It seems to be caching snafu
Going to https://store.steampowered.com/checkout/?purchasetype=updatebillinginfo will give you the address and details of a random steam user.
Video game marketplace Steam is leaking people's personal information – including their payment details and billing addresses – to strangers. Gamers browsing the online store have found themselves logged into other people's accounts, revealing strangers' profile settings and other sensitive details, such as addresses, PayPal …
“I hope they have cached up on legal insurance, because lawyers need to hit this one hard."
Yes of course, the answer to all of life's problems is a lawyer isn't it. Please get some perspective, it's a minor privacy breach not someone taking nude pictures of you unawares in your bathroom and posting them online.
"Hey I didn't say it was right did I, it still sucks and shouldn't happen. Like I said though, perspective..."
No, I just think your perspective and those of many others, is distorted. This isn't minor, the details which were leaked are very sensitive in the wrong hands. Details such as name, address, email, last four credit card numbers and recent purchase history are more than enough to commit fraud or phishing attacks.
It was also hugely inconvenient, like many people who logged on during that period and discovered they were looking at another persons account I immediately called my bank and cancelled my card. There was no information from Steam about what was happening and I wasn't going to risk some stranger racking up purchases on my account* - even if they might have been refunded later. So now I'm without access to my current account for the next few days until a replacement card arrives, during the holiday season ...
* Yes, it would seem that this wasn't likely to occur now that the cause of the problem has been revealed (albeit not directly by Steam in a message to their customers), however it was impossible to know that at the time.
the payment screen when you buy a game through steam the same as I do
Fill in name, yupp, address,. yupp... phone number? nope dont get that one, CC number... then notice the box underneath that says "Save CC info? " with its little tick box.
And you untick that box, and you untick that box because Valve is a big company and fekking useless at security just like everyone else on the internet.
And even if you save CC info, whats wrong with having a debit card from the bank as well and only ever use the CC for on-line purchases... that way, if the company disappears between you buying and the stuff not arriving, at least you can call the CC company and cancel the payment.
Gawd help us if you ever have to deal with a real crisis.... it'll be 'pull all the breakers and cut the cables because the amber light on the power supply board has gone out" only to find out the bulb has blown...
I used Bing to find the store pages for two games, and logging on to the them, I found myself logged on, simultaneously, to the Steam accounts of two different people. I accessed their "Account Details" pages and could have gone further than that but I did not actually do so. I would imagine any other search engine would have gotten me the same results.
It made me wonder if someone was logged on to my account but I wasn't able to access it. Although, as I write this, Steam is off-line entirely, I will have to check on that when they're up again, to see if anything has been changed. Steam only has my Paypal account; pretty sure that that doesn't get them any credit card info...
Whatever shitty webpages Steam creates and sets to "public" when a new account is created were set to "private" by me a long time ago. Although I once had to (temporarily) set a few to "public" to do some trading, those too were reset to "private".
Did that provide me with any protection, I wonder?...
If it was a caching issue, then most likely you would have been safe - you should worry if you saw your page ( as that would be cached and displayed to everybody for the next few minutes* until the cache expired )
* depending on the cache ttl, or what triggers flushing the cache
I never really understood "save payment details" options (and why it's checked by default). It's like the merchants want the trouble of maintaining a database every hacker was after (Amazon, you better don't snooze). Same with regard to other personal info that's not required to complete one time payment.
Bunch of hoarders.
Well, if they don't include that check box by default, they can get in serious trouble with their credit card processing company.
Last time I was involved with it (which was over 10 years ago) you had to destroy the information no more than 60 days after the transaction was completed (including you receiving the money). I don't imagine that number has gone up. If you have a cockup like this, it's only bad PR and sodding users you piss off. If you don't have that check box you'll get your credit processing dropped immediately. That's some serious bad karma.
"Where is Gordon Freeman when you need to break something?"
