Valve Issues Statement on Steam Christmas Malfunction

About 34,000 users were affected.

Valve has issued a statement today addressing a "configuration error" that exposed private information for about 34,000 users on Christmas Day. In the lengthy statement, Valve writes that it is still attempting to identify affected users and will contact them once the identification is complete.

According to the statement, Steam was the target of a DoS attack early on December 25th. Valve also reports that there was a 2000% increase in traffic during the Steam Sale. The combination of these two factors caused caching issues that resulted in users seeing account information, libraries, and Steam Store responses that belonged to other users. Compromised data included users' billing addresses, the last four digits of their Steam Guard phone number, purchase history, the last two digits of their credit card number, and email addresses. Not included were full credit card numbers or passwords.

You can read the statement, in full, below:

"We'd like to follow up with more information regarding Steam's troubled Christmas.

What happened

On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.

The content of these requests varied by page, but some pages included a Steam user's billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.

If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user.

Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users.

How it happened

Early Christmas morning (Pacific Standard Time), the Steam Store was the target of a DoS attack which prevented the serving of store pages to users. Attacks against the Steam Store, and Steam in general, are a regular occurrence that Valve handles both directly and with the help of partner companies, and typically do not impact Steam users. During the Christmas attack, traffic to the Steam store increased 2000% over the average traffic during the Steam Sale.

In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.

Once this error was identified, the Steam Store was shut down and a new caching configuration was deployed. The Steam Store remained down until we had reviewed all caching configurations, and we received confirmation that the latest configurations had been deployed to all partner servers and that all cached data on edge servers had been purged.

We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward. We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service."
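The failure mode the statement describes, a shared cache storing responses generated for authenticated users, can be reproduced in a few lines. The following is an added example, not code from Valve, its caching partner, or the article; the session names, paths, policies, and the `EdgeCache` class are all constructed for illustration. It replays the same traffic through a path-only caching rule and through a rule that bypasses the cache for anything tied to a user, then checks for cross-user responses.

```python
from dataclasses import dataclass, field

# Constructed session table: session cookie value -> user name.
SESSIONS = {"s-alice": "alice", "s-bob": "bob"}


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def origin(req):
    """Hypothetical store origin: /account is personalised per session."""
    user = SESSIONS.get(req.cookies.get("session"))
    if req.path == "/account" and user:
        return Response(f"account page for {user}",
                        {"Cache-Control": "private, no-store"})
    if req.path == "/account":
        return Response("please sign in", {"Cache-Control": "no-store"})
    return Response("store front page", {"Cache-Control": "public, max-age=60"})


def cache_by_path_only(req, resp=None):
    """Flawed emergency rule: everything is cacheable, keyed on the path alone."""
    return True


def cache_anonymous_only(req, resp=None):
    """Safer rule: bypass the shared cache for anything tied to a user."""
    if "session" in req.cookies:
        return False  # authenticated request: never read from or write to cache
    if resp is not None:
        cc = resp.headers.get("Cache-Control", "").lower()
        directives = {d.strip().split("=")[0] for d in cc.split(",")}
        if directives & {"private", "no-store", "no-cache"}:
            return False  # the origin marked the response as not shareable
        if "Set-Cookie" in resp.headers:
            return False  # never store a response that issues a cookie
    return True


class EdgeCache:
    """Minimal shared cache in front of origin(); the cache key is the path."""

    def __init__(self, policy):
        self.policy = policy
        self.store = {}

    def handle(self, req):
        if not self.policy(req):
            return origin(req).body, "BYPASS"
        if req.path in self.store:
            return self.store[req.path], "HIT"
        resp = origin(req)
        if self.policy(req, resp):
            self.store[req.path] = resp.body
            return resp.body, "MISS"
        return resp.body, "BYPASS"


def replay(policy):
    """Send constructed traffic through a fresh edge cache using `policy`."""
    edge = EdgeCache(policy)
    traffic = [("alice", "/account"), ("bob", "/account"),
               (None, "/"), (None, "/"), ("bob", "/")]
    results = []
    for user, path in traffic:
        cookies = {"session": f"s-{user}"} if user else {}
        body, status = edge.handle(Request(path, cookies))
        results.append((user, path, body, status))
    return results


def cross_user_leaks(results):
    """Return (viewer, owner, path, status) wherever a body names another user."""
    leaks = []
    for user, path, body, status in results:
        for other in SESSIONS.values():
            if other != user and f"for {other}" in body:
                leaks.append((user, other, path, status))
    return leaks


if __name__ == "__main__":
    for policy in (cache_by_path_only, cache_anonymous_only):
        print(policy.__name__, cross_user_leaks(replay(policy)))
```

Under the path-only rule the second visitor to `/account` receives the first visitor's page as a cache hit; under the anonymous-only rule authenticated traffic always reaches the origin while the public front page is still served from cache.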

[RETRACTED]

Do Steam, PSN and XBL just get DDoS'd daily or something? It really feels like it.

Fappy:
Do Steam, PSN and XBL just get DDoS'd daily or something? It really feels like it.

Odds are yes, but there are tons of people who do their best to keep the server hamsters running so it only really affects end users in cases such as this.

Diablo1099:
I knew that it was some seasonal hacker BS.

I mean, don't get me wrong, Valve dropped the ball there but I'm personally saving my ire for the people who were trying to bring down the Steam service rather than the people who failed to stop them.
Network Administration is hard and as a student of the craft myself, I hope I don't have to deal with an attack that bad.
2000% above the average userbase during peak sale hours? Not exactly how I'd imagine they'd want to spend Christmas :/

Nah, still fully an error on Valve's end. A DoS attack should, at the most, stop the store from processing requests in a timely manner. That is the extent of damages that the attack should do. Only incompetence on someone's part on Valve's end creates the problems we saw here.

A DoS attack is expected for anything major relating to the internet nowadays. To fail like they did is completely irresponsible, and Valve should be held responsible.

Xeorm:

Diablo1099:
I knew that it was some seasonal hacker BS.

I mean, don't get me wrong, Valve dropped the ball there but I'm personally saving my ire for the people who were trying to bring down the Steam service rather than the people who failed to stop them.
Network Administration is hard and as a student of the craft myself, I hope I don't have to deal with an attack that bad.
2000% above the average userbase during peak sale hours? Not exactly how I'd imagine they'd want to spend Christmas :/

Nah, still fully an error on Valve's end. A DoS attack should, at the most, stop the store from processing requests in a timely manner. That is the extent of damages that the attack should do. Only incompetence on someone's part on Valve's end creates the problems we saw here.

A DoS attack is expected for anything major relating to the internet nowadays. To fail like they did is completely irresponsible, and Valve should be held responsible.

Oh....Fuck, kinda shows how well I'm learning my trade, huh? ^^;

*Hastily retracts comment*

Diablo1099:
Oh....Fuck, kinda shows how well I'm learning my trade, huh? ^^;

*Hastily retracts comment*

Hey, if popular media has taught me anything, it's that everyone thinks they know about security, and never want to listen to the security people until it's too late. This counts double for internet security.

You've got a long road ahead of you.

Xeorm:

Diablo1099:
Oh....Fuck, kinda shows how well I'm learning my trade, huh? ^^;

*Hastily retracts comment*

Hey, if popular media has taught me anything, it's that everyone thinks they know about security, and never want to listen to the security people until it's too late. This counts double for internet security.

You've got a long road ahead of you.

Yeah...Guess I was just feeling sorry for them because that sounds like something *I'd* do.
That and getting fired over something like this on Christmas day would suck a lot

Well, at least valve will have an out if the sale isn't very good: everyone got scared off by caching errors; it absolutely had nothing to do with the lack of flash sales or any really interesting gimmick.

That said, this caching error is pretty stupid: I'd have thought valve had their ducks in more of a row than that.

flying_whimsy:
Well, at least valve will have an out if the sale isn't very good: everyone got scared off by caching errors; it absolutely had nothing to do with the lack of flash sales or any really interesting gimmick.

That said, this caching error is pretty stupid: I'd have thought valve had their ducks in more of a row than that.

Well, to be fair, it probably did scare off some people, so expecting slightly lower sales than normal is reasonable.

Of course, if they try to blame a 30% drop or something of that magnitude on the caching issue, then it'll be a load of BS. And I know that I didn't buy anything during the sale, though to be fair I don't buy anything during most Steam sales anyway.

Valve's got a lot of egg on their face. I'm not annoyed at them personally because I wasn't even using the service that day (and should be totally not affected whatsoever) but the fact it happened at all is no cause for celebration.

flying_whimsy:
Well, at least valve will have an out if the sale isn't very good: everyone got scared off by caching errors; it absolutely had nothing to do with the lack of flash sales or any really interesting gimmick.

That said, this caching error is pretty stupid: I'd have thought valve had their ducks in more of a row than that.

Well, given that it wasn't Valve handling the caching, but a third party provider, Valve had their ducks in as much a row as they could personally assure at the time.

Obviously something still went wrong and that's bad, but it's more complicated than "Valve failed".

The worst of the data put 'out in the open' is the email address, phone number and billing address. While definitively not stuff anyone wants seen by random people on the internet:

A) How much of that info is already posted somewhere on the internet somewhere? email address via a contact page on a social media site or forum account? Address and phone number on a publicly available resume or other public posting like phone books? I'm curious if anyone could/would do a risk analysis based on how likely the compromised info is already on publicly available pages.

B) Given that this wasn't a compromising of their databases containing the information, but a technical error, it means that the drastic majority of people who saw someone else's info were other random people just trying to access their steam account, not a malicious person or group looking out out random people a la the Sony or Target hacks.

So out of the 34k people that were *very* unfortunately compromised in this, my gut says that a very small amount - if any - are likely to have malicious action put against them because of said compromise.

Given that Valve has responded a lot faster than the norm(though as others have said, a faster initial response is something they definitely need to work on) both in spotting and stopping the issue, and correcting and apologizing for it, I'm willing to let it slide in this case. They could be faster, but as someone that's worked in a datacenter when some major bad-times go down, fact is, sometimes things just take time to work through and figure out the cause of, *especially* if a third party service is involved.

Hopefully they have a little 'heart-to-heart' with their caching provider about expanded configuration testing paradigms, and give the affected people something nice by way of apology, but nothing about this strikes me as anywhere near as bad as the other data compromises we've seen the past few years.

At minimum, I don't think it's warranting the hopes and calls from people that Valve be sued.

There is a valuable lesson to be learned here for anyone in the Web development business: What if the store had been set up so that accessing any page as a given user actually logs you in as them for real? What if every page just blindly served a valid session cookie, allowing users to proceed from there to do anything they wanted? I imagine it's a common rookie mistake to assume that only someone who has at some point manually logged in would ever be able to access the site as that user. But if that had happened, this could have resulted in all kinds of mayhem. Everything you can do from the site without actually logging into the client: Trolling other users through the chat system, spending Steam Wallet money on "gifts" for themselves, gifting the contents of their inventory to themselves... probably some other stuff I'm not even thinking of. But thanks to some technical wizardry, some other form of authentication is needed every time you access a new page, something that's invisible to the user, so anyone who saw someone else's store pages was effectively locked into a read-only mode and the damage was minimized.

Areloch:
So out of the 34k people that were *very* unfortunately compromised in this, my gut says that a very small amount - if any - are likely to have malicious action put against them because of said compromise.

If one malicious action is taken then it's one action too many and Valve, be it a third party subsidiaries fault, should be held accountable. These people gave Valve sensitive information under the promise that information would be secure, it was not, and now heads need to roll. Simple stuff really, holding people accountable.

Sarge034:

Areloch:
So out of the 34k people that were *very* unfortunately compromised in this, my gut says that a very small amount - if any - are likely to have malicious action put against them because of said compromise.

If one malicious action is taken then it's one action too many and Valve, be it a third party subsidiaries fault, should be held accountable. These people gave Valve sensitive information under the promise that information would be secure, it was not, and now heads need to roll. Simple stuff really, holding people accountable.

Sure, but let's also not act like this is the exact same thing as the Sony or Target breaches. That's all I'm saying.
People need to give the situation the appropriate response, and not immediately fire up the internet hatemob-pocalypse machine as is the norm.
It's a bad, but comparatively minor event. I've seen several people pulling the "I HOPE VALVE GETS SUED FOR THIS" rhetoric already.

Issue is fixed, with relatively few affected, and the affected will be contacted by Valve and reparations will ensue as required, if at all. This is the handling I would expect when a screw-up occurs. Trying to start an internet brouhaha doesn't help anyone/anything.

Xeorm:
Nah, still fully an error on Valve's end. A DoS attack should, at the most, stop the store from processing requests in a timely manner. That is the extent of damages that the attack should do. Only incompetence on someone's part on Valve's end creates the problems we saw here.

A DoS attack is expected for anything major relating to the internet nowadays. To fail like they did is completely irresponsible, and Valve should be held responsible.

Thought the internet had universally decided that victim blaming isn't cool.

Glibness aside, and to continue the analogy, I'm not entirely sure I believe Valve on this one. Blaming it on DDoSers seems to be the go-to excuse for any online corporate screwup these days.

Kinitawowi:

Xeorm:
Nah, still fully an error on Valve's end. A DoS attack should, at the most, stop the store from processing requests in a timely manner. That is the extent of damages that the attack should do. Only incompetence on someone's part on Valve's end creates the problems we saw here.

A DoS attack is expected for anything major relating to the internet nowadays. To fail like they did is completely irresponsible, and Valve should be held responsible.

Thought the internet had universally decided that victim blaming isn't cool.

Glibness aside, and to continue the analogy, I'm not entirely sure I believe Valve on this one. Blaming it on DDoSers seems to be the go-to excuse for any online corporate screwup these days.

They didn't though, they only explained that the DoS attack put increased strain on the store (20 times more than even the usual steam sale's demand), which they countered by more aggressively caching the website. Unfortunately they messed it up and caused this incident.

This is why I don't save my credit card, billing address and phone number on steam. The only thing people would see is my e-mail address and the amount in my steam wallet.

hearty0:
They didn't though, they only explained that the DoS attack put increased strain on the store (20 times more than even the usual steam sale's demand), which they countered by more aggressively caching the website. Unfortunately they messed it up and caused this incident.

It looks that way, but even just looking at responses here, you can see how people react: DoS attack->caching problem. Valve doesn't put much emphasis on that the caching problem was one of their own design, so people reading it don't see it either. Nor is there even an apology in the message.

I still don't like steam but in this case I have to defend it as they didn't really do anything wrong,
except hire a third company that employed an individual/team that took a shortcut in server/cache handling.

They took precautions to avoid a sales rush overloading the servers and to mitigate eventual DDoS attacks that is par for the course concerning big companies online.

The only real damage that occurred was revealing billing and email addresses for 34k users.

A lot of the times you don't hear about all the amazing and extensive stuff done to make sure everything works. ,)

P.S. Still no excuse for steam DRM and having a major monopoly on online distribution.

Areloch:

Sarge034:

Areloch:
So out of the 34k people that were *very* unfortunately compromised in this, my gut says that a very small amount - if any - are likely to have malicious action put against them because of said compromise.

If one malicious action is taken then it's one action too many and Valve, be it a third party subsidiaries fault, should be held accountable. These people gave Valve sensitive information under the promise that information would be secure, it was not, and now heads need to roll. Simple stuff really, holding people accountable.

Sure, but let's also not act like this is the exact same thing as the Sony or Target breaches. That's all I'm saying.
People need to give the situation the appropriate response, and not immediately fire up the internet hatemob-pocalypse machine as is the norm.
It's a bad, but comparatively minor event. I've seen several people pulling the "I HOPE VALVE GETS SUED FOR THIS" rhetoric already.

Issue is fixed, with relatively few affected, and the affected will be contacted by Valve and reparations will ensue as required, if at all. This is the handling I would expect when a screw-up occurs. Trying to start an internet brouhaha doesn't help anyone/anything.

Holding a company accountable for a breach of customer trust and the dispersion of private information is "brouhaha"? You and I sir or madam have very different definitions of an appropriate response then. Be it the Sony, Target, or Valve debacle, they all leaked personal information they were entrusted to keep secure. You want to take numbers and probability of malicious action into account, I don't give a shit about either of those two things because, as you said, "People need to give the situation the appropriate response..." The situation being a company failed to secure personal information, the response being anything up to legal action for their failure. You said you had experience in server admin stuff, is that maybe making you a biased party?

Sarge034:

Areloch:

Sarge034:

If one malicious action is taken then it's one action too many and Valve, be it a third party subsidiaries fault, should be held accountable. These people gave Valve sensitive information under the promise that information would be secure, it was not, and now heads need to roll. Simple stuff really, holding people accountable.

Sure, but let's also not act like this is the exact same thing as the Sony or Target breaches. That's all I'm saying.
People need to give the situation the appropriate response, and not immediately fire up the internet hatemob-pocalypse machine as is the norm.
It's a bad, but comparatively minor event. I've seen several people pulling the "I HOPE VALVE GETS SUED FOR THIS" rhetoric already.

Issue is fixed, with relatively few affected, and the affected will be contacted by Valve and reparations will ensue as required, if at all. This is the handling I would expect when a screw-up occurs. Trying to start an internet brouhaha doesn't help anyone/anything.

Holding a company accountable for a breach of customer trust and the dispersion of private information is "brouhaha"? You and I sir or madam have very different definitions of an appropriate response then. Be it the Sony, Target, or Valve debacle, they all leaked personal information they were entrusted to keep secure. You want to take numbers and probability of malicious action into account, I don't give a shit about either of those two things because, as you said, "People need to give the situation the appropriate response..." The situation being a company failed to secure personal information, the response being anything up to legal action for their failure. You said you had experience in server admin stuff, is that maybe making you a biased party?

It's entirely probable I'm slightly biased, sure. For example, I've been in a situation where the company I worked for did nothing wrong and we had a complete outage of all services for 3 hours.

Basically, the datacenter the company operated out of was doing routine maintenance, and due to a freak cascaded hardware failure, both redundant switches that acted as the pipes for the datacenter died. The hardware itself tanked. They had the manufacturer themselves emergency ship replacement hardware out(because it was a hardware fault), but it meant that everything just ceased to exist as far as the internet was aware. Support ticket system, phone system, all websites we hosted including our own, just suddenly ceased to be.

That's a BAD situation to be in when you serve tens of thousands of customers, but the fact of the matter was, there was *literally* nothing we could do until the replacement hardware got there. Not a singular bit.

So having been in a pretty bad hosting/datacenter situation myself on more than one occasion, I'm willing to just accept that sometimes crap breaks catastrophically and you can't personally do anything about it because it was a third party company's fault.

Is it a good thing? Pfthahaha ooooh lord no. Not in the least. But at the same time, I have a hard time justifying the people going "Man, I really hope Valve gets sued!", when a) Valve wasn't the core entity at fault, and b) the response was likely as fast as reasonable, and once the situation was contained, it really, REALLY didn't take long for them to get a statement out that explained what the problem was, why it happened, and how it'll be prevented in the future, in addition to them doing the reaching out to any impacted parties for any needed reparations.

And as I mentioned before, there's a rather high probability the data that was exposed was already put out on the internet by the impacted party themselves.

That said, if someone does, indeed have something malicious happen to them due to the breach, then they absolutely have grounds to seek damages, but as-is, I'm not entirely sure(though of course, I'm not a lawyer) that Valve's handling of the situation is something one has a legal basis to hit them for. If anyone would actually, legally be on the hook, I'd presume it would be the caching provider, as they were the ones serving incorrect and compromised data.

So sure, I'm probably biased to be a bit more favorable to the techs in this because I've been on that end of things before, but at the same time, I'm unconvinced that people who always have their pitchforks and torches at the ready have any idea how this stuff works and are just chomping at the bit to hit the first thing that looks like a target, without consideration for what happened or what, if any, the repercussions are.

Make no mistake, leaked data is bad and I fully acknowledge that, but I just personally can't help but not put this in the same category as the Sony or Target leaks due to the nature of the leak, the scope of the leak, and the data that was compromised in the leak. A sister-category probably, but not the same one.

I don't know what the reasonable middleground is, to be honest. I know that any compromised user is a very bad thing, but I'm also aware that if we burned down every company that ever had a single user compromised for any reason, I don't think we'd have any companies left.

Maybe I'm just simply tired of seeing the internet rage machine at this point. I don't know.

Areloch:
It's entirely probable I'm slightly biased, sure. For example, I've been in a situation where the company I worked for did nothing wrong and we had a complete outage of all services for 3 hours.

Basically, the datacenter the company operated out of was doing routine maintenance, and due to a freak cascaded hardware failure, both redundant switches that acted as the pipes for the datacenter died. The hardware itself tanked. They had the manufacturer themselves emergency ship replacement hardware out(because it was a hardware fault), but it meant that everything just ceased to exist as far as the internet was aware. Support ticket system, phone system, all websites we hosted including our own, just suddenly ceased to be.

That's a BAD situation to be in when you serve tens of thousands of customers, but the fact of the matter was, there was *literally* nothing we could do until the replacement hardware got there. Not a singular bit.

So having been in a pretty bad hosting/datacenter situation myself on more than one occasion, I'm willing to just accept that sometimes crap breaks catastrophically and you can't personally do anything about it because it was a third party company's fault.

Is it a good thing? Pfthahaha ooooh lord no. Not in the least. But at the same time, I have a hard time justifying the people going "Man, I really hope Valve gets sued!", when a) Valve wasn't the core entity at fault, and b) the response was likely as fast as reasonable, and once the situation was contained, it really, REALLY didn't take long for them to get a statement out that explained what the problem was, why it happened, and how it'll be prevented in the future, in addition to them doing the reaching out to any impacted parties for any needed reparations.

And as I mentioned before, there's a rather high probability the data that was exposed was already put out on the internet by the impacted party themselves.

That said, if someone does, indeed have something malicious happen to them due to the breach, then they absolutely have grounds to seek damages, but as-is, I'm not entirely sure(though of course, I'm not a lawyer) that Valve's handling of the situation is something one has a legal basis to hit them for. If anyone would actually, legally be on the hook, I'd presume it would be the caching provider, as they were the ones serving incorrect and compromised data.

So sure, I'm probably biased to be a bit more favorable to the techs in this because I've been on that end of things before, but at the same time, I'm unconvinced that people who always have their pitchforks and torches at the ready have any idea how this stuff works and are just chomping at the bit to hit the first thing that looks like a target, without consideration for what happened or what, if any, the repercussions are.

Make no mistake, leaked data is bad and I fully acknowledge that, but I just personally can't help but not put this in the same category as the Sony or Target leaks due to the nature of the leak, the scope of the leak, and the data that was compromised in the leak. A sister-category probably, but not the same one.

I don't know what the reasonable middleground is, to be honest. I know that any compromised user is a very bad thing, but I'm also aware that if we burned down every company that ever had a single user compromised for any reason, I don't think we'd have any companies left.

Maybe I'm just simply tired of seeing the internet rage machine at this point. I don't know.

Ok, I get that. But as one of those people who has no idea how that stuff works it looks like this. Beginning, middle, and end, it doesn't matter who actually failed because it was Valve's responsibility to secure that data. I didn't buy anything from a third party server service so these people who Valve contracted to secure the data have come under Valve's purview to secure both the user's and Valve's data. They failed and that responsibility is transferred to the thing on top. You know that saying shit rolls down hill and failure floats to the top... And I'm not looking to burn Valve down, not for this reason at least, just take a sizeable chunk out of their ass.

Xeorm:

It looks that way, but even just looking at responses here, you can see how people react: DoS attack->caching problem. Valve doesn't put much emphasis on that the caching problem was one of their own design, so people reading it don't see it either. Nor is there even an apology in the message.

Eh?

We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service.

Pretty sure that's an apology. You may not believe it's any more sincere than your regular corporate speak and that's fine, but they did issue an apology.

Sarge034:

Ok, I get that. But as one of those people who has no idea how that stuff works it looks like this. Beginning, middle, and end, it doesn't matter who actually failed because it was Valve's responsibility to secure that data. I didn't buy anything from a third party server service so these people who Valve contracted to secure the data have come under Valve's purview to secure both the user's and Valve's data. They failed and that responsibility is transferred to the thing on top. You know that saying shit rolls down hill and failure floats to the top... And I'm not looking to burn Valve down, not for this reason at least, just take a sizeable chunk out of their ass.

Fair enough. As someone that's been on the other side, I can't say I agree, but I can definitely understand the reasoning.

Sorry but to everyone trying to absolve steam because "3rd party" lol.

Their customers bought from valve, gave their personal information to valve and trusted that valve would not fuck up.

Valve fucked up.

It doesn't matter that it wasn't one of their own code monkeys that fucked up, they were the ones that hired the 3rd party monkeys and they should have made damn well sure that those don't fuck up either.

As to the guy above that claims "what could ever happen?"

We live in a day and age where doxxing has become a REAL problem, where SWATTING has become an increasingly attractive thing for colossal douchebags, and it is only a matter of time till someone catches a bullet... I mean pets already get killed in those incidents when your dog decides to protect you from the invading dudes in tactical armor and guns shouting at you. You think those guys in SWAT will think twice about putting a bullet through your pet if it attacks them? Or you for that matter should you try to defend yourself?

And that is only the tip of the iceberg of shit people can do to you if they have your real name or only your phone number. If they have one of the two they will find out EVERYTHING about you.

Yes you might have that info posted somewhere on the internet for whatever reason, but before this no one could tie that information down to your Steam account, chances are more people on the net know you under one of your account names than your real name. But once they got your personal info it's open season.

Never underestimate the douchebaggery of internet trolls.

Valve fucked up royally and are even liable to a class action lawsuit in this case since they neglected to protect their customers' user data. Of course someone has to sue first, which in most cases like this won't happen, but that just shows that no... there's no difference.. it doesn't matter if it was a valve employee or someone they outsourced them to. Valve is responsible for their customer data and no one else.

So they responded far quicker and clearer than Sony and didn't try to lie about it?

flying_whimsy:
Well, at least Valve will have an out if the sale isn't very good: everyone got scared off by caching errors; it absolutely had nothing to do with the lack of flash sales or any really interesting gimmick.

That said, this caching error is pretty stupid: I'd have thought Valve had their ducks in more of a row than that.

Kinda. First Steam Sale in years where I didn't buy anything at all. Mostly because the things I wanted to buy weren't low enough and I don't really care about the rest. So doubt those gimmicks you mention would have helped either.

Steve the Pocket:
There is a valuable lesson to be learned here for anyone in the Web development business: What if the store had been set up so that accessing any page as a given user actually logs you in as them for real? What if every page just blindly served a valid session cookie, allowing users to proceed from there to do anything they wanted?

This is why pretty much any store I ever used online has a re-validation when doing the actual purchase.

Sarge034:

If one malicious action is taken then it's one action too many and Valve, be it a third party subsidiary's fault, should be held accountable. These people gave Valve sensitive information under the promise that information would be secure, it was not, and now heads need to roll. Simple stuff really, holding people accountable.

And they are held accountable by change of people's opinion of them, clearly. This was quite clearly a simple mistake of a third party contractor that will be getting a lot of flak for this as it is. There is no need for beheading people.

Karadalis:
You think those guys in SWAT will think twice about putting a bullet through you for that matter should you try to defend yourself?

Yes. Not only that, but SWAT did not even shoot when being shot at. SWAT people are not idiots that shoot first ask questions later.

And that is only the tip of the iceberg of shit people can do to you if they have your real name or only your phone number. If they have one of the two they will find out EVERYTHING about you.

My real name and email address is posted in my profile. Good luck.

So many people seem to be up in arms about this, but all I can think about is that one guy out there that fucked up trying to deal with this. Imagine yourself being that guy, doing his stuff like routine, then types , instead of . or something like that and the whole system goes haywire.

It was a huge mistake, sure, but while I don't know much about coding and all that, I know enough that a small simple mistake like forgetting to add something or mistyping something can have giant ripples. So yeah, can't really be mad, I just feel sorry for the guy.

Strazdas:
*SNIP*

I'm not trying to start an argument here, but I do take issue with a couple of your points in regard to this.

Strazdas:

Karadalis:
You think those guys in SWAT will think twice about putting a bullet through you for that matter should you try to defend yourself?

Yes. Not only that, but SWAT did not even shoot when being shot at. SWAT people are not idiots that shoot first ask questions later.

I do agree, SWAT officers aren't idiots. But a lot of them do have a self-preservation instinct. Just because one officer in Oklahoma didn't shoot back doesn't mean that applies to the United States, nor in fact globally, which is how broad-reaching this issue affected. Do you think a Russian OMON squad might be as forgiving about a SWATting incident as this chief might be?

Strazdas:

And that is only the tip of the iceberg of shit people can do to you if they have your real name or only your phone number. If they have one of the two they will find out EVERYTHING about you.

My real name and email address is posted in my profile. Good luck.

And were it only your real name and email involved in the leak, you'd likely be okay. A lot of people didn't have just that leaked though. And I'm going to guess the name in your profile likely isn't your full name, given most people have a last name.

Full disclosure, I had items in my cart that day. I had made purchases in the days leading up to, and indeed the day of, that leak. It's not just my real name and email that were potentially leaked, from what I have been able to gather.

My name, contact address, full email, paypal email, contact phone number, and country were all potential discoveries from that leak that day. And that's only because I used Paypal instead of my credit card directly, because I am completely averse to leaving my credit card info anywhere that isn't behind a wall. And yes, I know if Paypal were hacked, that all of that information would be leaked, but at this point, reducing it to one website as opposed to several is a risk I'm fully accepting of.

So, are you fully willing to share your full name, email, contact phone number, physical address, and Paypal associated email/last four numbers of your credit card right here, where anyone with a Steam account can see it?

Because if you aren't, then no. Your first name and email address on your Escapist profile is not the same as the personal information that was potentially leaked. And I wish people would recognise that.

theSovietConnection:

I do agree, SWAT officers aren't idiots. But a lot of them do have a self-preservation instinct. Just because one officer in Oklahoma didn't shoot back doesn't mean that applies to the United States, nor in fact globally, which is how broad-reaching this issue affected. Do you think a Russian OMON squad might be as forgiving about a SWATting incident as this chief might be?

Nor will all people swatted be shooting at officers barging in the door. The point is that SWAT, or OMON or whatever other local team you want are specifically trained to assess situations quickly and don't just randomly shoot all civilians.

And were it only your real name and email involved in the leak, you'd likely be okay. A lot of people didn't have just that leaked though. And I'm going to guess the name in your profile likely isn't your full name, given most people have a last name.

Full disclosure, I had items in my cart that day. I had made purchases in the days leading up to, and indeed the day of, that leak. It's not just my real name and email that were potentially leaked, from what I have been able to gather.

My name, contact address, full email, paypal email, contact phone number, and country were all potential discoveries from that leak that day. And that's only because I used Paypal instead of my credit card directly, because I am completely averse to leaving my credit card info anywhere that isn't behind a wall. And yes, I know if Paypal were hacked, that all of that information would be leaked, but at this point, reducing it to one website as opposed to several is a risk I'm fully accepting of.

So, are you fully willing to share your full name, email, contact phone number, physical address, and Paypal associated email/last four numbers of your credit card right here, where anyone with a Steam account can see it?

Because if you aren't, then no. Your first name and email address on your Escapist profile is not the same as the personal information that was potentially leaked. And I wish people would recognise that.

The person said that knowing only my name is enough to find out everything about me. This is patently false. The name in my profile is my first name but you could easily google my second one just by my nick alone. It's no secret.

As for your list of information:
Name - no.
Contact Address - only if you explicitly entered it, which I actually never heard anyone do on Steam as it's not needed. Unless you need it for tax reasons or something.
Email - if you have entered contact email. Most people do.
Paypal email - yes, if you have linked your Paypal account to your Steam account. Note that you do not have to link accounts to purchase from Steam via Paypal. If you do not link you will have to enter it every time you make a purchase though. For most people it will be the same email as above.
Phone - no, only last 4 digits.
Country - yes.
If you used credit card, only the last 4 numbers of your credit card number would be visible, making it unusable. (I also have the same policy with Paypal as you btw).

My full name and email is no secret. My physical address can be found in a phone book or public registry. I do not share my phone solely because I use it as minimally as I can, I'd rather people email me instead.

I was not equating my information to that leaked on Steam, I was calling out the nonsensical statement that having only someone's name is enough to find out EVERYTHING about them.

 
