Hard Light Productions Forums
Off-Topic Discussion => Gaming Discussion => Topic started by: headdie on December 25, 2015, 05:21:40 pm
-
So Totalbiscuit has picked up on Steam having issues, looks to be caching related but best advice is to avoid logging in, especially to the Steam store until Valve has issued a statement on just what happened.
-
I have definitely noticed problems of this sort, myself.
EDIT: Immediately after posting, it seems to be working.
-
I can't manage to browse the store at all, it keeps sending me back to the main list of stuff on sale or on to DLC of stuff I'm looking at without rhyme or reason. Clicking things from the primary list of stuff on sale merely resets it.
Hell, it's just stopped recognizing games I actually own from its sale list.
-
At one point over the past few days, it had me logged in yet not, as it couldn't actually access my inventory so I could check which of this year's trading cards I'd earned. And then when I did buy a couple of games, I never received any confirmation e-mails (and indeed received a flat-out "Your purchase has failed" error message), yet the games are still in my inventory regardless. No idea what the hell's going on in Gabeland.
-
At one point over the past few days, it had me logged in yet not, as it couldn't actually access my inventory so I could check which of this year's trading cards I'd earned. And then when I did buy a couple of games, I never received any confirmation e-mails (and indeed received a flat-out "Your purchase has failed" error message), yet the games are still in my inventory regardless. No idea what the hell's going on in Gabeland.
Was your credit card charged? I haven't had any problems beyond normal Steam issues.
-
The only issues I have noticed so far are search-related. For instance, I could search on "Call of Duty" and see that there were 83 pages (which sounds about right, under Bobby Kotick's Activision, so that isn't an issue), but when I would try to sort them by price it would say "no results found." I haven't bought anything recently, but my trading cards from the sale are showing up OK and no problems with my inventory.
-
At one point over the past few days, it had me logged in yet not, as it couldn't actually access my inventory so I could check which of this year's trading cards I'd earned. And then when I did buy a couple of games, I never received any confirmation e-mails (and indeed received a flat-out "Your purchase has failed" error message), yet the games are still in my inventory regardless. No idea what the hell's going on in Gabeland.
Was your credit card charged? I haven't had any problems beyond normal Steam issues.
It was for the one that actually went through, but not for the second one, and in that case I actually got a follow-up email saying, "Your payment failed, but we'll hold the item in your cart with its current discount for the next 72 hours so you can try again." I did, and that time it went through successfully.
-
For anyone who hasn't been keeping track of this: https://www.youtube.com/watch?v=dkSslseq9Y8 (Tom Scott: Seeing Other People's Steam Accounts: The Christmas Caching Catastrophe)
That's what went wrong.
I would imagine the sporadic downtime we've seen over the past couple of days has been Valve triple-checking everything to make sure this isn't going to happen again.
On the PSA side, if you checked your account details /before/ they shut everything down that first time, there's a slight possibility that your account detail information was visible to others.
-
TotalBiscuit has made a followup looking into just what happened
https://www.youtube.com/watch?v=esmKdMDvSGI
-
http://kotaku.com/valve-still-hasnt-told-steam-users-about-the-christmas-1750114754
Most of all, it’s infuriating that Valve thinks this is okay, that they can just fire off a press statement and let the crisis blow over without even telling customers that the last four digits of their credit cards may have been inadvertently shown to the world. How can such a smart company, one that’s made such stellar, polished games and dominated the PC gaming landscape for nearly a decade now, be so damn stupid?
Cause they'll get away with it. What are you going to do? Not buy from Steam? That ship has already sailed.
-
FYI: http://store.steampowered.com/news/19852/
-
I know, I noticed that they posted that after the story had been written on Kotaku. You've worked computer security IIRC, do you think waiting nearly a week to tell people about a computer breach like this one is acceptable?
-
A couple quotes jump out at me:
These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.
no unauthorized actions were allowed on accounts beyond the viewing of cached page information
Assuming these are accurate, this is significantly less of a big deal than people were saying it was.
-
I know, I noticed that they posted that after the story had been written on Kotaku. You've worked computer security IIRC, do you think waiting nearly a week to tell people about a computer breach like this one is acceptable?
No, I've never worked computer security. And from the content of that blog - Ralwood's excerpts - I think the wait was likely to ascertain exactly what happened and what was lost.
-
Is anybody else having issues purchasing from Steam right now?
-
A couple quotes jump out at me:
These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.
no unauthorized actions were allowed on accounts beyond the viewing of cached page information
Assuming these are accurate, this is significantly less of a big deal than people were saying it was.
I was going to make a post to this effect but they did mention billing addresses, which can be a bit of a big deal.
-
No, I've never worked computer security. And from the content of that blog - Ralwood's excerpts - I think the wait was likely to ascertain exactly what happened and what was lost.
And if you don't know, don't you think you should be telling people to take basic precautions? You know, like every other site that has even the danger of a leak does? As Kotaku mentioned, they did give out more than enough information to, say, steal someone's Netflix or X-Box account by using the information to do some social engineering.
But **** it, it's Steam. People are going to defend their ****ty practices while screaming bloody murder if anyone else did it.
-
A couple quotes jump out at me:
These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.
no unauthorized actions were allowed on accounts beyond the viewing of cached page information
Assuming these are accurate, this is significantly less of a big deal than people were saying it was.
Actually it wasn't, as identifying information (home address, paypal-linked email address, last four digits of the credit card number) was leaked. Not directly harmful, but not exactly harmless either.
-
A couple quotes jump out at me:
These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.
no unauthorized actions were allowed on accounts beyond the viewing of cached page information
Assuming these are accurate, this is significantly less of a big deal than people were saying it was.
Actually it wasn't, as identifying information (home address, paypal-linked email address, last four digits of the credit card number) was leaked. Not directly harmful, but not exactly harmless either.
"Not as big a deal as people were saying" != "harmless". I concur with everything you just said there; it also doesn't contradict what I said in any way.
-
I don't know, I consider these things to be a pretty big deal.
-
I know, I noticed that they posted that after the story had been written on Kotaku. You've worked computer security IIRC, do you think waiting nearly a week to tell people about a computer breach like this one is acceptable?
Well, the government waited four ****ing months to tell me that Chinese hackers stole literally ALL of my personal information. They could hit me personally with an ICBM if they really wanted to with everything the feds leaked. They make you put your entire damn life story in that SF86. I had to do research to fill it out. On myself. That is not a joke or exaggeration. May god have mercy on the poor soul of a lowly federal employee who doesn't complete their PII security training, but if the top dogs **** up to the tune of 14 million records, well.... oops. Our bad.
-
Well that's obviously far worse, but it doesn't absolve Valve of any guilt.
-
No, I've never worked computer security. And from the content of that blog - Ralwood's excerpts - I think the wait was likely to ascertain exactly what happened and what was lost.
And if you don't know, don't you think you should be telling people to take basic precautions? You know, like every other site that has even the danger of a leak does? As Kotaku mentioned, they did give out more than enough information to, say, steal someone's Netflix or X-Box account by using the information to do some social engineering.
But **** it, it's Steam. People are going to defend their ****ty practices while screaming bloody murder if anyone else did it.
What could you possibly do to mitigate that risk? Deactivate your accounts and re-register with a different email address? Get a new credit card because the last few digits were compromised? Move to a different house? This is a serious question. None of the stuff potentially compromised is supposed to be 100% secret, even your billing address.
Also I would blame Netflix for allowing account hijacking without secret information, not Valve. Sure leaking personal information is bad, but Hell you can't blame Valve for letting people get into my Netflix per se when my co-workers and friends could just as easily get in without the leak.
-
Sure, it's incredibly strange that in this day and age, it is still rather trivial to steal an identity using just four numbers, but it has happened. But Valve is very definitely at fault for two things: One, that they allowed this thing to happen at all (the only reason this became an actual thing was that compromising information was cached), and Two, that they used the typical Valve approach to communication with regards to this. They were keeping quiet about it for a very long time, and that is just not acceptable for this type of thing.
Basically, I'm with Total Biscuit on this:
-
What could you possibly do to mitigate that risk? Deactivate your accounts and re-register with a different email address? Get a new credit card because the last few digits were compromised? Move to a different house? This is a serious question. None of the stuff potentially compromised is supposed to be 100% secret, even your billing address.
Also I would blame Netflix for allowing account hijacking without secret information, not Valve. Sure leaking personal information is bad, but Hell you can't blame Valve for letting people get into my Netflix per se when my co-workers and friends could just as easily get in without the leak.
"Hi, this is Steve at Valve support. We've noticed a problem with your account which could lead to us deactivating your account. If you could just give me the full credit card number for the card you use with your account, the one that ends in 7328, I'll get that sorted for you."
I'd only need telephone number and last 2 or 4 digits to do that much. More data would only help to make it more believable and since this is a cached request from the store, if I can name a game the person ordered literally only an hour ago, I could probably fool a lot more people than this kind of exploit would normally catch.
Yeah, you can't change the data that Valve allowed to leak easily, but you can damn well be careful to look out for someone trying to exploit it.
-
Small nitpick that actually doesn't matter (but could be interesting for those who like such details):
The last 4 of a credit card is actually the last 3 of your account, plus a hash digit on the whole number (which includes stuff like system number, bank number, and account number).
http://money.howstuffworks.com/personal-finance/debt-management/credit-card1.htm
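The "hash digit" in the post above is the check digit that payment card numbers carry as their final digit, computed with the Luhn algorithm. The following is an added example, not part of the original post: the 12-digit prefix is taken from the widely published 4111... test number and used as constructed sample input, and the function names are illustrative.

```python
"""Luhn check digit: why a card's last four digits hold only three free digits."""


def luhn_check_digit(payload: str) -> int:
    """Return the check digit for a card number given without its final digit."""
    total = 0
    # Walk right to left; the digit next to the check digit is doubled first.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
    return (10 - total % 10) % 10


def luhn_valid(pan: str) -> bool:
    """True if the full number's last digit matches its Luhn check digit."""
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == int(pan[-1])


def valid_last_fours(first_twelve: str) -> list[str]:
    """For a fixed 12-digit prefix, list every last-four that passes Luhn."""
    results = []
    for n in range(1000):
        three = f"{n:03d}"
        # The fourth digit is not free: it is forced by everything before it.
        check = luhn_check_digit(first_twelve + three)
        results.append(three + str(check))
    return results


if __name__ == "__main__":
    prefix = "411111111111"  # constructed: first 12 digits of a public test number
    fours = valid_last_fours(prefix)
    print(len(fours), "valid endings out of 10000 four-digit strings")
    print("1111 valid:", luhn_valid(prefix + "1111"))
    print("1121 valid:", luhn_valid(prefix + "1121"))
```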
-
Maybe in the US, but I just checked mine and they are nowhere near
-
Finally got VPN access so I could watch the Total Biscuit video, and he's basically come to almost exactly the same opinion as I have. Steam failed to give the care it should have to their users, but they'll get away with it cause people love them and don't care that a billion dollar company is ****ing them over cause they think they're friends.
-
You know, sometimes schadenfreude is just way too hard to suppress
(http://vignette3.wikia.nocookie.net/simpsons/images/e/e9/Nelson_Ha-Ha.jpg/revision/latest?cb=20121205194057)
I do recall warning a bunch of people in this very forum about Steam and about this issue and account lockings some years ago.
Let this be a reminder that you should require about the same amount of diligence from Valve as you do from banks in keeping your accounts safe.
-
It wasn't all that long ago that my Steam account was worth more than my bank account :P
-
I do recall warning a bunch of people in this very forum about Steam and about this issue and account lockings some years ago.
I remember warning people when Steam was first released about the fact that the more games you bought off Steam, the less power you would have to stop using their service, and that as a result they wouldn't have any real impetus to keep up a good level of service.
But like I said, that ship has sailed and people aren't going to give Valve the push to improve based on this leak. To be honest, I do wonder what kind of **** up Valve would have to make before people did start insisting on a change.
-
I remember warning people when Steam was first released about the fact that the more games you bought off Steam, the less power you would have to stop using their service, and that as a result they wouldn't have any real impetus to keep up a good level of service.
But like I said, that ship has sailed and people aren't going to give Valve the push to improve based on this leak. To be honest, I do wonder what kind of **** up Valve would have to make before people did start insisting on a change.
You mean a **** up like selling mods?
-
I didn't see any changes to Valve's service cause of that. Just not the introduction of something new and stupid. I'm talking about how big of a **** up they'd have to make before they were treated even remotely closely to the way any other company offering the same services would be.