In beta, possibly. In the link given by Mr Flibble, https://steamdb.info/blog/recent-caching-issues-on-steam/ , we read the following entry in the comments:
"A month ago or so HL3's existence on steam in beta was leaked https://steamdb.info/sub/66300/ " (but there is a following comment disputing its authenticity.)
I can only imagine some gentile wort in marketing absolutely had to have some new ridiculous doohickey on the site and it absolutely had to be done on Christmas Day because it was super serial. So some poor sap somewhere rolls it in because "it's not impacting" so demands the marketing director who is well known for his knowledge in such thing and he's very busy stomping his big clown feet. Probably some intern getting chewed out right now.
Only saying because it's the kind of dumb shit my company does. Mmmmyuugg "it's just a minor CMS change"
We all know IT 'Professionals' with MCSE's,Netware (remember how important that one was back then?), Cisco etc etc certs that are completely useless because reality isn't always covered in Microsoft's KB's. Business owner's sons who didn't know dick about IT yet got paid for it and my all time favorite: The Office IT Guru Who_Installed_Office_That_One_Time...
IT has been and will increasingly become a commodity with increasing Great Ideas That Are Horribly Bad decisions as a result.
Frankly, I can't understand why a should install of those crappy software - and give it all those personal details - just to install and play a damned game. I'm very sorry they put their greedy fingers on FSX also - guess it's better to pay for Prepar3D and avoid all that useless Steam cloudy toxic vapor on my machine...
Being a Valve customer for 10+ years - although not a massively heavy gamer - I can probably say the reason this is being brushed off is because:
Valve are a good company. They were first to market with digital-distribution and have provided a very good, non-intrusive service with few hickups. Add to that they also seem to want to make good games/software rather than just be profitable - Portal etc. is awesome, but cheap. There are few software companies I trust to take pride in their software, but Valve is one of them. If you've ever dealt with setting up a Source Dedicated Server on Linux, the process is seamless - again a credit Valve.
While yes, this lapse sucks, it happens and will happen again, to Valve and almost every other company that runs long-term. What matters is not what happened, but how Valve responded to it. They took the service down, identified the cause, provided a fix.
The measures they've already taken have protected my card details (excl. the last 4 digits), so I'm not too worried about that - I'll probably get a new card ordered to be safe. I don't like the idea that someone could have my address, but if anyone does, it's a random gamer who's probably more pissed at not being able to play his games than interested in me. It's certainly not some malicious hacker group about to release it on the net. Ultimately, this is small scale compared to the Sony hack etc. where having your details exposed meant you were actually the victim of a targeted attack by a malicious group.
Ummm....you SHOULD be worried. Ever see a credit check? It contains YOUR credit card numbers EXCEPT for the last 4. Now the if the hacker gets the credit report (which is super easy to do), it won't take them long to figure out the whole number, Since a lot of places to not verify the CV code, or someone makes a credit card up, then this will affect you!
You should change the card. I deleted mine after the first time mine was stolen - I do not recall checking to save the data but apparently, Valve still had it,
I also recently discovered that Facebook keeps ALL of your old passwords. Try logging in with an old password and they let you know it is an old one and to please enter the current password.
"Ummm....you SHOULD be worried."
Yes, if this had been a hack by malicious people and my card number and address were splattered all over the Internet, but it wasn't, there were no hackers/malicious persons involved.
It was a system balls up, which means if someone out there was lucky enough to be issued the same session ID which matched my cached session ID, they *may* have seen my address. This is a very low possibility, and even if they did, they're more than likely just going to whine to Valve about it, since they loaded Steam to play a game, not steal identities. So no, not too worried.
And I did say: "I'll probably get a new card ordered to be safe." - but this to me is purely a precautionary measure, I don't feel it's a requirement given the conditions around the bug.
Really? - there were threads full of screenshots on 4chan showing peoples details, several people actually sent texts or emails to people just to get a reaction.
