Steam security issue exposes users' personal information

51

It's the middle of Steam's big winter sale, which means a huge number of people are browsing, buying, and playing games right now on the platform. Some of them, however, seem to have tripped into a major security hole earlier today. A variety of users on Twitter, NeoGAF, and Reddit first noted that they can see other users' account information — including addresses and credit card data — instead of their own details.

Valve, which owns and operates Steam, confirmed in an email to The Verge that the issue was an internal error and it has been fixed. "Steam is back up and running without any known issues," a company spokesperson said. The company is blaming a "configuration change" earlier today that randomly let some Steam users view others' account pages, but it says the window was no longer than one hour. "We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users," they added.

It's unclear why the company is showing no element of contrition here, considering that its users' personal data was exposed — a fact that it does not deny.

Steam Security Problem Redacted

It's also not totally clear how many users were affected. At least one of us at The Verge was able to replicate it, along with other problems, like being intermittently logged out while browsing the catalog or seeing the storefront in various, apparently random languages. In a message on Steam's forums, a moderator earlier today said, "Steam is not hacked," and that "credit card info and phone numbers are, as required by law, censored and not visible to users."

Update December 25th, 4:30PM ET: Visiting Steam's website or store now returns an error, although games on the service remain playable. There's still no official explanation, but one popular theory holds that Steam is incorrectly caching account pages and rendering them for other users.

Update December 25th, 5:50PM ET: Added Steam forum update. Steam's store appears to be back online, although we don't know how stable and/or safe it is, and attempting to pull up the account details page still returns an error.

Update December 25th, 9:30PM ET: Added comment from Valve.

The best of Verge Video

Back to top ^
X
Log In Sign Up

If you currently have a username with "@" in it, please email support@voxmedia.com.

forgot?
forgot?
Log In Sign Up

Forgot password?

We'll email you a reset link.

If you signed up using a 3rd party account like Facebook or Twitter, please login with it instead.

Forgot username?

We'll email it to you.

If you signed up using a 3rd party account like Facebook or Twitter, please login with it instead.

Forgot password?

If you signed up using a 3rd party account like Facebook or Twitter, please login with it instead.

Try another email?

Forgot username?

If you signed up using a 3rd party account like Facebook or Twitter, please login with it instead.

Try another email?

Almost done,

By becoming a registered user, you are also agreeing to our Terms and confirming that you have read our Privacy Policy.

Authenticating

Great!

Choose an available username to complete sign up.

In order to provide our users with a better overall experience, we ask for more information from Facebook when using it to login so that we can learn more about our audience and provide you with the best possible experience. We do not store specific user data and the sharing of it is not required to login with Facebook.