Gaming souk Steam spews credit card, personal info in Xmas Day security meltdown

Video game marketplace Steam is leaking people's personal information – including their payment details and billing addresses – to strangers. Gamers browsing the online store have found themselves logged into other people's accounts, revealing strangers' profile settings and other sensitive details, such as addresses, PayPal …

  1. Anonymous Coward

    It seems to be a caching snafu

    Going to will give you the address and details of a random steam user.

    1. Destroy All Monsters Silver badge

      I hope they have cached up on legal insurance, because lawyers need to hit this one hard.

      1. Martin Summers

        "I hope they have cached up on legal insurance, because lawyers need to hit this one hard."

        Yes of course, the answer to all of life's problems is a lawyer isn't it. Please get some perspective, it's a minor privacy breach not someone taking nude pictures of you unawares in your bathroom and posting them online.

        1. Destroy All Monsters Silver badge

          > it's a minor privacy breach

          Jesus Christ, the things one hears in 2015.

          1. Martin Summers

            "Jesus Christ, the things one hears in 2015."

            Hey I didn't say it was right did I, it still sucks and shouldn't happen. Like I said though, perspective...

            1. Anonymous Coward

              "Hey I didn't say it was right did I, it still sucks and shouldn't happen. Like I said though, perspective..."

              No, I just think your perspective and those of many others, is distorted. This isn't minor, the details which were leaked are very sensitive in the wrong hands. Details such as name, address, email, last four credit card numbers and recent purchase history are more than enough to commit fraud or phishing attacks.

              It was also hugely inconvenient, like many people who logged on during that period and discovered they were looking at another person's account I immediately called my bank and cancelled my card. There was no information from Steam about what was happening and I wasn't going to risk some stranger racking up purchases on my account* - even if they might have been refunded later. So now I'm without access to my current account for the next few days until a replacement card arrives, during the holiday season ...

              * Yes, it would seem that this wasn't likely to occur now that the cause of the problem has been revealed (albeit not directly by Steam in a message to their customers), however it was impossible to know that at the time.

              1. Boris the Cockroach Silver badge

                But you read

                the payment screen when you buy a game through steam the same as I do

                Fill in name, yupp, address, yupp... phone number? nope don't get that one, CC number... then notice the box underneath that says "Save CC info?" with its little tick box.

                And you untick that box, and you untick that box because Valve is a big company and fekking useless at security just like everyone else on the internet.

                And even if you save CC info, what's wrong with having a debit card from the bank as well and only ever use the CC for on-line purchases... that way, if the company disappears between you buying and the stuff not arriving, at least you can call the CC company and cancel the payment.

                Gawd help us if you ever have to deal with a real crisis.... it'll be "pull all the breakers and cut the cables because the amber light on the power supply board has gone out" only to find out the bulb has blown...

                1. Anonymous Coward

                  Re: But you read

                  FWIW The same protections which apply to credit cards also happen to apply to my visa debit card - I've never once had any problems getting my bank to refund a charge on my debit card. My CC is kept for emergencies and foreign travel expenses only.

                  1. Danny 14

                    Re: But you read

                    Refunding a CC charge isn't an issue generally UNLESS you go over the CC limit. Then it becomes fun filing a note on your Experian file and getting various flags removed. It is a fecking trawl.

    2. Turtle

      Or Log On To Other People's Steam Account Via Bing...

      I used Bing to find the store pages for two games, and logging on to them, I found myself logged on, simultaneously, to the Steam accounts of two different people. I accessed their "Account Details" pages and could have gone further than that but I did not actually do so. I would imagine any other search engine would have gotten me the same results.

      It made me wonder if someone was logged on to my account but I wasn't able to access it. Although, as I write this, Steam is off-line entirely, I will have to check on that when they're up again, to see if anything has been changed. Steam only has my Paypal account; pretty sure that that doesn't get them any credit card info...

      Whatever shitty webpages Steam creates and sets to "public" when a new account is created were set to "private" by me a long time ago. Although I once had to (temporarily) set a few to "public" to do some trading, those too were reset to "private".

      Did that provide me with any protection, I wonder?...

      1. Turtle

        Re: Or Log On To Other People's Steam Account Via Bing...

        PS: Steam seems to be back online now, immediately after I submitted my previous post.

      2. Anonymous Coward

        Re: Or Log On To Other People's Steam Account Via Bing...

        If it was a caching issue, then most likely you would have been safe - you should worry if you saw your page (as that would be cached and displayed to everybody for the next few minutes* until the cache expired)

        * depending on the cache ttl, or what triggers flushing the cache

  2. Benny

    If it is a caching issue/cookie thing, probably wise to not log in to your account at all..

  3. Anonymous Coward

    Tricky to remove payment details from your account when it won't actually show you your account...

    1. Adam 1

      Maybe you can just remove someone else's payment details and they can remove yours?

    2. joed

      I never really understood "save payment details" options (and why it's checked by default). It's like the merchants want the trouble of maintaining a database every hacker was after (Amazon, you better don't snooze). Same with regard to other personal info that's not required to complete one time payment.

      Bunch of hoarders.

      1. 404

        hehe Amazon.... They fuck up and I'm flying in with a Lvl90 mace - spend a lot of money there.

      2. Mark 85 Silver badge

        I wouldn't worry about Amazon at this moment. The US Gov got hit for 191 Million people's records.... The crackers/hackers/miscreants, etc. are gonna be busy for a while.

      3. Tom 13

        Re: I never really understood "save payment details" options

        Well, if they don't include that check box by default, they can get in serious trouble with their credit card processing company.

        Last time I was involved with it (which was over 10 years ago) you had to destroy the information no more than 60 days after the transaction was completed (including you receiving the money). I don't imagine that number has gone up. If you have a cockup like this, it's only bad PR and sodding users you piss off. If you don't have that check box you'll get your credit processing dropped immediately. That's some serious bad karma.

  4. Anonymous Coward

    Even on the Steam app I am logged in as me but when I view my account details I see someone else's. I don't think this is a caching issue, more of a database snafu with IDs screwed up.

    Someone from Steam needs to roll a DB backup restore and fix this asap.

  5. Craigo

    It's been up and down all day and as of 21:45 it's down for me.

  6. DropBear

    Actually, having to talk to your family is what I imagine hell must look like. Based on personal experience. And yeah, I wish I was kidding...

    1. Destroy All Monsters Silver badge

      You are not alone, DropBear.

      Working from the office now...

    2. Turtle


      "And how many people commit suicide each year because they're forced to spend time with their families?!" - J. Belushi, c.1977, SNL.

  7. Chris Miller

    I'm not seeing anything unusual on my account. Is it perhaps a regional issue? (I'm in the UK.)

    1. Dazzz

      I see UK users reporting the same issue on IRC.

      If you can change your account pull the card details now!

  8. IanTP

    Steam has never had or will ever have my payment details saved, uncheck the box, it's the only way, other than nuking from space!

    Christmas beer in hand :)

    1. Destroy All Monsters Silver badge

      It's no use, you will now have to get a new credit card anyway because, how can you be sure?

      It's an epic fuckup make no mistake and "1 year of free credit monitoring" won't cut it.

      1. David Webb

        Steam never shows full CC details, just last 4 digits, the rest as **** **** ****.

  9. Mr Flibble

    SteamDB's view of what happened – they think that it was a cache problem. I've seen and heard enough to agree with that.

    1. Destroy All Monsters Silver badge


      Where is Gordon Freeman when you need to break something?

      1. This post has been deleted by its author

      2. Turtle

        In Beta, Possibly: "Where is Gordon Freeman...?"

        "Where is Gordon Freeman when you need to break something?"

        In beta, possibly. In the link given by Mr Flibble, , we read the following entry in the comments:

        "A month ago or so HL3's existence on steam in beta was leaked " (but there is a following comment disputing its authenticity.)

  10. Anonymous Coward

    That's why

    I only pay for steam with one-time anonymous limited debit cards. And for other online purchases also.

    Anonymous, obviously, because anonymous.

    1. Anonymous Coward

      Re: That's why

      Steam gift cards purchased at the grocery store work well too. Especially when said grocery store has a gas reward points system and a 4x points sale on gift cards.

      1. Anonymous Coward

        Re: That's why

        Yes, but that doesn't feel nearly as James Bond-ish as using one-time cards...

  11. a_yank_lurker Silver badge

    Seemed OK

    Logged in and everything seems ok, do not store CC with them or other details.

  12. This post has been deleted by its author

  13. Danhalen

    Yup, kinda regret logging into my account page now...

  14. Andy Brock

    Whatever the root cause, Steam should suspend services while figuring it out.

  15. Anonymous Coward

    I can only imagine

    I can only imagine some gentile wort in marketing absolutely had to have some new ridiculous doohickey on the site and it absolutely had to be done on Christmas Day because it was super serial. So some poor sap somewhere rolls it in because "it's not impacting" so demands the marketing director who is well known for his knowledge in such thing and he's very busy stomping his big clown feet. Probably some intern getting chewed out right now.

    Only saying because it's the kind of dumb shit my company does. Mmmmyuugg "it's just a minor CMS change"

    1. Fibbles

      Re: I can only imagine

      According to the denizens of this site, IT problems are never the fault of the IT department.

      Funny that.

      1. 404

        Re: I can only imagine

        Untrue statement.

        We all know IT 'Professionals' with MCSEs, Netware (remember how important that one was back then?), Cisco etc etc certs that are completely useless because reality isn't always covered in Microsoft's KBs. Business owner's sons who didn't know dick about IT yet got paid for it and my all time favorite: The Office IT Guru Who_Installed_Office_That_One_Time...

        IT has been and will increasingly become a commodity with increasing Great Ideas That Are Horribly Bad decisions as a result.

        1. Roland6 Silver badge

          Re: I can only imagine

          The Office IT Guru Who_Installed_Office_That_One_Time...

          A fascinating interview question to ask an AD 'guru' is how many production environment forests have they set up from scratch...

  16. Anonymous Coward

    Oh good

    I never got around to updating my payment details on Steam.

    1. thomas k

      Re: Oh good

      Yes, I've only ever purchased one game through Steam and I'm hoping it was far enough back that it was on my previous bank card.

  17. Anonymous Coward

    Steam's update

    Here - may not be that bad.

    1. Destroy All Monsters Silver badge

      Re: Steam's update


  18. Sureo

    Configuration change on Dec. 25

    Someone must be due for a promotion.

    1. Anonymous Coward

      Re: Configuration change on Dec. 25

      No longer!

  19. Anonymous Coward

    What does that button do?

    Mulled wine + Devops = epic fail

    1. Anonymous Coward

      Re: What does that button do?


      (Or would that be Whineops?)

  20. ecofeco Silver badge

    Oh good lord *facepalm*

    How the hell does that even happen?

  21. LDS Silver badge

    That's again, a "cloud" failure...

    Frankly, I can't understand why I should install all of that crappy software - and give it all those personal details - just to install and play a damned game. I'm very sorry they put their greedy fingers on FSX also - guess it's better to pay for Prepar3D and avoid all that useless Steam cloudy toxic vapor on my machine...

  22. Anonymous Coward

    Fickle idiot gamers

    Seemingly brushing this off as simply annoying, as the internet hasn't instructed them to hate Valve or Steam. Imagine the rabid ranting if this had been Sony/PSN.

    Go figure. Gamers are puppets.

    1. Anonymous Coward

      Re: Fickle idiot gamers

      Being a Valve customer for 10+ years - although not a massively heavy gamer - I can probably say the reason this is being brushed off is because:

      Valve are a good company. They were first to market with digital-distribution and have provided a very good, non-intrusive service with few hiccups. Add to that they also seem to want to make good games/software rather than just be profitable - Portal etc. is awesome, but cheap. There are few software companies I trust to take pride in their software, but Valve is one of them. If you've ever dealt with setting up a Source Dedicated Server on Linux, the process is seamless - again a credit to Valve.

      While yes, this lapse sucks, it happens and will happen again, to Valve and almost every other company that runs long-term. What matters is not what happened, but how Valve responded to it. They took the service down, identified the cause, provided a fix.

      The measures they've already taken have protected my card details (excl. the last 4 digits), so I'm not too worried about that - I'll probably get a new card ordered to be safe. I don't like the idea that someone could have my address, but if anyone does, it's a random gamer who's probably more pissed at not being able to play his games than interested in me. It's certainly not some malicious hacker group about to release it on the net. Ultimately, this is small scale compared to the Sony hack etc. where having your details exposed meant you were actually the victim of a targeted attack by a malicious group.

      1. Captain Obvious

        Re: Fickle idiot gamers

        SHOULD be worried. Ever see a credit check? It contains YOUR credit card numbers EXCEPT for the last 4. Now if the hacker gets the credit report (which is super easy to do), it won't take them long to figure out the whole number. Since a lot of places do not verify the CV code, or someone makes a credit card up, then this will affect you!

        You should change the card. I deleted mine after the first time mine was stolen - I do not recall checking to save the data but apparently, Valve still had it.

        I also recently discovered that Facebook keeps ALL of your old passwords. Try logging in with an old password and they let you know it is an old one and to please enter the current password.

      2. Anonymous Coward

        Re: Fickle idiot gamers

        " SHOULD be worried."

        Yes, if this had been a hack by malicious people and my card number and address were splattered all over the Internet, but it wasn't, there were no hackers/malicious persons involved.

        It was a system balls up, which means if someone out there was lucky enough to be issued the same session ID which matched my cached session ID, they *may* have seen my address. This is a very low possibility, and even if they did, they're more than likely just going to whine to Valve about it, since they loaded Steam to play a game, not steal identities. So no, not too worried.

        And I did say: "I'll probably get a new card ordered to be safe." - but this to me is purely a precautionary measure, I don't feel it's a requirement given the conditions around the bug.

        1. David Neil

          Re: Fickle idiot gamers

          Really? - there were threads full of screenshots on 4chan showing people's details, several people actually sent texts or emails to people just to get a reaction.

          Just because it wasn't a hack doesn't mean that they didn't just spew personally identifiable information all over the net

          1. Anonymous Coward

            Re: Fickle idiot gamers

            "Just because it wasn't a hack doesn't mean that they didn't just spew personally identifiable information all over the net"

            I'll go back to the numbers again. Yes, some Valve customers may be associated with hacker groups. I'd be even less lucky if my details ended up with one of them, which is even less likely than a random gamer seeing my details. So no, still not too worried. (I have ordered a new card now anyway).

            These idiots posting to 4chan are your usual Anonymous idiots, stupid adolescent males looking for attention who haven't considered Valve very likely can correlate the cached session data with the current session data, and determine which users had access to which accounts. I imagine this will be the first thing done if a customer complains of fraudulent activity to Valve off the back of this.

            So if a few 4chan users manage to get themselves banned from Steam and arrested for leaking personal details, then at least some good has come from this. :-)

            1. Anonymous Coward

              Re: Fickle idiot gamers

              One has to be logged in to access any cache, Valve will be on the hunt for the punters. :)

      3. Anonymous Coward

        Re: Fickle idiot gamers

        Being a Valve customer for 10+ years - although not a massively heavy gamer - I can probably say the reason this is being brushed off is because: ...

        A very complacent attitude, particularly in the light of statements such as "Valve have proven multiple times that they’re unable to keep their security standards to a high level."

        If this really is down to a caching issue then I suspect some other project (open source?) has just gained a security headache...

    2. Anonymous Coward

      Re: Fickle idiot gamers

      My point was, the PSN hack, no card details were accessed (not that this is that clear due to the rabid fill in the blanks with made up info reporting). It's also very likely no actual customer data was accessed either, as nothing has ever appeared online. The problem Sony had was they had no way to prove customers' data wasn't taken (due to insufficient logging) and had to therefore paint a worst case picture on advice of their lawyers (downplaying and it coming to light it was worse would have been a litigation nightmare). Sadly the media crucified them for this. It was headline news on BBC for a month. No doubt due to Microsoft fueling the fire and benefitting from the Sony backlash.

      This Steam issue (whilst not a hack) affects REAL people, over 10m, and REAL payment details and yet didn't even get picked up by the mainstream press at all. Not even the BBC tech page, which has loads of non stories.

      Makes you wonder if the whole Industry is on payola

  23. Anonymous Coward

    "I kind of think it's super unprofessional for steam to have not said anything on their social media"

    Oh do kind of stop super whining, you illiterate whinging harpy. No-one cares about your half-formed child thoughts, Victoria, no-one cares.

  24. ThorWarhammer

    Somebody went shopping at Argos and it wasn't me

    So my Wife was out shopping yesterday with my girls and she used a new card when out

    At the same time wingman and I were gorging on Borderlands and yes I ignored the phone when it rang, but we picked up the message from Santander's fraud department. Somebody had been shopping at Argos on-line with our card details.

    The cogs start whirring as we go through purchases with the bank and where those purchases were made, Tesco, Aldi, Lidl, Argos, Tesco pay at pump and Tesco's cash machine, whilst wondering where the hell the details were got from. Home PC and network is way more secure than TalkTalk.

    So fraudster, yesterday at Argos spends £24 £60 £150 gone through then we're told by Santander that they'll be cancelled paperwork in the post then a few for £350-£400 all declined, as luckily new card was actioned during their shopping spree.

    New card was unadulterated in the envelope & been sat for a week or so (old one expires Jan 2016)

    I call the police in town to see if there have been reports of a skimming device in the town (Cupar) and blank drawn here.

    Roll through with Santander what was bought by us and where, nobody behind me in Argos or Tesco or Lidl or Aldi & yeah I even went out for a look at the petrol pump and the ATM at Tesco.

    Then I read about the Steam issues and sure enough last Steam purchase in November was on this card & from what I've seen everything the fraudster needed was slurped up by steam during the snafu, to facilitate an online purchase and account creation on Argos's web-site.

    Santander have duly been informed of this & we await the outcome

    so putting 2 & 2 together & with two other accounts and cards completely unadulterated (hence figuring network not hacked or slurped) It is nice to know Valve and Steam hold enough info for somebody to use my card to buy stuff on my ££, they did kindly wipe all payment info from my account, but somebody still got it though.

    1. Mr Flibble

      Re: Somebody went shopping at Argos and it wasn't me

      I've never quite trusted them with my card details. I've always entered my details every time, never saving them “to save time next time”, and this vindicates my cautious approach here: stuff the convenience when there's too much risk involved.

      1. ThorWarhammer

        Re: Somebody went shopping at Argos and it wasn't me

        Kind of kicking myself over that.....

        However annoying this was it is good to know that Valve shut it down and sorted it out quickly, just unlucky for me some tosser got the full card details then thought about using them for a few days and then tried it on

        If they'd done it Xmas day we probably wouldn't have found out until it was too bloody late!

        Silver lining and all that

        The hardest part will be getting an acknowledgement from Steam/Valve about it al

    2. Jediben

      Re: Somebody went shopping at Argos and it wasn't me

      Wait, are you saying that the last time you went to the Steam account page which bore your credit card number was in NOVEMBER?

      That seems to be an AWFULLY long time for Steam to have cached your purchase page, for it to then be served to a random on 25th December. You sure you didn't buy any meals at a restaurant or allow your card out of your hand since then?

      1. Steven Raith

        Re: Somebody went shopping at Argos and it wasn't me

        Didn't you know Jediben, all the cool kids tell their massively distributed web platforms to cache everything for six months at a time, because obviously the real performance impact is from people who use the system once a quarter.

      2. ThorWarhammer

        Re: Somebody went shopping at Argos and it wasn't me


        No card has not been out my or my wife's hand at all

        Given the timescale it all points to steam

        Unless Argos retail, Tesco retail, Aldi or Lidl have been hacked

        Which is highly unlikely and the fact they waited until the 27th to use the details makes me think they had a conscience but the lure was too much to try their luck.

        I did try local Police re a card skimming device and no dice there.

        Not a home hack as PayPal and the bank accounts are all untouched

        So we're back to steam and yeah the card was on there last transaction Nov 14th for a Star Wars game for my son.

        I've been in and wiped Just Eat as well today and they had expired cards on file...


        1. Steven Raith

          Re: Somebody went shopping at Argos and it wasn't me

          Here's the official statement - unless you made a purchase and entered your details on Steam during the timeframe of the incident, no details, period, would have been leaked. And even then, the details would have been minimal at worst.

          "On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.

          The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.

          If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user."

          My emphasis. Because that's how caching works.

          Does that excuse the snafu? Nope. Does it mean it's likely Steam is the cause of your card fraud? No, to a laughable degree, no. Get the cops to actually check your local petrol station for skimming devices, rather than just asking them if they've had reports of them, because that's - worryingly - more likely to be the case.

          It's also likely that they saw the Steam shenanigans and thought "Hey, if we use those deets now, they'll blame it on Steam!". Or it could just be coincidence.

          Steven R
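The caching behaviour discussed in the quoted statement and in the earlier "caching issue" comments, as an added sketch that is not part of any commenter's post and not Valve's code: a shared cache keyed on the URL alone that stores per-user pages, beside one that honours `Cache-Control`. The origin, paths, user names, TTL and request timeline are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Response:
    body: str
    owner: Optional[str]   # user the origin rendered this page for (None = same for everyone)
    cache_control: str


def origin(path, user):
    """Constructed origin: /account is rendered per user, store pages are shared."""
    if path == "/account":
        return Response(f"billing address of {user}", user, "private, no-store")
    return Response(f"store page {path}", None, "public, max-age=60")


class SharedCache:
    """Edge cache in front of the origin. The key is the path only, so any
    per-user response that gets stored is replayed to whoever asks next."""

    def __init__(self, ttl, honor_cache_control):
        self.ttl = ttl                      # seconds an entry stays valid
        self.honor = honor_cache_control    # False models the configuration error
        self.store = {}                     # path -> (expires_at, Response)

    def _storable(self, resp):
        if not self.honor:
            return True                     # misconfigured: everything is cached
        directives = {d.strip().split("=")[0] for d in resp.cache_control.split(",")}
        return "public" in directives and not directives & {"private", "no-store"}

    def get(self, now, path, user):
        hit = self.store.get(path)
        if hit and hit[0] > now:
            return hit[1]                   # cache hit: origin never sees this user
        resp = origin(path, user)
        if self._storable(resp):
            self.store[path] = (now + self.ttl, resp)
        return resp


def exposures(cache, requests):
    """Return (time, viewer, owner) for every response shown to the wrong user."""
    leaks = []
    for now, user, path in requests:
        resp = cache.get(now, path, user)
        if resp.owner is not None and resp.owner != user:
            leaks.append((now, user, resp.owner))
    return leaks


def exposed_owners(leaks):
    """Users whose own page was shown to somebody else."""
    return sorted({owner for _, _, owner in leaks})


# Constructed timeline: (seconds since start, logged-in user, path requested)
REQUESTS = [
    (0,   "alice", "/account"),        # miss: alice's page is rendered and stored
    (5,   "erin",  "/store/app/10"),   # erin only browses public store pages
    (10,  "bob",   "/account"),        # hit: bob is shown alice's page
    (30,  "erin",  "/store/app/10"),
    (200, "carol", "/account"),        # alice's entry expired at 120; carol's is stored
    (210, "dave",  "/account"),        # hit: dave is shown carol's page
]

if __name__ == "__main__":
    for label, honor in (("misconfigured", False), ("honours Cache-Control", True)):
        leaks = exposures(SharedCache(ttl=120, honor_cache_control=honor), REQUESTS)
        print(label, "->", leaks, "exposed:", exposed_owners(leaks))
```

Only users whose account page was rendered while the bad configuration was live (alice and carol here) have data exposed; erin, who never loaded a personal page, and bob and dave, who were only served someone else's copy, do not.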

          1. ThorWarhammer

            Re: Somebody went shopping at Argos and it wasn't me

            OK first up if it was a skimming device the account would have been emptied

            Second had it been a home snafu they'd have got all the details from the 3 accounts plus our PayPal and probable access to the credit card as well all of which are unadulterated

            As we went over everything with the bank for a 2 week purchasing period it was clear as to the date the card had been slurped

            It is not "laughable" as you put it

            Local community police officer is a personal friend whom I've worked with for 6 years delivering local cycle training to primary school kids, so I called her and not the station.

            Remember TalkTalk they talked shit about customer cards not being given up and it was bullshit

            The fanboys with their pants around their ankles defending steam are laughable.

            Bottom line is this steam can have an official line all they want whilst they know 34,000 customer details were viewed they have no idea to what degree this has been.

            Santander's fraud team have confirmed that we are not the only clients of theirs in the UK that have the same problem pointing back to steam dozens was their word,

            I've also been contacted by a couple of folks in the US via twitter who've had a similar issue.

            Problem being nobody in the industry quite knows what they're getting ahold of and what they're using to "complete" card numbers if they don't get the whole thing, but a bit of code and a nice algorithm will get them what they need if they did not get the whole thing.

            When it happened it felt like being burgled, but it became apparent it was an opportunity for someone not to refuse, not an issue on our part or a security slip.

            My wife is a charge nurse so at work its locked in her office I currently work from home so that's out and then sadly most purchases are at Tesco, Aldi, Lidl or at Tesco or Morrison's gas stations if we eat out we pay cash.

            So as much as Steam want to put out the PC We're doing all we can blah blah blah nobody was compromised bullshit I'm afraid I know differently as do TalkTalk's customers

            And as a footnote Argos's fraud team have also taken this on as they can track the purchase address etc etc and Santander's been super quick to refund the payments which if you're a phishing victim they are not quick to do at all.


            1. Jediben

              Re: Somebody went shopping at Argos and it wasn't me

              Glad all the money came back in the end whatever the case!

  25. Anonymous Coward

    Hold them accountable

    These kinds of outrageous security leaks are unacceptable and those responsible should be held accountable - including jail time and massive fines.

  26. Nocroman

    I enjoyed not having to keep putting in disks to play my games by having them on Steam. BUT, maybe it's time to go back to the old ways if Steam isn't even going to let its customers know when they are in danger from something Steam employees did. This is not a EULA matter, it is a case of sloppy security and can cost customers billions of dollars. I know if my credit is compromised, my attorneys will have a field day with Steam.

  27. Anonymous Coward

    Was that mull and wine or mulled wine? The former axes the latter.

  28. ThorWarhammer


    Valve admit to a DDOS attack and the leak of 34,000 users data 5 days after it happened.....