Just because it wasn't a hack doesn't mean that they didn't just spew personally identifiable information all over the net
"Just because it wasn't a hack doesn't mean that they didn't just spew personally identifiable information all over the net"
I'll go back to the numbers again. Yes, some Valve customers may be associated with hacker groups. I'd be even less lucky if my details ended up with one of them, which is even less likely than a random gamer seeing my details. So no, still not too worried. (I have ordered a new card now anyway).
These idiots posting to 4chan are your usual Anonymous idiots, stupid adolescent males looking for attention who haven't considered Valve very likely can correlate the cached session data with the current session data, and determine which users had access to which accounts. I imagine this will be the first thing done if a customer complains of fraudulent activity to Valve off the back of this.
So if a few 4chan users manage to get themselves banned from Steam and arrested for leaking personal details, then at least some good has come from this. :-)
Being a Valve customer for 10+ years - although not a massively heavy gamer - I can probably say the reason this is being brushed off is because: ...
A very complacent attitude, particularly in the light of statements such as "Valve have proven multiple times that they’re unable to keep their security standards to a high level." [https://steamdb.info/blog/recent-caching-issues-on-steam/ ]
If this really is down to a caching issue then I suspect some other project (open source?) has just gained a security headache...
My point was, the PSN hack, no card details were accessed (not that this is that clear due to the rabid fill in the blanks with made up info reporting). It's also very likely no actual customer data was accessed either, as nothing has ever appeared online. The problem Sony had was they had no way to prove customers data wasnt taken (due to insufficient logging) and had to therefore paint a worst case picture on advice of their lawyers (downplaying and it coming to light it was worse would have been a litigation nightmare). Sadly the media crucified them for this. It was headline news on BBC for a month. No doubt due to Microsoft fueling the fire and benefitting from the Sony backlash.
This stream issue (whilst not a hack) affects REAL people , over 10m, and REAL payment details and yet didn't even get picked up by the mainstream press at all. Not even the BBC tech page, which has loads of non stories.
Makes you wonder if the whole Industry is on payola
So my Wife was out shopping yesterday with my girls and she used a new card when out
At the same time wingman and I were gorging on Borderlands and yes I ignored the phone when it rang, but we picked up the message from Santander's fraud department. Somebody had been shopping at Argos on-line with our card details.
The cogs start whirring as we go through purchases with the bank and where those purchases were made, Tesco, Aldi, Lidl, Argos, Tesco pay at pump and Tesco's cash machine, whilst wondering where the hell the details were got from. Home PC and network is way more secure than TalkTalk.
So fraudster, yesterday at Argos spends £24 £60 £150 gone through then we're told by Santander that they'll be cancelled paperwork in the post then a few for £350-£400 all declined, as luckily new card was actioned during their shopping spree.
New card was unadulterated in the envelope & been sat for a week or so (old one expires Jan 2016)
I call the police in town to see if there have been reports of a skimming device in the town (Cupar) and blank drawn here.
Roll through with Santander what was bought by us and where, nobody behind me in Argos or Tesco or Lidl or Aldi & yeah I even went out for a look at the petrol pump and the ATM at Tesco.
Then I read about the Steam issues and sure enough last Steam purchase in November was on this card & from what I've seen everything they fraudster needed was slurped up by steam during the snafu, to facilitate an online purchase and account creation on Argos's web-site.
Santander have duly been informed of this & we await the outcome
so putting 2 & 2 together & with two other accounts and cards completely unadulterated (hence figuring network not hacked or slurped) It is nice to know Valve and Steam hold enough info for somebody to use my card to buy stuff on my ££, they did kindly wipe all payment info from my account, but somebody still got it though.
I've never quite trusted them with my card details. I've always entered my details every time, never saving them “to save time next time”, and this vindicates my cautious approach here: stuff the convenience when there's too much risk involved.
Kind of kicking myself over that.....
