Steam bug causing user account information to appear to other customers [Update: Valve responds]

It's as bad as a bug can get. Attempting to access user info is causing other people's account information to pop up, including their buying history and Wallet information.

36

It's Christmas Day and while people were watching Xbox Live and PlayStation Network for any possible issues, it appears that the biggest problem today is with Steam. It's coming in the form of a bug and quite a nasty one.

It's been reported on Reddit, as well as from our own Chatty community, that attempting to log into Steam and access account information will cause the account information for a different user to pop up. This is allowing people to see other customers' account information, buying history, Wallets, and even credit card numbers (albeit blocked out).

An official cause has not been issued, but speculation (including from the diligent Valve followers at Steam Database) is pointing to a caching issue gone horribly wrong.

Logins have been disabled for the time being, but the damage is already being done. Shacknews is reaching out to Valve for comment and any additional instructions, but in the meantime, users are advised to brace for the worst. Those that have not visited Steam today, do NOT visit Steam until this is all sorted, or else you could be caught in the caching web.

Update (2:33PM PT): There is more speculation coming in from the community-run, unofficial site, Steam Database, offering further insight into what might have happened, in regards to the rogue caching issue. More importantly, the site is offering sound advice on unlinking your PayPal information from your Steam account, if absolutely necessary. There is still no official word from Valve at this time, but Shacknews will continue monitoring this situation.

Update (3:40PM PT): There is a sense of cautious optimism that the issue has been resolved, with no issues indicated on the unofficial Steam Database. However, there is still no official statement from Valve in regards to this issue, so be careful out there.

Update (5:33PM PT): Valve has issued the following statement to Shacknews:

Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.

Senior Editor

Ozzie has been playing video games since picking up his first NES controller at age 5. He has been into games ever since, only briefly stepping away during his college years. But he was pulled back in after spending years in QA circles for both THQ and Activision, mostly spending time helping to push forward the Guitar Hero series at its peak. Ozzie has become a big fan of platformers, puzzle games, shooters, and RPGs, just to name a few genres, but he’s also a huge sucker for anything with a good, compelling narrative behind it. Because what are video games if you can't enjoy a good story with a fresh Cherry Coke?

Filed Under
From The Chatty
  • reply
    December 25, 2015 1:00 PM

    Ozzie Mejia posted a new article, Steam bug causing user account information to appear to other customers

    • reply
      December 25, 2015 1:03 PM

      lolllllll gg valve

    • reply
      December 25, 2015 1:07 PM

      Probably HL3 ARG

    • reply
      December 25, 2015 1:20 PM

      How can I temporarily freeze my Paypal account? And should I temporarily freeze my Paypal account

    • reply
      December 25, 2015 1:45 PM

      [deleted]

    • reply
      December 25, 2015 1:55 PM

      What if you were already logged in yesterday? Does it still mean I'm caught up in all this?

      • reply
        December 25, 2015 1:59 PM

        Ah, nevermind, issue stems from loading account pages, not being logged in (I hope)

      • reply
        December 25, 2015 1:59 PM

        Yeah, like, what if you're perpetually logged into the client?

        I know earlier when I was hitting the queue thingy I earned a card for someone else's account apparently, but the client's showing my user name and all that.

      • reply
        December 25, 2015 1:59 PM

        Won't really know until Valve says what happened. Just hang on to your butts 'til they say it's a-ok, then change your password.

        They ought to have database backups if anything fucked up happens and should be able to put things right for anyone that didn't make a purchase while the bad things were happening.

        • reply
          December 25, 2015 2:20 PM

          If they say what happened.

          • reply
            December 25, 2015 2:23 PM

            True. Hopefully they would address something as bad as this. If they don't, it'd be worth raising hell about. Though it's not like it'd do any good since we all asked for the Steam monopoly on game delivery.

            • reply
              December 25, 2015 2:26 PM

              I reached out to the Valve reps, but I'm not holding my breath on a response today.

          • reply
            December 25, 2015 6:58 PM

            There was no data breach and HL2 is coming out soon we swear! ...

            And by soon they meant a year. I like Valve as much as anyone but I take what they say with a grain of salt.

    • reply
      December 25, 2015 3:34 PM

      Valve doesn't really even have any social media outlets that they use to communicate with customers either do they? So it'll be radio silence until they say something via news outlets or email?

