Just a heads up, Steam is beyond fucked right now, the store launches in different languages and it's logging you into other people's accounts where you can see random people's credit card and personal info.... I logged out after realizing this and can't even log back in. No official response from Valve on what the hell is going on yet but this is going to be very bad.
Steam is completely screwed up right now....
If you look at your account details in the Steam client, it isn't you anymore. In fact for me it's a different person every time I access it and I can see their entire purchase history and account details.
And it's not just me, the issue appears to be incredibly widespread:
http://www.neogaf.com/forum/showthread.php?t=1162196
https://www.reddit.com/r/Steam/comments/3y7le9/im_logged_in_as_someone_random_on_steam/
Beyond the exposure of personal details like CC info and emails to random strangers, since Steam recently introduced the ability to permanently remove games from your library this is an extremely frightening problem.
This looks to be a massive hack. I hope nobody has their CC info stored on Steam.
There doesn't appear to be much you can do to protect yourself atm, just watch your credit cards.
This looks to be the big one :(
It's most likely some bad server setting got put into production. Chances are some bad caching problem where it's caching random people's pages and serving those.
Just stay off of Steam for now.
I was trying to login from my laptop and getting the Korean page. I've had localization errors from Steam before, so I figured it was just a fluke. Here's to hoping sending four login requests didn't up my chances of exposure.
EDIT: @moab said:
Yikes, I'm glad I use PayPal and don't save my info on Steam.
I did that a long time ago for PSN and XBL. I really shouldn't have excepted Steam, and as soon as this debacle is over I'm going to fix that mistake.
Every time I hit "View Account Details" I was seeing someone else's account information. Steam is fuuucked at the moment.
@rongalaxy: Hoping so as I have the same. Guess we will have to wait and see.
From the Steam section of Reddit:
It's a problem with their caching server (Varnish), caching pages that should not be cached (such as Account-Details, Cart, etc.). It invalidates after some time and is re-cached when the next user visits the page with their profile. You are not actually logged in (as in, you take over the session of the user), you just see pages rendered for others than yourself. This is why different parts of Steam appear as different users.
Which page you see is probably dependent on the edge node (first server you connect to) closest to you, hence why different users see different profiles.
My guess as to how this could've happened is that an untested configuration got activated when Steam went down earlier, e.g. due to an auto-conf service (Puppet, Chef) pulling an untested config or some of their live servers being replaced by staging / development servers. It's also possible that they were under heavy load and the engineer on duty reconfigured all their edge nodes to cache more aggressively.
Let's hope they fix this fast, because this is a major data leak. I can see private E-Mail and account names. Let's hope their cache server is not delivering internal pages.
Credit to: /u/mrallon
It seems bad in regards to potential access to user info such as personal e-mail addresses, funds, country, etc... but so far no one has reported seeing actual credit card info, just speculation that one potentially could. Purchasing does not seem to work right now.
It also may only be showing users who are logged in, so log out. Otherwise, people should come out of this relatively okay.
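The caching failure described in the Reddit explanation quoted above, modelled as an added example (not part of the thread, and not Valve's or Varnish's code): a toy shared edge cache keyed on the URL only, run once ignoring Cache-Control and once honouring it. The origin function, the `/account` path, the TTL and the user names are constructed assumptions, and the Cache-Control check is a simplification of real HTTP caching rules.

```python
# Added illustration: a toy shared edge cache, not Valve's or Varnish's code.
from dataclasses import dataclass, field

def origin(path, session_user):
    """Hypothetical origin: renders a per-user page and marks it uncacheable."""
    if path == "/account":
        return {"body": f"Account details for {session_user}",
                "headers": {"Cache-Control": "private, no-store"}}
    return {"body": "Store front page",
            "headers": {"Cache-Control": "public, max-age=60"}}

def is_shareable(response):
    """True only if Cache-Control explicitly allows storage in a shared cache."""
    directives = {d.strip().split("=")[0].lower()
                  for d in response["headers"].get("Cache-Control", "").split(",")}
    return "public" in directives and not directives & {"private", "no-store", "no-cache"}

@dataclass
class EdgeCache:
    respect_cache_control: bool
    ttl: int = 60
    store: dict = field(default_factory=dict)   # path -> (expires_at, response)

    def get(self, path, session_user, now):
        hit = self.store.get(path)              # key is the URL only; the session is ignored
        if hit and hit[0] > now:
            return hit[1]["body"]               # served without contacting the origin
        response = origin(path, session_user)
        if not self.respect_cache_control or is_shareable(response):
            self.store[path] = (now + self.ttl, response)
        return response["body"]

def demo(respect_cache_control):
    """Constructed traffic: alice, then bob within the TTL, then carol after expiry."""
    edge = EdgeCache(respect_cache_control)
    return [edge.get("/account", "alice", now=0),
            edge.get("/account", "bob", now=10),
            edge.get("/account", "carol", now=100)]

if __name__ == "__main__":
    print("misconfigured:", demo(False))
    print("corrected:    ", demo(True))
```

In the misconfigured run bob receives the page rendered for alice without ever holding her session, and carol's visit after expiry re-populates the cache with her own page for whoever comes next.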
That includes attempting to logout. Just don't touch ANYTHING.
— John Bain (@Totalbiscuit) December 25, 2015
Do NOT attempt to login to Steam atm. Just, don't touch anything, that's the safest thing you can do.
— John Bain (@Totalbiscuit) December 25, 2015
Not much to do in the meantime, though if you use Paypal to purchase, go to Paypal and unlink your pre-approved Steam acc as a precaution
— John Bain (@Totalbiscuit) December 25, 2015
There is no evidence that this is a breach, or that anything not displayed on account pages was leaked. You can bet people will try.
— Rami Ismail (@tha_rami) December 25, 2015
Do *NOT* click on links that tell you they'll fix or secure your Steam account. Do *NOT* follow steps that include direct links to Steam.
— Rami Ismail (@tha_rami) December 25, 2015
@zolroyce: If you try to login you will just get someone else's info, you can't access your own. At least that is what happened to me. Edit: So then I just logged out and am going to wait it all out.
@zolroyce: It's actually better to not do anything through the site. If you have PayPal linked to it you can unlink it from the PayPal site.
By the way, this is not a security breach. This is page caching gone rogue. Most likely not respecting Cache-Control headers.
— Steam Database (@SteamDB) December 25, 2015
.@ZylusDota The best way to protect yourself is to completely avoid Steam websites for now.
— Steam Database (@SteamDB) December 25, 2015
Do NOT attempt to unlink PayPal, remove your credit card details or anything else. Doing so will put you at risk instead.
— Steam Database (@SteamDB) December 25, 2015
Important addendum that @slag brought up:
Once again, unlinking your PayPal account from Steam via the PayPal site alone is fine. Unlinking through Steam is NOT.
— Steam Database (@SteamDB) December 25, 2015
@officer_falcon: @rockyboyussr: Okay, thanks for the advice duders, I'll just log out and not touch anything besides Paypal. Though I think luckily I don't have it linked together, pretty sure I just sign in every time.
Fingers crossed nothing happens to my (or any of you all) CC's.
If you have paypal linked to it you can unlink it from the paypal site.
@viking_funeral: Important clarification
@SteamDB It is fine to unlink Steam using https://t.co/zlBegj03Gp itself. Just don't do it via the Steam store.
— Steam Database (@SteamDB) December 25, 2015
@slag: Good catch.
Apparently playing games online might be okay. It could also prevent anybody else from logging into your account through the desktop client.
I have already received 2 e-mails on the account linked to Steam.
1:
Hi,
I don't know if you knew about Steam being hacked or whatever it was, but I got logged into your account at one point and saw you had a lot of money in there. Please let me know if nothing got stolen! I feel so bad for everyone that has Steam money in their wallet, I am afraid people might steal it :( I don't know if it was possible to buy anything, I hope it isn't! I got logged out of yours again so I can't keep track of it anymore, sorry.
I hope everything is well!
Kind regards,
Fran
2: (From a throwaway Guerrillamail account.)
your money is safe now
thank you
:|
@hassun: Holy shit. I really hope that someone is just fucking with you. If not I'm sure Valve would refund anything that came out of your wallet today, right?
As it's a caching error it seems that people never had control of your account at all, they just had access to some of your account info. Credit card numbers etc should be safe as they're not visible, but email accounts were visible so PayPal is probably the biggest weakness right now.
Heard a rumor from my brother that they might refund all purchases made within a certain time frame. Don't take that as gospel but if it is true anyone who had their accounts compromised might have a ray of hope.
This whole situation is beyond fucked.
Edit: If someone had bought a game on my account with my CC info it would have emailed me, right? I don't think I got hit but... I'm paranoid.
Well.... Shit
Man. How did he get Half-Life 3? I want to believe
@alwaysbebombing: It would be nuts if it was literally that... HL 3 came out and totally fuckered the Steam servers. But that could very easily be a clever photoshop.
Wow. I don't think anything of mine was compromised, but now I'm paranoid. Staying off Steam for a while until these problems are fixed.
@planetfunksquad: Yeah I'm confident that if money does disappear, Valve will refund it.
@alwaysbebombing: It would be nuts if it was literally that... HL 3 came out and totally fuckered the Steam servers. But that could very easily be a clever photoshop.
(I know, I was replying to a message that has since been deleted so the joke was ruined)