Steam Denies User Private Information Was Exposed During The Great Security Fail On Christmas Day

The Steam Winter Sale has been going strong for the holidays, featuring a slew of games at affordable prices, but for a while customers weren't able to use their own accounts. Instead, they were inadvertently shown another user's account.

The issue quickly blew up on the Internet as users gained access to the private information of other users, including email addresses, wallet balances, purchase history and the last four digits of their phone numbers and credit cards. At some point, the Steam Store's default language became Russian or another random language for other users.

Steam has made an official announcement on the matter, but it wasn't as informative as others hoped it would be.

"Credit card info and phone numbers are, as required by law, censored and not visible to users," Steam moderator KillahInstinct says, assuring users that the website was not hacked.

With that statement, the company suggests that no sort of exposure has occurred during the incident, but some online users say otherwise.

"When you go into 'Account Information' via Steam Client, it leads you to other people's pages. I looked at it and there is another guy's page named 'minkey***' and it has saved credit card information, which is not mine. I can see his mail address clearly. Also if that random guy has money in Steam Wallet, I think you can spend it too. Mine has $0 at all," user Quirah says on NeoGAF.

Fortunately, some users reported that purchases couldn't be made, with the system denying them with a "This is not your account" message.

"Chances are, if Valve programmed this correctly, no purchases should be allowed to be made as you. But, just to be careful, watch them anyways!" Reddit user HalfBurntToast says.

Meanwhile, Steam Database took the reins to inform people about the issue.

The website continues to address users' concerns, criticizing Valve over its lack of information regarding the incident.

As for the cause, Steam Database came up with an interesting speculation, one that is consistent with reports that users cannot make purchases using another's account.

"Our theory is that a caching misconfiguration in one of these components has caused Steam to incorrectly serve rendered and cached pages intended for a single user only," Steam Database says. "This issue means that users' private information such as email address, billing address, and sometimes credit card details are at risk. As far as we know, this issue is read-only, and no one is able to perform any actions involving your account on your behalf."

The latest announcement from Valve only says that the issue has been resolved and that the Steam Store is online again, which came right after the online store went offline. However, the company did not say a word about the damage, or whether any occurred at all.

Just this week, a couple of hacking groups threatened to carry out cyberattacks this Christmas on several gaming servers, including PlayStation Network, Xbox Live, Steam and Minecraft. More to the point, it was SkidNP that announced that Steam was a target on its list, and the group launched a DDoS attack earlier.

With that said, it's unclear whether that attack is related to the current issue that Steam is facing, but some say there's a chance that it is.

"[They're] quite possibly related. We've seen other cases in the past where environments under high load have had session management problems and assigned one person's identity to someone else. It would be enormously coincidental to have both these issues occur at the same time and not be related," security professional Troy Hunt of HaveIBeenPwned.com tells Forbes.

However, Steam Database notes that this is "not a hack or a DDoS attack," saying that the incident is likely to have been caused by a "misconfiguration in one of Valve's caching layers."
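The failure mode in Steam Database's theory, as an added illustration that is not from the article, Steam Database or Valve: a shared cache keyed only by URL hands the first user's rendered account page to the next requester unless the origin marks the page private and the cache honors that marking. The session values, path and class names are hypothetical.

```python
# Constructed simulation of a shared page cache in front of a web store.
# All names, paths and session values are hypothetical sample data.
ACCOUNTS = {"sess-alice": "alice@example.com", "sess-bob": "bob@example.com"}


def origin(path, cookie, mark_private):
    """Render a per-user page from the session cookie, as an origin server would."""
    body = f"Account page for {ACCOUNTS[cookie]}"
    # A correctly configured origin labels per-user pages as not cacheable
    # by shared caches.
    headers = {"Cache-Control": "private, no-store"} if mark_private else {}
    return headers, body


class SharedCache:
    """Caching layer shared by all users, keyed by URL path only."""

    def __init__(self, honor_private, mark_private):
        self.store = {}
        self.honor_private = honor_private  # does the cache obey Cache-Control?
        self.mark_private = mark_private    # does the origin send Cache-Control?

    def get(self, path, cookie):
        if path in self.store:
            # Cache hit: the requester's cookie is never consulted.
            return self.store[path]
        headers, body = origin(path, cookie, self.mark_private)
        directives = headers.get("Cache-Control", "")
        is_private = "private" in directives or "no-store" in directives
        if not (self.honor_private and is_private):
            self.store[path] = body  # rendered page is now served to everyone
        return body


def demo(honor_private, mark_private):
    """Two different users request the same URL through one shared cache."""
    cache = SharedCache(honor_private, mark_private)
    first = cache.get("/account", "sess-alice")
    second = cache.get("/account", "sess-bob")
    return first, second


if __name__ == "__main__":
    print("misconfigured:", demo(honor_private=False, mark_private=False))
    print("hardened:     ", demo(honor_private=True, mark_private=True))
```

Both halves are needed: if the origin omits the header, or the cache ignores it, the second user still receives the first user's page.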

Some users also took things to Twitter using #steamdown to spread the word, telling other users to stay off the Steam Store to steer clear of any possible issue.

It seems that Steam is in a heap of trouble for this major security failure, but as of right now, it appears that there was no huge damage. At any rate, the company will have to get its act together in the future, regardless of whether the issue was really caused by a cyberattack or a simple internal misconfiguration.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.