However annoying this was it is good to know that Valve shut it down and sorted it out quickly, just unlucky for me some tosser got the full card details then thought about using them for a few days and then tried it on
If they'd done it Xmas day we probably wouldn't have found out untill it was to bloody late!
Silver lining and all that
The hardest part will be getting an acknowledgement from Steam/Valve about it al
Wait, are you saying that the last time you went to the Steam account page which bore your credit card number was in NOVEMBER?
That seems to be an AWFULLY long time for Steam to have cached your purchase page, for it to then be served to a random on 25th December. You sure you didn't buy any meals at a restaurant or allow your card out of your hand card since then?
No card has not been out my or my wife's hand at all
Given the timescale it all points to steam
Unless Argos retail, Tesco retail,Aldi or Lidl have been hacked
Which is highly unlikely and the fact they waited until the 27'th to use the details makes me think they had a conscience but the lure was to much to try their luck.
I did try local Police re a card skimming device and no dice there.
Not a home hack as PayPal and the bank accounts are all untouched
So we're back to steam and yeah the card was on there last transaction Nov 14'th for a Star Wars game for my son.
I've been in and wiped just eat as well today and they had expired cards on file...
Here's the official statement - unless you made a purchase and enterted your details on Steam during the timeframe of the incident, no details, period, would have been leaked. And even then, the details would have been minimal at worst.
"On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.
The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.
If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user."
My emphasis. Because that's how caching works.
Does that excuse the snafu? Nope. Does it mean it's likely Steam is the cause of your card fraud? No, to a laughable degree, no. Get the cops to actually check your local petrol station for skimming devices, rather than just asking them if they've had reports of them, because that's - worryingly - more likely to be the case.
It's also likely that they saw the Steam shenigans and thought "Hey, if we use those deets now, they'll blame in on Steam!". Or it could just be coincidence.
OK first up if it was a skimming device the account would have been emptied
Second had it been a home snafu they'd have got all the details from the 3 accounts plus our PayPal and probable access to the credit card as well all of which are unadulterated
As we went over everything with the bank for a 2 week purchasing period it was clear as to the the date the card had been slurped
It is not "laughable" as you put it
Local community police officer is a personal friend whom I've worked with for 6 years delivering local cycle training to primary school kids, so I called her and not the station.
Remember talk talk they talked shit about customer cards not being given up and it was bullshit
The fanboys with their pants around their ankles defending steam are laughable.
Bottom line is this steam can have an official line all they want whilst they know 34,000 customer details were viewed they have no idea to what degree this has been.
Santander's fraud team have confirmed that we are not the only clients of theirs in the UK that have the same problem pointing back to steam dozens was their word,
I've also been contracted by a couple of folks in the US via twitter who've had a similar issue.
Problem being nobody in the industry quite knows what they're getting ahold of and what they're using to "complete" card numbers if they don't get the whole thing, but a bit of code and a nice algorithm with get them what they need if they did not get the whole thing.
When it happened it felt like being burgled, but it became apparent it was an opportunity for someone not to refuse,not an issue on our part or a security slip.
My wife is a charge nurse so at work its locked in her office I currently work from home so that's out and then sadly most purchases are at Tesco, Aldi, Lidl or at Tesco or Morrison's gas stations if we eat out we pay cash.
So as much as Steam want to put out the PC We're doing all we can blah blah blah nobody was compromised bullshit I'm afraid I know differently as do TalkTalk's customer's
And as a footnote Argos's fraud team have also taken this on as they can track the purchse address etc etc and Santander's been super quick to refund the payments which if you're a phishing victim they are not quick to do at all.
I enjoyed not having to keep putting in disks to play my games by having them on Steam.BUT, Maybe it's time to go back to the old ways if steam isn't even going to let it's customers know when they are in danger from something Steam employees did. This is not a EULA matter, It is a case of sloppy security and can cost customers billions of dollars. I know if my credit is compromised, My attorney's will have a field day with Steam.
Biting the hand that feeds IT © 1998–2019