Breach, Data Security

Steam blows as games website’s security collapse

Gaming platform Steam appeared to have developed a huge problem when users found themselves being logged into other, seemingly random accounts.

The glitch allowed users to see personal and financial information, such as some credit card and PayPal details, according to some user posting and Steam's own community web forum.

“My friend informed me. When you go into 'Account Information' via Steam Client, it leads you to other people's pages,” said Neogaf forum member Quirah.

“I looked at it and there is another guys page named 'minkey***' and it has saved credit card information, which is not mine. I can see his mail address clearly. Also if that random guy has money in Steam Wallet, I think you can spend it too. Mine has $0 at all,” he added.

Twitter user Jordi tweeted: “Just logged into steam to find out someone bought all the Sims 4 DLCs for me worth $5690 with my Credit Card! How is this even possible?”

However, Valve, the form behind Steam said that the problem was down to a “configuration change”.

“A caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour,” the company said in a statement. “This issue has since been resolved. We believe no unauthorised actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.”

Originally, after the problem was discovered, Steam pulled the plug on the entire service while investigated the issue. It also looks like no purchases went through during the problem and neither did any credit card or any financial information get compromised.

According to Reddit user KondaxDesign, the problem wasn't Steam's fault.

“It's a natural way of how many web servers react in a case like this, and unless they completely change the way cache is handled - they can't do much about it,” they said.

“It happens all the time. Anyhow, this isn't so much a security issue but more of a privacy issue. The only details people can view are your steam name, balance and email.”

KondaxDesign explained what may have happened in this instance.

“Jimmy visits Steam loads all his data, emails and stuff to show on the website. Steam then saves a copy of this on their server and outputs the page to Jimmy. Whenever Jimmy views that page, if his email hasn't been changed, then steam will show the saved file. If it has been changed, they will 'remake' the webpage and save it again, showing him the new one. Ronald comes to steam while their servers are drunk. The server that checks if Jimmy's email has been changed is offline. This confuses steam, so they just show Ronald Jimmy's saved file. It's not his profile, but essentials the Steam server is 'drunk' and got mixed up so they showed the file they thought was Ronald's.”

They added that this is a concern because it's leaking users' names, emails and account balances, whether they have steam guard enable and other profile information, but none of it can be changed. “People can't buy or edit anything because the webpage they're viewing is just a copy.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.