I always was curious about this Russian dude's hats
December 25, 2015 2:55 PM   Subscribe

Got a hankering to cash in that newly-acquired gift card or just browse the newest Winter Sale? You might be waiting for a while, as the Steam Store is currently very, very down.

This is an improvement on earlier in the day, when users were suddenly encountering the addresses, emails, and inventories of random other users. A caching issue gone wrong, and/or a side effect of the usual Christmas DDOS? In any case, this is probably not a great Christmas if you work for Valve support.
posted by selfnoise (33 comments total) 6 users marked this as a favorite
 
This is terrible but Steam is pretty awful on a good day. Seriously, it's like Real Player or Flash Player level of awfulness with its daily updates and restarts, pop-up banners, and clunky interface. So not surprised that this happens.
posted by Foci for Analysis at 3:03 PM on December 25, 2015 [7 favorites]


half-life 3 confirmed
posted by Justinian at 3:11 PM on December 25, 2015 [16 favorites]


Flash Player level of awfulness

At least it doesn't try to install McAfee every time it updates.
posted by BungaDunga at 3:29 PM on December 25, 2015 [6 favorites]


Looking at the Facebook memories thing, I've seen about three or four updates of mine in the past (2010 and 2011 only) whining about Steam being down (again) on the past few days. This makes the usual downtime seem like the nuisance it really was.
posted by lmfsilva at 3:44 PM on December 25, 2015


Eh, I like Steam. Or, rather, I like Steam better than having a collection of CDs, boxes, patching, third party sites and utilities... the list goes on. I think it often runs into a problem like Google, where it's a private service that's almost bordering on public utility status due to its success and ubiquity, therefore mistakes sting users a lot more since they feel trapped by the service. Similar attempts at alternatives have been even worse.

The silver-ish lining to this is that I'm on a game buying hiatus for the short term, so not having the temptation there is a good thing for me. The crossing of accounts is pretty bad though, even as someone who likes Steam.
posted by codacorolla at 3:44 PM on December 25, 2015 [6 favorites]


There is still no official response from Valve about any of this.

Too early to say whether this will result in a permanent hit to Valve's reputation or if the fact that it hit during Christmas means most people won't notice. But given the breadth of information revealed by the issue, Valve should be hit hard by this, especially given their total radio silence on the matter. For chrissakes, you can still see someone's account details in Google's cache. That should NEVER EVER be the case.
posted by chrominance at 3:51 PM on December 25, 2015 [4 favorites]


Someone in Bellevue, WA, is having a really shitty Christmas.
posted by Cool Papa Bell at 3:56 PM on December 25, 2015 [1 favorite]


SteamDB has a pretty reasonable blog post up on this. Probably the most info we're ever going to get on this, knowing Valve. Turns out, if you decide that people only need to work on what they feel like working on, nobody will ever feel like handling outage communications.
posted by tobascodagama at 3:56 PM on December 25, 2015 [9 favorites]


I know that Valve just isn't going to say shit about this, and it's incredibly irritating, because I'd really like to buy a game and I'm just not 100% confident it's a good idea at the moment. (because I don't store my CC in Steam, so it's not there NOW....)
posted by selfnoise at 3:57 PM on December 25, 2015 [1 favorite]


Foci for Analysis: Daily updates? Are you signed up for the beta client, maybe?
posted by ODiV at 4:16 PM on December 25, 2015


Oh, and there's a checkbox for the popups under "Interface" in settings.

Not to be all "Well, actually..."

There are actually issues with the interface. Just thought I'd give you some suggestions if these are things that are annoying you.

posted by ODiV at 4:20 PM on December 25, 2015


Seems to be working for me. Didn't try to buy anything, tho.
posted by Kevin Street at 4:50 PM on December 25, 2015


Just so you know, you don't need Steam running to play Kerbal Space Program. Just run [Steam folder]\SteamApps\common\Kerbal Space Program\KSP.exe (or your Mac or Linux equivalent).
posted by dirigibleman at 4:54 PM on December 25, 2015 [1 favorite]


So how do I know if my info was compromised?
posted by infinitewindow at 4:54 PM on December 25, 2015


They could definitely do me a favor by giving me an opportunity to delete my account from their servers. Geez.
posted by yueliang at 5:10 PM on December 25, 2015


So how do I know if my info was compromised?

It's hard to say, really. What would have been visible would be your address, email address, purchase history, and the last 2 of your CC. But I'm not sure anyone can prove if yours was visible. It's more likely if you were active on Steam today since it seemed to be spitting out cached pages which would have been generated when someone was active.

This is a good reminder to never store your address or CC number on Steam. Just enter it when you need to buy something.

Here's Valve commenting (tersely) on the issue:

Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.
posted by selfnoise at 5:40 PM on December 25, 2015 [1 favorite]


Considering my partner and I both saw the same person's account when checking from our phones, I suspect that only some accounts were cached and those were what was being randomly served out to people. But who knows?

