A Huge Steam Screwup Leaked Users' Account Info (Update)

Valve has commented on today's issues.

|
Dec 26 2015, 12:48am

Image: Valve.

On Friday afternoon Eastern Time, we started getting reports that something was seriously wrong with Steam, the digital PC games platform that services over 125 million users.

Players logged into their accounts only to see the front page of the Steam store set to Russian, Chinese, and other languages that their accounts shouldn't display. Upon further examination, players discovered that when they checked their account information, they were each seeing information for another random Steam user's account information.

Motherboard contributor Ian Birnbaum saw the last two digits of a random Steam user's credit card number, the last four digits of his phone number (meaning this user had two-factor authentication on), full name, billing address, and an email address associated with his PayPal account. Another friend told me he had the same experience. He logged into his account only to discover that his login was connected to a user named chill_bro, giving him access to all the information above, as well as what games he played, when, and for how long.

Needless to say, this is colossal fuck-up, which the Steam tracking site Steam Database now suggests is due to a caching issue. A few hours into the debacle, Valve, the company that operates Steam, seemingly pulled the plug on the platform so no one could access it at all. Steam is back online now, and everything seems to be working fine. It's not clear what caused this problem, though a group named SkidNP did threaten to take Steam down on Christmas earlier this month. (It's worth noting that major game services like Xbox Live and PlayStation Network were attacked on Christmas last year. Valve wasn't affected by that attack.)

"Steam is back up and running without any known issues," Valve told Motherboard in an email. "As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users."

If you're freaked out, don't bother calling: One of the biggest complaints about Valve is the company's lack of a customer support phone number to call, as we've discovered when we've read through 264 FTC complaints against it.

Of course, the fear here iss twofold: First, that someone could use this information to hack your Steam account and any other account that shares the same information. Second, that someone with access to your account could have gone on a crazy Steam shopping spree, and perhaps gift themselves some games or in-game items. Users who tried buying games discovered that once they went to check out, it was empty because they were then logged into another random Steam user's account.

Did I already say this was a colossal fuck-up? It bears repeating.

Update: Valve has replied to Motherboard with a comment about today's security issues after this story was first published. The story has been updated with Valve's comment and edited to reflect that.