GET THE FUCK OUT OF STEAM RIGHT NOW

LordDz_2 · Dec 25, 2015

http://www.theverge.com/2015/12/25/10665814/valve-steam-holiday-sale-security-problems

TL; DR: Steam is being hacked, if you buy anything or try to change your passwords or whatever, your account has a chance of getting hacked. So.. Simply log off steam for a while.

So what to do in the meanwhile? Well.. Go to your steam profile, copy the steam profile url and paste it in here.
https://steamdb.info/calculator/

And you can see how much monies you might lose this 1-day late christmas present from Valve and whoever decided to hack them.

Cheers! Stay drunk and tuned.

Neoony · Dec 25, 2015

https://www.reddit.com/r/Steam/comments/3y7r0b/do_not_login_to_any_steam_websites/

Neoony · Dec 25, 2015

This is probably not a hacker attack.
Some say this is aftermath from the ddos attack that apparently occured earlier today.
Problems with steam cache server.

Steam confirmed its not a hacker attack here: http://steamcommunity.com/discussions/forum/0/458604254431478327

It seemed like every time some of the specific urls were loaded, you would suddenly become some specific user.

So as far as I know, only things that could have been leaked are your email address, address, purchase history, phone number, your account balance or similar stuff.

I personally dont think any of that is really abusable, atleast unless you would have a bit more informations about the user, or passwords or the whole creditcard info.
But none of that should be visible or stored at cache server. Or it is encrypted.

But you never know.

Neoony · Dec 25, 2015

Store servers are down so there shouldnt really be any risk using steam now.

It was only an issue on steam store website. So anyway, even if they were up and still fucked, you just have to not use the store.

https://steamstat.us/

EDIT: btw, if the steam was ddosed earlier, it doesnt mean it was compromised. DDOS is just a poor attack to take servers down, not to gain access.

Neoony · Dec 25, 2015

This is a nice post from reddit:

For those wondering about what was leaked, if you logged into the Steam store recently, random people may have seen:

Your username

Your email address

Your billing address

Your purchase history (games, DLC) and wishlists

Your item inventory, badges and achievments

How much money you have in your steam wallet

The last 4 digits of your credit card number

Essentially, anything that you can see from your Steam account.

As far as I am aware, people can NOT:

Get your password, or otherwise gain permenant access to your account

Perform any kind of actions on your account (purchase/gift/play games, change password, message people, etc.)

Drain funds from your steam wallet, or linked paypal account

See the cookies of anyone but themselves

(Gathering this from a few sources, feel free to correct me if this is incorrect)
Click to expand...

And explanation on cache server problems:

It's a problem with their caching-server (varnish), caching pages that should not be cached (such as Account-Details, Cart, etc.). It invalidates after some time and is re-cached when the next user visits the page with their profile. You are not actually logged in (as in, you take over the session of the user), you just see pages rendered for others than yourself. This is why different parts of steam appear as different users.

Which page you see is probably dependent on the edge node (first server you connect to) closest to you, hence why different users see different profiles.

My guess to how this could've happened is that an untested configuration got activated when steam went down earlier, e.g. due to an auto-conf service (puppet, chef) pulling an untested config or some of their live servers being replaced by staging / development servers. It's also possible that they were under heavy load and the engineer on duty reconfigured all their edge nodes to cache more aggressively.

Let's hope they fix this fast, because this is a major data leak. I can see private E-Mail and account names. Let's hope their cache server is not delivering internal pages.

Edit: /u/LymiaAluysia made an important point about whether cookies are being cached.

As far as I can tell, no HTTP-Headers are being cached which includes cookies. Below is a screenshot where I see the profile of someone else though the steam id in the cookie is still my own: http://i.imgur.com/TK9FFv.png
Click to expand...

Nothing official though.

EDIT: or another explanation:

Edit: This isn't essentially Steam's fault. It's a natural way of how many webservers react in a case like this, and unless they completely change the way cache is handled - they can't do much about it. It happens all the time. Anyhow, this isn't so much a security issue but more of a privacy issue. The only details people can view are your steam name, balance and email.

There's a lot of people saying Steam's having major security issues or exploited, or their account has had games purchased.

That's not true. All this is, is cache. I'll try my best to explain it, using external references.

Browser cache - Most web browsers cache webpage data by default. For example, when you visit a webpage, the browser may cache the HTML, images, and any CSS or JavaScript files referenced by the page. When you browse through other pages on the site that use the same images, CSS, or JavaScript, your browser will not have to re-download the files. Instead, the browser can simply load them from the cache, which is stored on your local hard drive.

