Steam Is Going Haywire, People Can Access Others’ Accounts [Updated] [And Again]

Update: It seems, for me at least, that Valve have run screaming around the building, pulling out every plug they can find, as all the servers now appear to be down.

Update 2: After an astonishing four hours of silence, Valve finally bothered to say something publicly about the massive screw-up. They told Kotaku, “As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.”

Original story: There we were, feeling smug in our PC slippers that Sony were having trouble authenticating new PlayStation accounts this Christmas Day, and Steam goes nutso-crazy. And in a really serious way. As Kotaku reports on this merry eve, people are logging into Steam to discover they have access to someone else’s account. Full access, letting them see email addresses, personal details, and most of all, see Steam Wallet money.

Clearly most people at Valve will be at home, filling their face with roast Vortigaunt, so a response to the crisis seems slow. At the time of writing, I’m still able to log into my Steam account through the app, but the website version seems to either be crashing under the weight of people observing the news, or brought down at their end in a “QUICK, PULL THE RED LEVER!” sort of way. Kotaku’s Jason Schreier, as well as having too many Es in his name, has found looking at purchase histories “will bounce around other random accounts too.”

Obviously there’s no word yet if this is a hack, some giant internal screw-up, or perhaps an elaborate ARG informing us of the imminent release of Half-Life 3. Again, according to Kotaku, Steam Guard (which fires off an email to you if someone tries to log into your account from an unrecognised computer) isn’t preventing people’s accounts from being accessed.

Edit: People in our comments are reporting it’s a caching issue, the store serving you someone else’s cached page, so if you didn’t log in, you’re fine. So glad I logged in in order to write this story. With the whole thing pulled offline, it seems people should be safe right now. I imagine they’ll insist everyone change their passwords come tomorrow. Edit: Valve are saying otherwise, but changing your password on occasion is good practice.

Keep an eye on your accounts, clearly. All the best to Valve’s engineers, whose Christmas has just been shat on from far above.

122 Comments

  1. Pich says:

    Apparently it’s a caching issue, so people still aren’t going to be able to get your credit cards or wallet funds. Still, if you want to unlink your PayPal do this: Log in on PayPal website, go to setting, go to payment settings, click on “preapproved payments”, select Valve Corp and cancel it.

    • p3r02d3r0 says:

      I’m not exactly sure about that, but I’m hoping it’s true.
      Folks on NeoGAF are apparently reporting that some users had hundreds and thousands of dollars/euros in their steam wallet.

      • brat-sampson says:

        Sure, but any purchases made on that will go to the real owner’s account, not the person viewing/purchasing, and then surely they/Valve can simply revoke the purchase once all this has blown over. Person A still can’t use the money of person B to add anything to A’s library.

        Don’t get me wrong, this is a monumental fuck-up, but it’s not the worst armageddon scenario.

      • Canazza says:

        Steam Database (unaffiliated with Valve) posted a blog on what they think is happening, and what you can do to protect yourself: link to steamdb.info

    • Canazza says:

      If it’s the Caching issue (and it’s a perfectly reasonable explanation) then LOOKING at it will just make it worse (you look at it, the server caches your request, then gives you someone else’s. Then it gives YOUR cached request to the next guy). It’s like the Ark of the Covenant. Except it’ll melt your online face rather than your real one.

      • Pich says:

        that’s why i did that through the PayPal website instead of Steam

        • Canazza says:

          My mind is reeling from the idea that Paypal is somehow better than Steam right now.

          • BlockAtATime says:

            And that is because everyone gives Valve a pass, for everything. They are awful at all the things they should be amazing at: customer service (generally takes 7-14 days to get a response, which is ALWAYS scripted), billing (seriously, how can a company do this volume of transactions and have a policy of no returns/chargebacks under any circumstances until last year), client software (no rich queuing options for the first decade of existence, etc). They have beta software options built into all their software, but the release versions still require almost daily patches. Honestly, nearly everything Valve does smacks of incompetence.

    • Darth Gangrel says:

      Someone on the Gamespot article for this issue said the same thing and I’ve done it, but thanks for the tip anyway.

      I had the surreal joy of seeing the steam store in russian and finnish, then looking at Swedish accounts, one of which had the same name as my grandmother and located at my birthplace. In all the randomness, Steam knows who I am without me ever telling it those details, lol.

    • Generator22 says:

      Are we supposed to be completely safe if we did not log in at all today?

      • dwm says:

        At the moment, we can only make informed guesses—we do not know for sure. To be sure, we will need to wait for Valve to tell us what went wrong.

        My best guess at the moment is that looking at Steam store or account pages while logged in might have let someone else do bad things on your account. You did not log in, so you really should be okay unless my thinking is badly wrong.

        • Generator22 says:

          Thank you. Let’s hope we get an official confirmation along those lines as well.

      • TacticalNuclearPenguin says:

        I’m wondering if there’s a difference between having logged in today or having been already logged in since days.

        Well, i hope i made sense and that the latter means i’m safe.

        • Fnord73 says:

          This was a good day to spend with the family AFK.

          • TacticalNuclearPenguin says:

            Oh, i did, what i meant is that i usually keep steam on 24/7 and so i was wondering if being already logged in would count.

    • akerry says:

      Still be vigilant with your card data.. won’t go into how here for obvious reasons but when this started there was a way to get ALL the payment details entered, card details, expiry date, security code for each card, for each account you were given inadvertent access to.. found it by accident while trying to find out why I couldn’t pay for something.. then found it wasn’t my account data, Steam got the details on how but people need to know it was possible.

    • PancakeWizard says:

      This isn’t the first time this caching issue has happened. I’m sure it’s been a common bug in individual cases for some time. This was just the first widespread incident.

  2. matnym says:

    According to SteamDB (which is not affiliated with Valve btw) this is not a security breach but ‘page caching gone rogue’.

    link to twitter.com

    It’s recommended that you do not visit any Steam URLs for the time being.

    • LionsPhil says:

      We’re very much aware that we shouldn’t be the ones informing people about this, but Valve is consistently failing to do it themselves.

      Too f-ing right!

      Supposedly all sorted now, according to the community moderator post linked by dwm below.

  3. Decimae says:

    As everyone has said, it is a cache issue. Do not use any of the steam websites, as it might cache them with you being logged in, and enabling others to access your information.

  4. Clavus says:

    Valve finally killed the Steam servers after a full hour (WAY too long). It seems to have been a page caching issue, so as long as you didn’t log in, you probably were not affected.

  5. Yachmenev says:

    They seem to have shut it down now.

    Merry Christmas to Valve’s technicians. As a programmer myself, I feel for them now.

    • subedii says:

      No kidding. This is the worst time of the year for anything critical to go down.

      At least from what I’m hearing they killed it fairly sharpish. Or that’s the impression I’m getting, since I’m not really seeing any issues at my end other than being unable to access the store itself in-client.

      • Yachmenev says:

        I think it took them quite a while, but as far as I understand it, it’s not always that easy to shut down a distributed system. They don’t necessarily have the same big red buttons as in movies.

    • caff says:

      Poor guys, fingers crossed it’s all sorted quickly.

  6. dwm says:

    Steam was having availability issues during the course of today. I suspect that as part of fixing those issues, someone inadvertently messed up the configuration of the front-end Varnish caching layer that sits in front of much of the service, causing it to return cached versions of e.g. other people’s account details pages inappropriately.

    Whether this allows hostile actions to be taken depends on the precise nature of the failure, but if (for example) other users’ secure session-cookies were included in those cached responses, it would allow others to execute commands as them. :(
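
Added example (not part of dwm's comment, and not Valve's code or configuration): a toy Python model of the failure the commenters describe, where a shared cache keys on the URL alone and so hands one logged-in user's page and session cookie to the next visitor, beside a conservative cache that lets credentialed requests bypass it. The `origin`, `NaiveCache` and `SafeCache` names, the `/account` path and the sessions are all constructed for illustration.

```python
"""Toy model of a shared page cache in front of a per-user web application."""
from dataclasses import dataclass, field

# Constructed sample sessions (session id -> account name); not real data.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def origin(path, cookies):
    """Hypothetical origin server: renders pages from the session cookie."""
    sid = cookies.get("session", "")
    user = SESSIONS.get(sid)
    if path == "/account":
        if user is None:
            return Response("please log in", {"Cache-Control": "no-store"})
        # Personalised page that also refreshes the session cookie.
        return Response(
            f"account page for {user}",
            {"Cache-Control": "private", "Set-Cookie": f"session={sid}"},
        )
    return Response("store front page", {"Cache-Control": "public, max-age=60"})


class NaiveCache:
    """Misconfigured: keys on the URL alone and stores every response."""

    def __init__(self):
        self.store = {}

    def fetch(self, path, cookies):
        if path not in self.store:
            self.store[path] = origin(path, cookies)
        return self.store[path]


def is_shareable(resp):
    """Only responses explicitly marked public, with no Set-Cookie, may be stored."""
    raw = resp.headers.get("Cache-Control", "")
    directives = {d.strip().split("=")[0].lower() for d in raw.split(",") if d.strip()}
    if "Set-Cookie" in resp.headers:
        return False
    if directives & {"private", "no-store", "no-cache"}:
        return False
    return "public" in directives


class SafeCache:
    """Conservative: credentialed requests bypass the cache entirely."""

    def __init__(self):
        self.store = {}

    def fetch(self, path, cookies):
        if cookies:
            return origin(path, cookies)  # never look up, never store
        if path in self.store:
            return self.store[path]
        resp = origin(path, cookies)
        if is_shareable(resp):
            self.store[path] = resp
        return resp


def replay(cache):
    """Alice, then Bob, request /account through the same cache."""
    a = cache.fetch("/account", {"session": "sess-alice"})
    b = cache.fetch("/account", {"session": "sess-bob"})
    return a.body, b.body, b.headers.get("Set-Cookie")


if __name__ == "__main__":
    print("naive:", replay(NaiveCache()))
    print("safe: ", replay(SafeCache()))
```

With the naive cache, Bob's request returns Alice's page and her session cookie; with the conservative one, each user gets their own page and only the anonymous front page is ever stored.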

  7. subedii says:

    Weird, I’m just seeing my standard profile page.

  8. Freud says:

    A reminder of how exposed you can be if you insist on having your whole game collection on Steam.

    • John Walker says:

      Well, no, it’s not, is it? It’s equally problematic for someone who has some of their games on Steam. But good work scoring a point so quickly!

      • Freud says:

        If you have some of your games on Steam and some elsewhere, you would have access to some of your games if Steam is inaccessible for a short or long duration.

        • gritz says:

          No one’s games are inaccessible on Steam right now, dude.

        • suibhne says:

          I’m playing in Offline mode right now – no problem at all.

    • draglikepull says:

      You would be equally exposed if you had 1% of your game collection on Steam (except that less of your purchase history would be available, but all the other details would still be there).

    • Yachmenev says:

      It’s not a concern for your game collections as it might be about your personal details. The effect can be the same whether or not you have one game or thousands on your steam account.

    • subedii says:

      As opposed to what? I mean if this hit GOG.com / Galaxy / Origin, it’d still be the same problem.

      Unless the proposition is that we go back to CD’s?

      • Freud says:

        An alternative is less DRM so you have access to the games you purchased or rented/licensed or whatever you do when you pay for them on Steam, as if you indeed owned it.

        • subedii says:

          That’s actually a separate issue. Like I said, if this had hit GOG or Galaxy, it would be exactly the same problem that we’re seeing now.

          • subedii says:

            In fact I just checked now to make sure I wasn’t going crazy. Jumped into a game of CS:GO. No problems.

        • LionsPhil says:

          Hate to burst your bubble, but the auth servers are actually fine.

          I mean, I generally agree that grr-DRM-bad, but you’re grinding your axe in completely the wrong place here.

          • Llewyn says:

            As are the download servers; I still have access to all my games (including not-previously-installed ones, just tested) regardless of the combination of the current issues and DRM.

          • Emeraude says:

            Yeah, I don’t think I have to say I’m about as anti-mandatory online client as it gets, but let’s not cross streams here. This is a separate issue.

            Still, can’t say I have one ounce of sympathy for the company here. Hopefully its customers don’t get too hosed in that mess.

          • LionsPhil says:

            Heh, should’ve seen that coming. Now I’ve said that, Steam’s stopped connecting at all.

          • subedii says:

            You sure? I’m still connecting fine.

          • LionsPhil says:

            It was failing repeatedly at the time; now it’s managed to go back online. I suspect it’s a bit wobbly.

        • draglikepull says:

          Steam has an offline mode, which I’ve used lots of times, that gives you access to any game in your library, though obviously you can’t connect to online features if you aren’t online. You don’t get locked out of your games if Steam’s network features go down. I don’t know why people continue to insist that Steam must be online to access your game library, because that isn’t the case and hasn’t been for years (if ever).

          • suibhne says:

            Indeed. Not to be a broken record, but Offline mode is working fine now (as expected, since a temporary server issue should have literally zero impact on Offline mode).

          • PseudoKnight says:

            Moreover, the DRM in Steam is completely optional. There are games on Steam with no DRM, at least no more than a service like GOG that requires you to login to download but not play. It seems like people think Steam is inherently DRM. The reality is, unlike GOG, there’s just no requirement to have no DRM, and they do offer DRM services (and other online services that are effectively DRM if required).

          • baozi says:

            With all Steam games, you gotta authenticate to install and use; that’s DRM. It’s little different from authenticating professional graphics or music software, or whatever, where usually the installers are freely available for demoing purposes, but you gotta authenticate to use the programs for more than 30 days or so. You wouldn’t call that not-DRM, right? Whether you gotta authenticate every time to play/use after that first authentication makes no difference in whether there’s DRM or not, it’s just different DRM.

            With GOG, of course you gotta authenticate to download, but that’s pretty irrelevant, imo – that’s just logging into the store, and you don’t have to use Galaxy. The games themselves are completely free of DRM. You download them once, you have the installers; GOG never has a say in what you do with them anymore.

            It’s the same difference with buying music from the iTunes store vs buying movies from the iTunes store. You can put your iTunes songs wherever and play them however; you can play your iTunes movies only from within iTunes and associated services and only after you’ve authenticated. Logging into GOG to get a game installer is just like logging into iTunes to download a song.

            Ergo, Steam = DRM, GOG = no DRM.

          • neffo says:

            That isn’t actually true in all cases.

            You can use steamcmd to download the non-DRMed games and there is no need to authenticate beyond the downloader. In which case it’s no different to GOG. Ok it’s not the same as just using your browser, but then again neither is Galaxy.

          • baozi says:

            Oh, never heard of that before. So what you download via steamcmd is an executable installer? I was indeed talking about using a browser…but, while the primary use of Galaxy is to download, auto-install and update behind the scenes, you can also just download the installer from within Galaxy. Also, Galaxy is optional, after all.

          • Press X to Gary Busey says:

            A slight complication, depending on if you view it as multiplayer matching convenience or mandatory installed inconvenience. GOG Galaxy is required, and installed for some games’ multiplayer. The Witcher Adventure Game, AvP Classic 2000, Trine 3, Double Dragon Trilogy and the Rise of The Triad remake.

    • NihlusGreen says:

      Your library is still fully available

      • DarkFenix says:

        Let’s not let something as inconvenient as facts get in the way of bashing Steam.

  9. mattevansc3 says:

    Dramatised scene at Valve HQ
    link to youtube.com

  10. Yachmenev says:

    Oh, and a Merry Christmas to John Walker, who took time now to write about this for us. :) All the best to you and your family.

  11. Pulstar says:

    Welcome to the online-only future of gaming.

    • EhexT says:

      …would be an appropriate comment if this was about Battle.net going down. Since with Blizzard games you really can’t play their post-Warcraft3 games anymore if their store goes offline.

      But since this is about Steam, you can still play all of your non-online-only games perfectly fine when Steam goes offline. You can pull your network cable out right now and still play all of your (non-online-only obviously) steam games.

  12. Bull0 says:

    What a fuck-up. So what are we thinking, someone chose christmas to exploit a known vulnerability? Surely they can’t have been naive enough to roll anything out over christmas?

    • LionsPhil says:

      It’s Valve. It seems like their roll-your-desk-into-whichever-project-is-fun mentality means they don’t attract any boring, solid web application developers who can build an e-commerce and community site that doesn’t crap itself on a regular basis.

      • Bull0 says:

        And even if they try to hire some, they immediately second themselves to the hat design bureau anyway.

    • dwm says:

      It is possible that someone was doing something very nasty—such as sitting on a vulnerability in Steam until the worst possible day—but that’s not the simplest explanation that fits what we know.

      Before this problem happened, Steam went down a few times during the course of today—which, being Christmas Day, is likely to be one of its busiest!

      (I gather that some people might have been planning to DDoS Steam off the ‘net today? If true, this would not have helped.)

      For whatever reason, Steam stopped working properly around lunchtime GMT today—about when the east coast of the US woke up, in fact. Valve did whatever they do to bring the service back, and they did this pretty fast.

      However, it looks like the setup of the “caching” layer Valve use to make parts of Steam work quickly was wrong—and, worse, this brokenness was not automatically detected. It was left running on the live system for about an hour before Valve turned the shop pages off to stop the wrong pages showing up.

      It is not entirely clear what bad things someone could do after being shown one of the wrong pages—whether it was possible to do evil things with other people’s accounts, or if they could only look but not touch.

      The latter is still bad, but the better of the two. Hopefully Valve will explain things soon.

      • Bull0 says:

        Ah, OK. With that timeline it seems much more plausible that extra capacity was brought online and not properly configured than anything else.

    • dwm says:

      To follow up, this forum post by a community moderator indicates that this was not a hack.

  13. eocar89 says:

    That’s why! I have noticed steam today had many issues, I could hardly open the store page, and when I could it showed me prices in dollars (strange for me, as I am from Italy!). I hope they fix everything soon!

  14. Giftmacher says:

    grrrr steam bad, floppy disk good

    • trjp says:

      You never used one did you – you never had them go missing, throw errors or had to manage a pile of the things just to see the next video ;0

      • Giftmacher says:

        Sorry, no, I was being sarcastic. I don’t think anyone could seriously argue floppy disks are the best format.

        • Emeraude says:

          Never underestimate fetishism.

          Still I’m always kinda mad at the implication that not liking Steam is similar to being some kind of clueless Luddite.

        • LionsPhil says:

          Best, no, but to not appreciate floppies is to have never used tapes.

          • Tuhalu says:

            To not appreciate tapes is to have never typed in an entire program by hand from a magazine.

          • LionsPhil says:

            Did that, ran the program, had to break and OLD didn’t work because it had overwritten itself in memory, have been incredibly fastidious about saving ever since (and anything that’s creative work not in version control gives me the shivers).

          • Spacewalk says:

            Tapes? Still using punch cards on this end.

          • Spacewalk says:

            Sorry this took so long to follow up, loading all these cards takes a while.

  15. quietone says:

    So that’s all it took for me to finally fire up my copy of The Sims 4

  16. suibhne says:

    Looks all fixed up now…at least for the moment.

  17. trjp says:

    Store is back as of about 5 mins ago – no word from Valve at all on this so I’d stay offline for now.

  18. KibbleKip says:

    Store and stuff is online, but I can’t login. Anyone else got this problem?

  19. freestonew says:

    what?!

    Christmas?!

    does not everyone Know that during the holidays, Nothing Gets Done, or that Everything Gets Broken, unless it deals with the holiday itself.
    critical people take leave, the workers, who are there, are holiday stressed out.
    Does not matter if it is your plumbing, your car; if it breaks during Christmas weekend, it might stay broken until Monday or Tuesday. Christmas, itself, fills all brain cells. little else is available for use.

    • Philopoemen says:

      Eh? from all the emergency service personnel – what’s Christmas?

      Worked night shift this year and had two home invasions, sudden death, attempted rape, and rounded out the day with a murder – and I know the hospitals and hose monkeys were just as busy.

      Christmas was far from the mind, other than the I-can’t-wait-for-it-to-be-over part…

      • Nucas says:

        i guess he’s talking about the white-collar types. the assholes on vacation we have to clean up after.

  20. InfamousPotato says:

    Oh my… I hope that the folks working on this at Valve still get to enjoy their Christmas. Anyway, thanks for writing this article despite what day it is. I think we all very much appreciate it.

  21. racccoon says:

    This is so why MONOPOLY’S crash n burn..
    As you can not hold it for long.
    I’m really sick of logging into STEAM just to play my most of favorite games..
    I think STEAM needs hacking everyday in 2016 to disband the most stupidist tool ever made.
    Just go back to normal installation of games with their own build in updates, wow those were thedays..
    Why people think the STEAM tool is great is beyond belief!
    You have a desktop! it has all your files inside! Neatly ordered to your liking..Oh that was what it was like before CRAPPY STEAM!!

    • Fnord73 says:

      While you, sir, have a very dramatic punctuation-style.

      • DelrueOfDetroit says:

        Doesn’t The Onion have a ‘writer’ with this exact style?

    • suibhne says:

      CRAPPY STEAM!!1: stupidist, or MOSTEST stupidist?

    • jgthespy says:

      I don’t think you were even born yet before CRAPPY STEAM!!

      • Nucas says:

        this reminds me a lot of my 64 year old father’s typing style actually.

    • kalzekdor says:

      Yeah… let’s go back to the days when every wannabe game publisher rolled their own update stack so you had to manage dozens of various clients, sold products out of broken, poorly secured, and unreliable commerce sites (if they had one at all, if not, you might have to mail a money order), purchase verification was done through CD-keys, but half the publishers didn’t use true GUIDs so pirates coded a keygen so the publisher invalidates a whole swathe of keys, including the one you legitimately purchased, so you have to argue with their customer support to get a new key, and that’s assuming you still remember where you put the physical media, and good luck if it’s scratched, guess you’re buying the game again, and then, before you get to play you have to beat the pregame of fiddling with settings and drivers just to get the damn thing to run, which, when you finally manage it, is pretty sweet, but now it’s late, and you can’t play any more tonight, so you plan to pick up tomorrow on your laptop, but, when the time comes, you realize you forgot to transfer the save data from your desktop, so you just throw the discs in the microwave and watch the pretty colors.

      Yeah, PC gaming is so much worse now that everyone uses Steam.

      • Nucas says:

        this whole post is like an infomercial segment about gaming. OH NO! there has to be a better way

        none of the things you’ve described have ever happened to me in 20 years of gaming except configuring a game’s settings and adjusting drivers, which steam has had no impact on.

    • Bernardo says:

      I’m reading this out loud while listening to a Max Roach/Archie Shepp piece. Fits perfectly. “CrapSteam: a Beat poem”, I call it.

  22. BlockAtATime says:

    You have a brilliant and highly amusing writing style, John. Thanks for the news!

  23. brucethemoose says:

    This begs the question: should Steam really be caching your personal information like that?

    How common is this among other companies, and how vulnerable are their caching schemes?

    • PhoenixTank says:

      Caching is a thing that happens on pretty much every reasonably sized web based business. Most of the time you wouldn’t know; doing that while increasing performance is the goal.
      Generally, no, web developers don’t want to cache full page content that is unique to one person – that rather defeats the point.
      This is an unfortunate situation for Steam and for any users that were active while this was happening.
      Pure, wild & rampant speculation leads me to take an educated guess that a configuration change happened in order to deal with the load (DDoS threat or just heavy traffic that happens this time of year) and someone made a heavy handed mistake, possibly without the rigorous testing and checking that changes usually require (I’m an optimist sometimes).
      Balancing that amount of traffic isn’t easy, but those affected are more than entitled to be angry. Personal data has been sporadically leaked, after all.
      The “STEAM HACK OF THE CENTURY” threads are simultaneously hilarious and depressing, though.

      • brucethemoose says:

        So based on the current wild speculation, the theory is that some web dev tuned Steam’s caching scheme to handle the holiday load, but was a little too aggressive?

  24. Mr Propellerhead says:

    What?
    No-one’s yet referenced a leaky valve?
    So disappointed…

  25. Nucas says:

    “CALL IT THE STEAM WINTER FAIL”
    reading kotaku is like flipping through new york post. what trite garbage.

  26. grve says:

    This glitch was trying to tell me not to buy early-access Empyrion on sale, but I came back hours later and did it anyway. I’m a fool, bugs are great, don’t pay for games with stupid names.

  27. Gibster says:

    Fascinating, can’t wait to see the storm that’ll follow. Assuming no info was actually leaked and this is really just a caching issue then maybe some good will come of this in the apologies that will follow (free game perhaps).

    Also, nice photo of Castle Geyser you have on the front.

    • Baines says:

      On one side, you have Valve. The company that decided the best solution to complaints about glacially slow fixes and all around poor response wasn’t to improve their service, but instead to enact a company-wide policy of silence. The company that continues to believe it lives in a magical perfect world bubble where half-baked plans are good enough and nothing ever goes wrong. The company that can only be roused into action by very public PR disasters and/or real threat of legal action.

      On the other side, you had people threatening lawsuits against Valve within an hour.

      And in the middle, you have a lot of people who live in a world where Steam has become a necessity if you want to game on PC. Steam has reached a point where (people at least hope) it is too big to fail, because Steam dying would currently be the biggest disaster to ever happen to PC gaming. (Even Valve deciding to sell Steam would potentially lead to a disaster.)

  28. NephilimNexus says:

    Dammit, someone just had to beat Xi Jinping at League of Legends this weekend, didn’t they?

  29. SuicideKing says:

    All’s well again.

    We also now have Valve’s official word on the matter, as supplied to several outlets via email:
    “Steam is back up and running without any known issue. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.”

    – Valve statement to PC Gamer, Gamespot, etc.

    • Paxeh says:

      This is by far the shittiest response I’ve ever seen.

      I could see full account details – real life addresses, last digits of credit cards (once I had to deal with Blizzard for an account issue, all I had to do was provide my last four digits and mother’s maiden name), email, wallet size (one guy had 400 euros in his wallet). I even saw accounts of people who use the steam authenticator!

      Also, it lasted well over one hour. 2.5 hours after the first reports I could still access other people’s details.

      I’m pretty disappointed as a consumer and this has been a huge breach of privacy – especially since I’m one of the people who uses the steam authenticator to protect myself from this shit.

  30. Ham Solo says:

    I don’t know what’s more terrifying, Steam accounts being accessible or Kotaku posting vaguely game-related content.

  31. Jokerme says:

    Downloadable games? Online accounts? What is this, 1893? Get with the times and use mind control, people. What if Steam closes? What if your CD gets broken?

    With mind control there is no way to lose your games and game data. It’s only one chip to your brain away!

  32. djhworld says:

    I’m a bit astounded that people and Valve are being so blasé about this now that we know it was “just a caching issue”

    It’s a data protection leak, I’m pretty sure that is illegal here in the UK

    It’s a US company though so I’m not sure what their data protection laws are like, or if our Data Protection Act applies.

  33. Herr_C says:

    Why is 4 hours astonishing? Even if yesterday wasn’t Christmas.

    • aldo_14 says:

      This sort of thing is one of the number one panic buttons for any company handling money*, and for their customers. It’s basic common sense and customer service to warn the customer as soon as the problem is known, rather than – as Valve appear to have done – wait until they’ve tried to fix it before actually stating anything. Then they can issue their follow-up statement(s) as causes are known, as impact is identified, and when the fix is made.

      *If it happens to a bank in the US (and Steam isn’t too far from that, given Steam Wallet’s existence, so I’m not sure how it’s regulated), and the regulators hear of it, they can literally shut the whole online service down.

      • GunnerMcCaffrey says:

        Especially galling is that there’s been no direct communication from Steam to its customers. Nothing in the client. Nothing on their Twitter. Not even a bloody email. If this had happened to just about any other online company, users would have got emails letting them know about the security problem, and probably advising them to check their accounts on any linked services. But Steam felt it was enough to just issue a half-arsed statement to the enthusiast press after hours had elapsed.

        I’ve always found their customer service laughable at best, but this is finally making me want to reduce the amount of business I do with them. I’m not one of the anti-Steam zealots (I have a couple of hundred games in my account) and generally couldn’t give a toss about “consumer rights,” but it seems at some point they really did just start taking our money for granted.

        I was going to buy my kid a game in their sale yesterday, but decided to go with GOG instead.

        • Pantalaimon says:

          Whilst I do agree that Valve can be really tardy with responses to things, and their front-facing customer service is appalling, it’s quite likely telling their entire userbase that there’s an issue, and having many thousands more people log in without really being able to do anything, would probably have caused more problems than it solved. If they could have pulled a lever and shut the whole thing down instantly they would have, but for whatever reason (engineer on holiday and has to fly/drive in etc) they couldn’t.

          Sometimes even when an organisation’s blanket policy is full disclosure there are times when they have to go against that, and take the flak for doing so.

  34. Press X to Gary Busey says:

    Perhaps a Valve Janitor rolled his desk over to the empty Web Desk Island. It just took a while to work out who currently has dibs on the Phone Desk and get the coders to roll their desks back from their families to the office.

    I bet he/she also fiddled with the Valve Timer again…

  35. nicoper says:

    This was actually pretty darn spooky, I read some random CS:GO review on Steam, not sure why though, and it contained some russian words (I think?) then I went to the store and it was in Russian…

    • TheAngriestHobo says:

      Careful, those are all telltale signs of a Russian sleeper agent waking up…

  36. kud13 says:

    Huh. Odd, I was on Steam all day yesterday (putting in many hours into AoK HD), don’t think I used any online functions except checking out achievement lists. I suppose I should be safe then?

  37. Banks says:

    And Valve won’t explain shite about what’s happening. What a joke.