Sometimes something comes up that demands a discussion and especially when the reaction to it seems to be completely wrong. So here I am, and we're here to discuss what happened at Steam on Christmas day, and why Valve's lack of communication, reaction, and action are not acceptable.
If you weren't on Steam that day, and have been enjoying the holidays, what happened in brief is that, according to Valve, they on Christmas day implemented a change to their caching system. For about an hour (Valve claims it was under, I recall it being a bit over, but it was near that ) people would see the accounts of others on the Steam website whether via a browser or loaded in the Steam client. While seeing the wishlist, or what language the thing is in, is mostly harmless, what wasn't harmless was the fact that a lot of personal account information was visible. Potentially what could be seen was: your real name, email address, last 4 digits of credit card, mobile phone number, and billing address.
Now, I mentioned Valve said something. Yes. They sent a terse response to some game websites, so let's take a look at the only official communication from Valve on this:
Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.
This statement was sent to gaming press sites who inquired, but it was not posted on any official Valve sources, such as their announcement area, or either official Twitter. While it's a short statement, there's a lot to dissect there so let's go through it line by line.
Steam is back up and running without any known issues
That wasn't exactly accurate actually, as for a while after many users reported issues with logging in. While I didn't experience that myself, there were enough reports to make me believe it was a widespread issue for many, but not all users. It is possible that it was just caches on the users side causing issues, or congestion, but the issue seemed to be for people who were wanting to log in—and logging in does have some impacts with caching as we'll get to.
As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour.
If this is accurate, that means that the issue yesterday wasn't the result of an attack. That's good. What's not good is that it means instead its the result of at best mass arrogance, and very possibly gross negligence. This was something Valve did on their own and apparently without properly testing it before. The fact that it was made earlier that day—on Christmas day—makes it seem like someone at the office decided to test something, live, because of the stress the servers were under. That type of testing should never be done first on a live server with actual information—you have test servers to try things out just to find this type of issue. You don't implement this type of change when people are away or when there's an uptick of server stress without having thoroughly tested it, and Valve illustrated why. That is because if it goes wrong, you are likely violating the trust of your users. Those pages generated included those such as Account Details where all that key information was kept.
This issue has since been resolved
Technically, true. We aren't seeing other users any more. What isn't resolved is the fallout from all of this, and the fact that potentially millions of customers' personal information was shared by Valve with people.
We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.
This line is one with a lot of issues.
First, "we believe," which means they have not confirmed that there were no unauthorized actions. They believe it. The same people who believed that they could implement that cache change without there being any issues.
Second, "beyond the viewing of cached page information" is a really dismissive way of discussing what was in effect the doxxing of many users.
Third and most insultingly: "no additional action is required by users." That part in particular is patently false. There is, if what Valve has said is the limit of the situation, no need to change your password or anything like that. However, there is the need for users to be extra vigilant and keep an eye. The information that was leaked can have serious repercussions and there are things that people need to know—to keep a closer eye on credit card statements, to watch credit report and other sources for unknown account applications. That is basic security when this information leaks out there.
So ... Valve's statement to gaming press was an attempt to massively downplay what happened and dismiss it. However, what happened is not something that can be easily dismissed, and while I hear the VDF (Valve Defense Force) getting ready to attack, let me explain why—a bit more of what I've alluded to.
Beyond the fact that this type of leak is sanctioned and illegal in many countries, the first of the big issues is one that many in the gaming community have become more familiar with in the past year: doxxing. The posting of personal online information that identifies the person can have many repercussions. These range from the relatively small—like someone connecting a face to an online name, to harassment, all the way up to having police arrive at your door armed to the teeth, aka swatting. This is a serious issue and the fact that addresses and phone numbers were available emphasizes this point in particular, as with a name and address (as well as email) the potential harm from doxxing goes far up beyond the digital into the physical world.
The other major issue potentially is the social engineering and identity theft that can be done with this information. Just the name and last 4 digits of a credit card can confirm with many organizations or companies you are who you claim to be, and address adds even more to that list. That information is stuff that can be used to sign up for fake credit cards, sign up for things in another person's name, be used to get more information to fill in other things, and more. This is a big part of why companies need to take this privacy stuff beyond the credit card number seriously as even without the ability to make direct purchases in your name, there's a lot of harm that can be done.
People have been talking about how it is resolved and how it's good that it's done with. However, Valve needs to inform its customers that their information was at risk—that they essentially with their screw up risked that information. This is without getting into the unconfirmed reports that people could indeed buy things there for a short period, which if so would indicate that there was an even more severe change in how Valve handled caching, disabling essential protections of not caching when going to payment pages. They need to apologize, offer some more information in general, and let people know it happened—not try and sweep it under the rug.
Without that information we can only speculate, and the people who most feed off speculation are those who take advantage of an uncertain situation: scammers and fraudsters. Given account names, emails, and other information as well as knowledge that more users are going to be concerned and possibly unsure what has happened, it is a prime situation for them to step in. Until Valve steps up and talks about what happened, publicly and via their own channels, that uncertainty will remain for many people who don't read gaming press and get their information second or third hand.
And please, stop saying that the mass leaking of personal information was not a big deal if you were. It was and is.