a big company and fekking useless at security just like everyone else on the internet.
And even if you save CC info, whats wrong with having a debit card from the bank as well and only ever use the CC for on-line purchases... that way, if the company disappears between you buying and the stuff not arriving, at least you can call the CC company and cancel the payment.
Gawd help us if you ever have to deal with a real crisis.... it'll be 'pull all the breakers and cut the cables because the amber light on the power supply board has gone out" only to find out the bulb has blown...
-
-
-
-
-
-
Friday 25th December 2015 22:59 GMT Turtle
Or Log On To Other People's Steam Account Via Bing...
I used Bing to find the store pages for two games, and logging on to the them, I found myself logged on, simultaneously, to the Steam accounts of two different people. I accessed their "Account Details" pages and could have gone further than that but I did not actually do so. I would imagine any other search engine would have gotten me the same results.
It made me wonder if someone was logged on to my account but I wasn't able to access it. Although, as I write this, Steam is off-line entirely, I will have to check on that when they're up again, to see if anything has been changed. Steam only has my Paypal account; pretty sure that that doesn't get them any credit card info...
Whatever shitty webpages Steam creates and sets to "public" when a new account is created were set to "private" by me a long time ago. Although I once had to (temporarily) set a few to "public" to do some trading, those too were reset to "private".
Did that provide me with any protection, I wonder?...
-
Tuesday 29th December 2015 12:57 GMT Anonymous Coward
Re: Or Log On To Other People's Steam Account Via Bing...
If it was a caching issue, then most likely you would have been safe - you should worry if you saw your page ( as that would be cached and displayed to everybody for the next few minutes* until the cache expired )
* depending on the cache ttl, or what triggers flushing the cache
-
-
-
Saturday 26th December 2015 16:01 GMT joed
I never really understood "save payment details" options (and why it's checked by default). It's like the merchants want the trouble of maintaining a database every hacker was after (Amazon, you better don't snooze). Same with regard to other personal info that's not required to complete one time payment.
Bunch of hoarders.
-
Wednesday 13th January 2016 20:08 GMT Tom 13
Re: I never really understood "save payment details" options
Well, if they don't include that check box by default, they can get in serious trouble with their credit card processing company.
Last time I was involved with it (which was over 10 years ago) you had to destroy the information no more than 60 days after the transaction was completed (including you receiving the money). I don't imagine that number has gone up. If you have a cockup like this, it's only bad PR and sodding users you piss off. If you don't have that check box you'll get your credit processing dropped immediately. That's some serious bad karma.
-
-
Friday 25th December 2015 23:34 GMT Mr Flibble
SteamDB's view of what happened – they think that it was a cache problem. I've seen and heard enough to agree with that.
-
-
This post has been deleted by its author
-
Saturday 26th December 2015 00:04 GMT Turtle
In Beta, Possibly: "Where is Gordon Freeman...?"
"Where is Gordon Freeman when you need to break something?"
In beta, possibly. In the link given by Mr Flibble, https://steamdb.info/blog/recent-caching-issues-on-steam/ , we read the following entry in the comments:
"A month ago or so HL3's existence on steam in beta was leaked https://steamdb.info/sub/66300/ " (but there is a following comment disputing its authenticity.)
-
-
-
This post has been deleted by its author
-
Saturday 26th December 2015 04:11 GMT Anonymous Coward
I can only imagine
I can only imagine some gentile wort in marketing absolutely had to have some new ridiculous doohickey on the site and it absolutely had to be done on Christmas Day because it was super serial. So some poor sap somewhere rolls it in because "it's not impacting" so demands the marketing director who is well known for his knowledge in such thing and he's very busy stomping his big clown feet. Probably some intern getting chewed out right now.
Only saying because it's the kind of dumb shit my company does. Mmmmyuugg "it's just a minor CMS change"
-
-
Saturday 26th December 2015 19:56 GMT 404
Re: I can only imagine
Untrue statement.
We all know IT 'Professionals' with MCSE's,Netware (remember how important that one was back then?), Cisco etc etc certs that are completely useless because reality isn't always covered in Microsoft's KB's. Business owner's sons who didn't know dick about IT yet got paid for it and my all time favorite: The Office IT Guru Who_Installed_Office_That_One_Time...
IT has been and will increasingly become a commodity with increasing Great Ideas That Are Horribly Bad decisions as a result.
-
-
-
Biting the hand that feeds IT
