The Steam Cache Issue Thread of Panic


Tara


After checking over the options, it looks like Steam doesn't list the card holder name and address and stuff in the account history anyway, so I don't think accessing one's account alone could have posed any kind of threat to your identity unless I missed a page.  It could still hurt if you had that payment information saved in the checkout menu though.


Quote

After checking over the options, it looks like Steam doesn't list the card holder name and address and stuff in the account history anyway, so I don't think accessing one's account alone could have posed any kind of threat to your identity unless I missed a page. It could still hurt if you had that payment information saved in the checkout menu though.

There was quite literally nothing at risk, there was the last four digits of a card or the PayPal email (and the contact email attached to your email if different) and due to it being a cached page, you couldn't do shit about it anyway (e.g. removing payment options and the like). And in a checkout situation, you pick from a dropdown menu for previous options, or if entering details, Steam doesn't cache that data anyway.

So basically, the only thing that could happen as a result of this is that your email may have been signed up for loads of porn accounts.

Edited by Celestia Ludenberg

Quote

There was quite literally nothing at risk, there was the last four digits of a card or the PayPal email

OK, the last 4 numbers of your card can be used by data miners and social engineers to profile build, which means it can be used in conjunction with your email to fool stores into giving someone full access to your user profile on a retail site or any other site which uses your details.

Whilst you cannot use the 4 digits alone to make purchases, you can use the information which was leaked to build and construct a social profile, which isn't as hard as you might think it is; simply enter the values into software and let it run.

Depending on how much information about you there is online, info like this can be key in giving someone the tools to get unauthorised access to accounts you own on various web services.

Quote

There was quite literally nothing at risk,

So based on what I just wrote, if you still have full confidence in 'nothing at risk' how about posting the last 4 digits of your card and email?


Quote

OK, the last 4 numbers of your card can be used by data miners and social engineers to profile build, which means it can be used in conjunction with your email to fool stores into giving someone full access to your user profile on a retail site or any other site which uses your details.

Whilst you cannot use the 4 digits alone to make purchases, you can use the information which was leaked to build and construct a social profile, which isn't as hard as you might think it is; simply enter the values into software and let it run.

Depending on how much information about you there is online, info like this can be key in giving someone the tools to get unauthorised access to accounts you own on various web services.

So based on what I just wrote, if you still have full confidence in 'nothing at risk' how about posting the last 4 digits of your card and email?

If people are going to that length to glean your data, then at that point, they were already going to do it. While I see your point, I maintain that while maybe nothing being at risk was an overstatement, there was an incredibly low risk of anything happening due to the sheer probability of someone attempting and going to that trouble to get that data. And even then, having the last four digits of a card number doesn't give you the start/expiry date, security code, cardholder's name, so on and so forth.


Quote

If people are going to that length to glean your data, then at that point, they were already going to do it. While I see your point, I maintain that while maybe nothing being at risk was an overstatement, there was an incredibly low risk of anything happening due to the sheer probability of someone attempting and going to that trouble to get that data. And even then, having the last four digits of a card number doesn't give you the start/expiry date, security code, cardholder's name, so on and so forth.

Go ahead then. 

Post the last 4 digits if it's such a low risk.


Quote

Go ahead then.

Post the last 4 digits if it's such a low risk.

Different ball game entirely, this site for one isn't on an HTTPS domain and I'm not making a payment here anyway.

I also don't have my card to hand because circumstances.

Edited by Celestia Ludenberg

Quote

Different ball game entirely, this site for one isn't on an HTTPS domain and I'm not making a payment here anyway.

I also don't have my card to hand because circumstances.

Not a different ball game at all if you can't do anything with the last 4 digits. Post them if you're so confident in your knowledge of how hard it is to construct a socially engineered profile.

You know what, you'd better not post your details because frankly if this really is your attitude and you're not just trying to make out as if the last 4 numbers on your card can do some damage, I really don't want to be seen as being the guy responsible for when someone actually does use your details maliciously.


Quote

Not a different ball game at all if you can't do anything with the last 4 digits. Post them if you're so confident in your knowledge of how hard it is to construct a socially engineered profile.

Posting the last four digits of my card on a website that anyone can view or posting the digits on a website which is saved behind my password, and a two-factor authentication process?


Hogfather, all you're doing right now is making a demand for something that no logical person would do just to prove your point, which... I'm not sure exactly what it accomplishes in your favor, because Celestia choosing not to post their card number certainly doesn't make you any more correct. I'm sure there's a name for this kind of logical fallacy but I can't find it anywhere.


The account data actually only lists the last two of your card number now, which significantly lowers the risk simply because no retailer will ever ask you for the last two. So it provides enough context for the buyer to understand, but obscures just enough so that no one else can do what Hogfather is suggesting.

I'm sure particularly advanced data thieves could probably use that in some way as well, though. So I'm not totally disagreeing with Hogfather, either. Data thieves are always looking for ways to screw someone over, and it's not always a premeditated thing. But I don't think the risk that I was initially scared of is even there or at least as big as I had thought based on the fear that was circulating a few days ago.


Quote

Hogfather, all you're doing right now is making a demand for something that no logical person would do just to prove your point, which... I'm not sure exactly what it accomplishes in your favor, because Celestia choosing not to post their card number certainly doesn't make you any more correct. I'm sure there's a name for this kind of logical fallacy but I can't find it anywhere.

It's quite simple. The assumption is that if anyone saw your details as the glitch presented them, it's not a big deal since it can't really do anything.

I'm saying that information as it's presented can be used to data mine or socially engineer profile details which if used correctly can be used to gain access to accounts which that user owns on other web services.

But of course if you don't believe that, if you are so confident that the data leaked can do no or little harm, prove your point and post your details as Steam presented them in the glitch.


http://utminers.utep.edu/omwilliamson/ENGL1311/fallacies.htm


Quote

Shifting the Burden of Proof. (see also Argument from Ignorance) A fallacy that challenges opponents to disprove a claim rather than asking the person making the claim to defend his/her own argument. E.g., "Space-aliens are everywhere among us masquerading as true humans, even right here on campus! I dare you prove it isn't so! See? You can't! That means what I say is true."

I guess this is the closest thing I can find that describes what you're doing right now. The main difference is that you're asking someone to do something that nobody in their right minds would do. Asking the other to perform an impossible task doesn't automatically validate your argument, especially if posting one's credit card info on a public message board has absolutely nothing to do with the topic at hand.


Quote

The main difference is that you're asking someone to do something that nobody in their right minds would do. Asking the other to perform an impossible task doesn't automatically validate your argument,

I believe they call what you are doing "Missing the point entirely". Although the odd thing is you kinda do sorta get the point in that it is kinda a big deal to get these details revealed publicly so I really don't understand why you're moaning about me pointing out how it's not a good idea to have your details on show like this other than the fact you're trying to start something.


Not trying to start anything. Just saying that you making a request to someone that you know they can't fulfill, and would be stupid to do so, isn't a good habit to have in a debate. I'm not as concerned with trying to argue whether or not there was a severe security breach as I am with the methods you were using to shoot down Celestia's points. Simply put, asking them to post their card digits in order to prove a point is completely unfair.


Wait, if you weren't connected, that means your account didn't get affected, right? Because I didn't put anything personal in the settings and my Steam wallet was empty for a long time, so I would be OK.


If you weren't on Steam at all during the time this transpired, you are most likely not affected, but it's always a good idea to check anyway.


Five days after the atrocious event, Valve has finally given an official statement on their site.

http://store.steampowered.com/news/19852/

Quote

We'd like to follow up with more information regarding Steam's troubled Christmas.

What happened

On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.

The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.

If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user.

Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users.

How it happened

Early Christmas morning (Pacific Standard Time), the Steam Store was the target of a DoS attack which prevented the serving of store pages to users. Attacks against the Steam Store, and Steam in general, are a regular occurrence that Valve handles both directly and with the help of partner companies, and typically do not impact Steam users. During the Christmas attack, traffic to the Steam store increased 2000% over the average traffic during the Steam Sale.

In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.

Once this error was identified, the Steam Store was shut down and a new caching configuration was deployed. The Steam Store remained down until we had reviewed all caching configurations, and we received confirmation that the latest configurations had been deployed to all partner servers and that all cached data on edge servers had been purged.

We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward. We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service.
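A simplified simulation of the failure mode Valve describes above (an edge cache keyed on URL that also stores responses generated for authenticated users), added here as an example; it is not Valve's or its caching partner's actual configuration, and the Request/Response types, origin() and EdgeCache are hypothetical stand-ins. The same cache with the private/no-store and session-cookie bypass honoured shows the hardened rule still caching the public front page.

```python
from dataclasses import dataclass
# Constructed sample traffic (not real Steam requests): logged-in users and an
# anonymous visitor fetching the same URLs through one shared edge cache.
@dataclass
class Request:
    path: str
    cookies: dict

@dataclass
class Response:
    body: str
    headers: dict

def origin(req: Request) -> Response:
    """Stand-in for the Store origin: account pages are per-user and marked private."""
    user = req.cookies.get("session", "anonymous")
    if req.path == "/account":
        return Response(f"account page for {user}", {"Cache-Control": "private, no-store"})
    return Response("front page", {"Cache-Control": "public, max-age=60"})

class EdgeCache:
    """Edge cache keyed on URL only; honor_private=False reproduces a rule that
    caches responses generated for authenticated users."""
    def __init__(self, honor_private: bool):
        self.honor_private = honor_private
        self.store: dict = {}

    def fetch(self, req: Request) -> Response:
        if req.path in self.store:
            return self.store[req.path]
        resp = origin(req)
        cc = resp.headers.get("Cache-Control", "")
        # Hardened rule: never store private/no-store responses, and never store
        # anything produced for a request that carried a session cookie.
        if self.honor_private and ("private" in cc or "no-store" in cc or "session" in req.cookies):
            return resp
        self.store[req.path] = resp
        return resp

def what_bob_sees(honor_private: bool) -> str:
    """Alice loads her account page first; return the body Bob then receives."""
    cache = EdgeCache(honor_private)
    cache.fetch(Request("/account", {"session": "alice"}))
    return cache.fetch(Request("/account", {"session": "bob"})).body

def front_page_hits(honor_private: bool) -> int:
    """Of three anonymous front-page requests, how many were served from cache."""
    cache, hits = EdgeCache(honor_private), 0
    for _ in range(3):
        hits += "/" in cache.store
        cache.fetch(Request("/", {}))
    return hits
```

With the broken rule Bob is served Alice's account page; with the bypass in place each user gets their own page while the public front page is still cached.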

So I guess I stand corrected on the statement that this wasn't the result of malicious activity? Granted, it's not the same as the cries of Steam being hacked, but still.

Also, it's a bit relieving to know that this information was only leaked through transaction pages. So if you didn't buy anything on Christmas, you're probably fine!


It also looks like it wasn't even Valve's own fault, it was one of their partners who handle the cache for the sites. That explains why Valve didn't issue anything until they got the full details as well as why it took them 1 hour to shut down the store.