There is one Valve staffer in the reddit thread who's been in to say they're working on it, and it's fixed. The absolute lack of communication otherwise is really concerning to me
posted by thecjm at 5:59 PM on December 25, 2015


UNGH. I got my dad, a soon to be retired plasma physicist/maker of weapons of mass destruction, Kerbal Space Program for Christmas. That he could not log on to Steam, let alone deal with its crappy interface, has now tagged the game as Hassle and my gift as Wanting in his mind. Gee, thanks. Steam LOL indeed.
posted by robocop is bleeding at 7:01 PM on December 25, 2015 [3 favorites]


There is one Valve staffer in the reddit thread who's been in to say they're working on it, and it's fixed. The absolute lack of communication otherwise is really concerning to me

As far as I can tell it's not even a Valve staffer, but one of their forum moderators. It's unclear if that person is even on Valve payroll or not.
posted by chrominance at 7:18 PM on December 25, 2015


I had an idea for a company which would come in and do all the customer facing stuff for the disruptors of this world. But we realised they wouldn't pay for it until the situation was beyond salvage. Also, we never could decide between the names "Engineer's Cure" or "Emotional Labour"
posted by fullerine at 10:32 PM on December 25, 2015 [6 favorites]


My full telephone number and real name were both exposed, I know this because other users were ringing me up at home to warn me that they could see my info. Valve's line is still that phone numbers were obscured but the ones associated with payment info were definitely not.
posted by sudasana at 11:32 PM on December 25, 2015 [1 favorite]


codacorolla: "Eh, I like Steam. Or, rather, I like Steam better than having a collection of CDs, boxes, patching, third party sites and utilities... the list goes on. I think it often runs into a problem like Google, where it's a private service that's almost bordering on public utility status due to its success and ubiquity, therefore mistakes sting users a lot more since they feel trapped by the service. Similar attempts at alternatives have been even worse.

The silver-ish lining to this is that I'm on a game buying hiatus for the short term, so not having the temptation there is a good thing for me. The crossing of accounts is pretty bad though, even as someone who likes Steam.
"

Oh, wait! Those shiny things I can lose or damage and lose the keys to?

(It is sad how many titles I have repurchased on Steam for just that reason.)

I have a love/hate Steam relationship, but it beats the hell out of Desura or Origin, IMLTHO.
posted by Samizdata at 12:58 AM on December 26, 2015


What I find disheartening on this is that, unless things have changed radically on the past 2 or 3 years, nobody will press Valve to be more open and still think Newell poops rainbows. Even if this was just a caching fuck-up caused by a server fart, personal data was out on the open.


I have a love/hate Steam relationship, but it beats the hell out of Desura or Origin, IMLTHO.
These days I only have Origin installed (and GoG Galaxy, although I'm not sure why) because of the occasional free game . Jade Empire is on now... even if I think I have the metal box edition, for some reason. I don't recall playing anything from it since the first giveaway.
posted by lmfsilva at 2:34 AM on December 26, 2015


My full telephone number and real name were both exposed, I know this because other users were ringing me up at home to warn me that they could see my info.

While this is horrible, and Valve's reaction has been just awful, the fact that the first you knew about it was total strangers wanting to warn you that something was wrong makes me feel a little better about humanity.
posted by Vortisaur at 3:39 AM on December 26, 2015 [8 favorites]


True - most of them were trying to be quite helpful, even though by then I had already cancelled the card associated with the account just out of an abundance of caution. Gamers gotta stick together?
posted by sudasana at 5:37 AM on December 26, 2015


The dark side is that if you were someone those gamers didn't like, your first indication that something was wrong could've been having your front door busted open by a SWAT team. Gamergate has taught us that.

As potential consequences go, that one is pretty slight given the random nature of the information revealed. But whenever anyone says "oh your home address, phone number and purchase history being revealed isn't so bad," in addition to all the social engineering attacks it could enable, I always think about being SWATted or worse.
posted by chrominance at 6:18 AM on December 26, 2015 [1 favorite]


I was wondering what was going on. I clicked on my account setting inside Steam and saw a random e-mail address and purchase history. It had me mildly concerned, but I don't store CC info, so wasn't that worried. Looks like it is back to normal now.
posted by Benway at 7:39 AM on December 26, 2015


Ok, so apparently I had beta testing nonsense and popups checked - not anymore.

I've too deleted my cc details because I don't trust Valve with that kind of information. I won't enable 2FA because i don't trust valve with my phone number ;(
posted by Foci for Analysis at 8:45 AM on December 26, 2015


Can you do 2FA through the mobile app?

The problem is that due to the steam marketplace and people selling inventory items, your Steam account is very likely to be at least poked by someone malicious at some point. I consider it to be my most at-risk account for that reason. Not only is it attractive to hackers, Valve's horrible customer service means that it can take ages to get your access back.
posted by selfnoise at 9:27 AM on December 26, 2015


I've got two-factor authentication set up with the mobile app because of a big nudge from Steam. They gave Marketplace (cards, hats, etc) discounts for "mobile authenticator" users, and now that setup is required for trades iirc. I remember reading that this was Valve's way of addressing compromised account complaints without having to improve their support system (which is long overdue). An optimist might say that cutting down on hacked account complaints gives them more of an opportunity to make those improvements, but who knows if/when that'll happen.
posted by knuckle tattoos at 9:55 AM on December 26, 2015


I set up the mobile authenticator, but then when I tried to use it, the mobile app asked me to log in, which required a code from the mobile authenticator. It fixed itself after I closed the app a few times, but I decided to switch off that particular feature until it's a little less half-baked.
posted by davejh at 9:55 PM on December 26, 2015


“Seeing Other People's Steam Accounts: The Christmas Caching Catastrophe”—Tom Scott, 25 December 2015

P.S. An explanation of the meaning and origin of "chinny reckon."
posted by ob1quixote at 1:48 AM on December 27, 2015 [1 favorite]


Update on Christmas Issues
posted by ODiV at 12:00 PM on December 30, 2015


« Older Hacking for the Holidays   |   Ja, weQ Newer »


This thread has been archived and is closed to new comments