Eurogamer.net

Steam security error leaves personal information exposed

UPDATE: Store returns online as Valve shrugs out statement.

UPDATE 26/12/15 11.35pm: Steam's store is back online after a Christmas Day error exposed countless users' personal details.

A statement from Valve has brushed off the issue, which left users able to view (but not edit) personal details in other people's accounts.

Steam users need not do anything in response to the error, Valve has reassured, despite usernames, PayPal emails and home addresses registered to credit cards being visible.

Full credit card details and passwords were not shown.

"Steam is back up and running without any known issues," Valve explained via a Steam forum post. "As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour.

"This issue has since been resolved. We believe no unauthorised actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users."

ORIGINAL STORY 25/12/15 9.45pm: Steam's store has been pulled offline after a major security error exposed thousands of users' personal information.

Anyone logging in to Steam this evening, Christmas Day, was greeted with account details for other users' accounts instead of their own.

Usernames and PayPal email addresses were visible, along with purchase histories and other private information.

Thankfully, no new purchases could be made - despite users being able to see the amount of funds in another user's Steam wallet, as well as censored information on linked credit cards such as the last few digits. Account details could not be changed, either.

But the information linked to accounts could still be used to compromise other services.

Eurogamer readers have provided evidence of being able to view dozens of other users, with accounts served up at random as they refreshed the store pages.

We've also seen account details of people who were using the service's Steam Guard and Mobile Authenticator methods of protection - which did not stop the information being shown.

At present it appears to have been a caching error on Valve's part, which ended up serving the wrong pages to the wrong people.

Valve has yet to comment on the matter. Steam's help desk is also offline.

Merry Christmas.