Basically, cache is a save of a copy of a webpage. If the webpage doesn't change and there's cache available, most servers (clients too) will show this cache. Think of it like this.

Jimmy visits http://steam.com/profile. Steam loads all his data, emails and stuff to show on the website. Steam then saves a copy of this on their server and outputs the page to Jimmy. Whenever Jimmy views that page, if his email hasn't been changed, then steam will show the saved file. If it has been changed, they will 'remake' the webpage and save it again, showing him the new one. Ronald comes to steam while their servers are drunk. The server that checks if Jimmy's email has been changed is offline. This confuses steam, so they just show Ronald Jimmy's saved file. It's not his profile, but essentials the Steam server is 'drunk' and got mixed up so they showed the file they thought was Ronalds.

That's the best I can explain it really. This is a concern because it's leaking users' names, emails and account balances, whether they have steam guard enable and other profile information, but none of it can be changed. People can't buy or edit anything because the webpage they're viewing is just a copy.

Ohh. An easier explanation.. If you copy a word document, and edit the copied file, the original file isn't changed, is it? That's what you're essentials doing, editing a copied profile page.

Hopefully this clears the confusion up.
Click to expand...

Neoony · Dec 25, 2015

Here is a realtime update on the situation:

https://www.reddit.com/live/w58a3nf9yi53

Neoony · Dec 29, 2015

Everything should now be fixed.

@ValveTime confirms on twitter, that the login problems are now solved and that everything should work fine now!
Click to expand...

Somewhat official:
http://steamcommunity.com/discussions/forum/0/458604254431478327/

25 Dec 2015, 23:16 GMT: The issue now appears to have been resolved, and the Steam Store is back online.
Click to expand...

Metruption · Dec 26, 2015

I tried to wishlist Mount Your Friends but my dude already had it. Bummer
I tried to wishlist Sakura Spirit but it literally didn't work

Neoony · Dec 26, 2015

You couldnt really do any changes if thats what you mean.
You only had a cached "image" of their session, simply said.

Neoony · Dec 26, 2015

Official from Valve:

Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.
Click to expand...

EDIT:
Just to say, exposed people should be warned of social engineering attacks /scams.
As this did make it easier and put targets on peoples back.

Beerdude26 · Dec 29, 2015

There are only two hard things in Computer Science: cache invalidation, naming things, and off-by-one errors.

-- Phil Karlton
Click to expand...

Neoony · Dec 30, 2015

Just to say, it looks like there is still no other response on this from Valve.

https://www.reddit.com/r/Steam/comments/3ykfwt/we_shouldnt_be_okay_with_the_fact_that_valve/

EDIT:

We'd like to follow up with more information regarding Steam's troubled Christmas.

What happened

On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.

The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.

If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user.

Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users.

How it happened

Early Christmas morning (Pacific Standard Time), the Steam Store was the target of a DoS attack which prevented the serving of store pages to users. Attacks against the Steam Store, and Steam in general, are a regular occurrence that Valve handles both directly and with the help of partner companies, and typically do not impact Steam users. During the Christmas attack, traffic to the Steam store increased 2000% over the average traffic during the Steam Sale.

In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.

Once this error was identified, the Steam Store was shut down and a new caching configuration was deployed. The Steam Store remained down until we had reviewed all caching configurations, and we received confirmation that the latest configurations had been deployed to all partner servers and that all cached data on edge servers had been purged.

We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward. We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service.
Click to expand...

-source: http://store.steampowered.com/news/19852/

James · Dec 30, 2015

Scaredycats

Log in

GET THE FUCK OUT OF STEAM RIGHT NOW

LordDz_2 Strange things happens here

Neoony Member

Neoony Member

Neoony Member

Neoony Member

Neoony Member

Neoony Member

Metruption Member

Neoony Member

Neoony Member

Beerdude26 OnThink(){ IsDownYet(); }

Neoony Member

James Overly Annoying Retard

Share This Page

Log in

GET THE FUCK OUT OF STEAM RIGHT NOW

LordDz_2 Strange things happens here

Neoony Member

Neoony Member

Neoony Member

Neoony Member

Neoony Member

Neoony Member

Metruption Member

Neoony Member

Neoony Member

Beerdude26 OnThink(){ IsDownYet(); }

Neoony Member

James Overly Annoying Retard

Share This Page

Useful Searches