      • reply
        December 25, 2015 3:54 PM

        There are so many different ways for companies to communicate with customers these days and their first official statement will probably come from GabeN responding to some buried random Reddit thread

      • reply
        December 25, 2015 5:35 PM

        They have a Twitter account, but it just has advertisements.

    • reply
      December 25, 2015 3:35 PM

      [deleted]

    • reply
      December 25, 2015 5:33 PM

      The Valve statement to Shack:

      Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.

      • reply
        December 25, 2015 5:37 PM

        Any ramifications to other people viewing my cached information?

        • reply
          December 25, 2015 6:09 PM

          [deleted]

          • reply
            December 25, 2015 8:47 PM

            Realistically, yeah, probably. All they'd get would be your email address, last 4 of credit card and whether or not you have steam guard enabled. They shouldn't be transmitting anything to the client that is sensitive information after it's been secured on their side. All credit card transactions are done with tokens and the actual credit card information would be stored on servers that aren't directly accessible from the server you'd get your account details from.

            Assuming they're not insane.

      • reply
        December 25, 2015 5:49 PM

        The damage is already done. With so many viable alternatives to Steam, I doubt I'll ever be back.

        • reply
          December 25, 2015 5:53 PM

          I'm sure Valve will survive without your collection of anime sims

        • reply
          December 25, 2015 9:48 PM

          Are you opting out? But you're the entire mnc community!!

      • reply
        December 25, 2015 5:53 PM

        Is there a direct link from Valve anywhere saying this? Not implying whatsoever that your info is wrong, but I'd like to see something published in some way from Valve.

      • reply
        December 25, 2015 6:13 PM

        No apology and no comment on the fact that people saw full names, phone numbers, and addresses for other users.

        Still better than the usual silence from Valve.

        • reply
          December 25, 2015 10:14 PM

          [deleted]

          • reply
            December 25, 2015 10:39 PM

            That's one of the shittiest, more ignorant things I've seen to try to justify something like this. What the fuck?

          • reply
            December 25, 2015 11:05 PM

            You have the option to not be listed in phone books if you don't want that information to be public.

      • reply
        December 25, 2015 7:56 PM

        pre-order cancelled.

    • reply
      December 25, 2015 5:38 PM

      It's a Christmas miracle!

    • reply
      December 25, 2015 6:30 PM

      Scary stuff.

      The way valve doesn't communicate at all is even scarier.

    • reply
      December 25, 2015 7:32 PM

      So can we please stop pretending like Steam is the greatest thing since sliced bread?

      I've been saying Steam actually sucks for a while now, and this incident proves they are run like a Popsicle stand.

      Been off the Steam bandwagon for a while now and it feels pretty good.

      • reply
        December 25, 2015 7:37 PM

        I'm gonna keep on pretending it's the greatest thing and play some more Steam games.

        • reply
          December 25, 2015 7:55 PM

          I still play the games I bought in the past (haven't logged in today though because I repurchased the id stuff off GoG today and been having a blast with it) because yeah, I paid for them. As long as I have an internet connection I can be reasonably sure I can access that content.

          But future purchases are going to GoG, if GoG doesn't have it I'll play more Dwarf Fortress.

      • reply
        December 25, 2015 7:37 PM

        Lol. So hipster of you.

        • reply
          December 25, 2015 7:53 PM

          not a dirty hipster, just tired of DRM these days. Steam's offline mode doesn't work 100% of the time.

          ...hipster. lol. Look at the other comments. This isn't the first time Valve has come under heavy scrutiny. Remember when they wanted to charge for mods?

          • reply
            December 25, 2015 7:57 PM

            Valve isn't perfect but they are still a great service that has been nothing but good for me for years now.

      • reply
        December 25, 2015 7:59 PM

        Is there really a viable alternative though? I mean a lot of games bought retail require you to have a steam account to play, it seems to be the preferred method of DRM right now.

        They hold the monopoly but if they didn't, someone else would take over and I don't really trust any of the potential candidates. I like GOG and it looks like they handled Witcher 3 well, but I can't see DRM-free being acceptable for new releases across the industry anytime soon.

      • reply
        December 25, 2015 8:00 PM

        [deleted]

          • reply
            December 25, 2015 8:02 PM

            [deleted]

            • reply
              December 25, 2015 8:08 PM

              Like I said, I have a pretty decent library and I'll continue to play those games for obvious reasons. I'm just not buying anything else and haven't for months now.

