Steam bug causing user account information to appear to other customers [Update: Valve responds]
It's as bad as a bug can get. Attempting to access user info is causing other people's account information to pop up, including their buying history and Wallet information.
It's Christmas Day and while people were watching Xbox Live and PlayStation Network for any possible issues, it appears that the biggest problem today is with Steam. It's coming in the form of a bug and quite a nasty one.
It's been reported on Reddit, as well as from our own Chatty community, that attempting to log into Steam and access account information will cause the account information for a different user to pop up. This is allowing people to see other customers' account information, buying history, Wallets, and even credit card numbers (albeit blocked out).
An official cause has not been issued, but speculation (including from the diligent Valve followers at Steam Database) is pointing to a caching issue gone horribly wrong.
By the way, this is not a security breach. This is page caching gone rogue. Most likely not respecting Cache-Control headers.
— Steam Database (@SteamDB) December 25, 2015
Logins have been disabled for the time being, but the damage is already being done. Shacknews is reaching out to Valve for comment and any additional instructions, but in the meantime, users are advised to brace for the worst. If you have not visited Steam today, do NOT visit Steam until this is all sorted, or else you could be caught in the caching web.
Update (2:33PM PT): There is more speculation coming in from the community-run, unofficial site Steam Database, offering further insight into what might have happened with the rogue caching issue. More importantly, the site is offering sound advice on unlinking your PayPal information from your Steam account, if absolutely necessary. There is still no official word from Valve at this time, but Shacknews will continue monitoring this situation.
Update (3:40PM PT): There is a sense of cautious optimism that the issue has been resolved, with no issues indicated on the unofficial Steam Database. However, there is still no official statement from Valve regarding this issue, so be careful out there.
Update (5:33PM PT): Valve has issued the following statement to Shacknews:
Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.
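A generic illustration of the failure mode named in the SteamDB tweet and in Valve's statement, a shared cache storing pages generated for one user and serving them to another. This is an added example, not Valve's code or configuration; the origin, the cache class, the paths and the users alice and bob are hypothetical.

```python
# Added illustration: a toy shared cache in front of an origin server.
# All names (origin, SharedCache, alice, bob) are hypothetical.

FORBID = {"private", "no-store", "no-cache"}   # never serve these from a shared cache here
ALLOW = {"public", "max-age", "s-maxage"}      # explicit permission to store

def origin(path, session_user):
    """Render a response; per-user pages are marked non-shareable."""
    if path == "/account/":
        return {"headers": {"Cache-Control": "private, no-store"},
                "body": f"Account page for {session_user}"}
    return {"headers": {"Cache-Control": "public, max-age=60"},
            "body": "Store front page"}

def is_shareable(headers):
    """Conservative check: store only with explicit permission and no forbidding directive."""
    names = {d.strip().split("=")[0].lower()
             for d in headers.get("Cache-Control", "").split(",")}
    return not (names & FORBID) and bool(names & ALLOW)

class SharedCache:
    def __init__(self, respect_cache_control):
        self.respect = respect_cache_control
        self.store = {}  # keyed by URL path only, with no notion of who asked

    def get(self, path, session_user):
        if path in self.store:
            return self.store[path]["body"]
        resp = origin(path, session_user)
        if not self.respect or is_shareable(resp["headers"]):
            self.store[path] = resp
        return resp["body"]

def replay(respect_cache_control):
    """Send the same constructed request sequence through a fresh cache."""
    cache = SharedCache(respect_cache_control)
    requests = [("/", "alice"), ("/account/", "alice"), ("/", "bob"), ("/account/", "bob")]
    return [(user, path, cache.get(path, user)) for path, user in requests]

def leaked(results):
    """Return (viewer, path) pairs where the viewer received another user's page."""
    return [(user, path) for user, path, body in results
            if path == "/account/" and not body.endswith(user)]

if __name__ == "__main__":
    print("ignoring Cache-Control:", leaked(replay(False)))
    print("honouring Cache-Control:", leaked(replay(True)))
```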
-
Ozzie Mejia posted a new article, Steam bug causing user account information to appear to other customers
-
i'm getting random shit in steam: http://chattypics.com/files/Screenshotfrom20151225130339_y4n8nnzom2.png
logging in seems to be disabled now.
-
and now i'm looking at someone else's /account/ page.
http://chattypics.com/files/Screenshotfrom20151225130738_zk7wefg3ji.png (yep, that's their paypal email account that i blurred out there) clicked on purchase history... and i got someone else's account: http://chattypics.com/files/Screenshotfrom20151225130806_hpedk1b9go.png
valve, you dun goofed.
-
Not sure, but don't unlink. That sounds unwise.
https://twitter.com/SteamDB/status/680497713885102082
-
Won't really know until Valve says what happened. Just hang on to your butts 'til they say it's a-ok, then change your password.
They ought to have database backups if anything fucked up happens and should be able to put things right for anyone that didn't make a purchase while the bad things were happening.
-
The Valve statement to Shack:
Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.
-
Realistically, yeah, probably. All they'd get would be your email address, last 4 of credit card and whether or not you have steam guard enabled. They shouldn't be transmitting anything to the client that is sensitive information after it's been secured on their side. All credit card transactions are done with tokens and the actual credit card information would be stored on servers that aren't directly accessible from the server you'd get your account details from.
Assuming they're not insane.
-
No direct link, but will you accept the email reply I was sent?
http://chattypics.com/files/iPhoneUpload_qw9viqtk78.jpg
-
I still play the games I bought in the past (haven't logged in today though because I repurchased the id stuff off GoG today and been having a blast with it) because yeah, I paid for them. As long as I have an internet connection I can be reasonably sure I can access that content.
But future purchases are going to GoG, if GoG doesn't have it I'll play more Dwarf Fortress.
-
Is there really a viable alternative though? I mean a lot of games bought retail require you to have a steam account to play, it seems to be the preferred method of DRM right now.
They hold the monopoly but if they didn't, someone else would take over and I don't really trust any of the potential candidates. I like GOG and it looks like they handled Witcher 3 well, but I can't see DRM-free being acceptable for new releases across the industry anytime soon.
-
Like I said, I have a pretty decent library and I'll continue to play those games for obvious reasons. I'm just not buying anything else and haven't for months now.
I don't think DRM-free is going to happen industry wide, pipe dream and all that, but it feels good supporting GoG at every opportunity because I feel like they truly love PC gaming and aren't out to make money over enjoying good games, DRM free. I feel like they truly provide a product, a real product. Steam makes me feel like I'm playing PC games on Netflix. Once the service (Netflix) goes, so does my ability to play the games I 'bought'.
-
Steam is run by a company that:
- Rarely fucks up
- Is quick to rectify it if they do.
- Doesn't dig its feet in when it makes a bad decision (paid mods)
- Almost single-handedly saved PC gaming.
- Heralded the beginning of digital distribution
- Resurrected the PC indie scene
- Has driven the price of PC games down.
Steam IS the greatest thing to happen to PC gaming.
-
It's definitely a legitimate mistake. The real test will be how they follow it up. I've received emails from many other sites when the only "personal" information that was compromised might have been an email address.
In this case it could have been email address, full name, full address, credit card last 4, phone last 4, and steam guard participation. That's not a small amount of stuff.
If valve goes out of their way to communicate this to their users, then good. If they just sit back and hope it blows over or hope the media covers it and the one response they have on their forums is good enough, then they fucked up big time. Your dad who was adding his info to register the game you just bought him isn't going to know to go check forums or some gaming websites to find out why something was weird for a few minutes. He'd likely not even know anything was wrong other than "something was weird but now it's working".
So yeah, if Valve doesn't address this publicly and doesn't inform the users that could have been affected by it, that'll be pretty telling about their security policies.
-
Lol if this were Origin people would be out-hyperbolizing each other to come up with the sickest burns on EA while furiously reading Wikipedia's legal section to see what class action they could start via online petition for upvotes on reddit. But it's Steam and Le Gaben King so it's fine. Just some personal info. If I did this I think I'd end up in front of a grievance panel
-