              I don't think DRM-free is going to happen industry wide, pipe dream and all that, but it feels good supporting GoG at every opportunity because I feel like they truly love PC gaming and aren't out to make money over enjoying good games, DRM free. I feel like they truly provide a product, a real product. Steam makes me feel like I'm playing PC games on Netflix. Once the service (Netflix) goes, so does my ability to play the games I 'bought'.

          • reply
            December 25, 2015 8:02 PM

            best thing since sliced bread was Carmack and Romero in the same room making games...

          • reply
            December 25, 2015 8:04 PM

            Remember Valve's Employee Handbook?

            No one's telling you what to do. This the result.

          • reply
            December 25, 2015 9:19 PM

            vocal minority

          • reply
            December 26, 2015 12:59 AM

            Steam doesn't want low level employees. Its amazing what they've done with out them. But at some point you need people to answer phones, answer emails, screen games, and write documentation

      • reply
        December 25, 2015 8:09 PM

        [deleted]

      • reply
        December 25, 2015 8:11 PM

        Lol no

      • reply
        December 25, 2015 8:17 PM

        Yea I really miss the days when I had to keep track of multitudes of CD's and serial numbers. Wasting my time with that shit was so much fun.

        • reply
          December 25, 2015 8:35 PM

          I really do miss the boxes and manuals and stuff, yeah.

      • reply
        December 25, 2015 8:20 PM

        It's better than the alternatives. You do what you want but I'm gonna keep using Steam

      • reply
        December 25, 2015 8:23 PM

        some of you guys are locked into 1999 and can never escape

      • reply
        December 25, 2015 8:27 PM

        It's pretty great man, come on.

      • reply
        December 25, 2015 8:42 PM

        [deleted]

      • DM7 legacy 10 years legacy 20 years
        reply
        December 25, 2015 8:44 PM

        You use origin? :D

      • reply
        December 25, 2015 9:12 PM

        Yeah, no.

      • reply
        December 25, 2015 10:09 PM

        Steam is run by a company that:
        - Rarely fucks up
        - Is quick to rectify it if they do.
        - Doesn't dig it's feet in when it's makes a bad decision (paid mods)
        - Almost single handed saved PC gaming.
        - Heralded the beginning of digital distribution
        - Resurrected the PC indie scene
        - Has driven the price of PC games down.

        Steam IS the greatest thing to happen to PC gaming.

        • reply
          December 25, 2015 10:32 PM

          [deleted]

          • reply
            December 25, 2015 10:41 PM

            yup, and I bet without steam there wouldn't be these awesome things like GOG.

          • reply
            December 25, 2015 11:04 PM

            It's definitely a legitimate mistake. The real test will be how they follow it up. I've received emails from many other sites when the only "personal" information that was compromised might have been an email address.

            In this case it could have been email address, full name, full address, credit card last 4, phone last 4, and steam guard participation. That's not a small amount of stuff.

            If valve goes out of their way to communicate this to their users, then good. If they just sit back and hope it blows over or hope the media covers it and the one response they have on their forums is good enough, then they fucked up big time. Your dad who was adding his info to register the game you just bought him isn't going to know to go check forums or some gaming websites to find out why something was weird for a few minutes. He'd likely not even know anything was wrong other than "something was weird but now it's working".

            So yeah, if Valve doesn't address this publicly and doesn't inform the users that could have been affected by it, that'll be pretty telling about their security policies.

        • reply
          December 26, 2015 7:23 AM

          It's kept PC gaming afloat during the day of the console and for that I'm thankful, but I want Valve to continue to strive to improve customer service and it would also be nice if it gave us the option to run games separately from the Steam client (GoG gives us that option).

      • reply
        December 26, 2015 10:48 AM

        Please continue eating your grass fed gluten free pizza. I'll be using steam until something better comes along.

    • reply
      December 26, 2015 5:31 AM

      Lol if this were Origin people would be out-hyperbolizing each other to come up with the sickest burns on EA while furiously reading Wikipedia's legal section to see what class action they could start via online petition for upvotes on reddit. But it's Steam and Le Gaben King so it's fine. Just some personal info. If I did this I think I'd end up in front of a grievance panel

    • reply
      December 27, 2015 7:46 AM

      Listen, just release HL3 and everything will be forgiven Valve.

Hello, Meet Lola