Valve Still Hasn’t Told Steam Users About The Christmas Fiasco

Four days after Steam’s Christmas fiasco, we still don’t know what happened. We don’t know how many people were affected, how much personal information leaked, or if some friendly Team Fortress players saw our addresses and plan to stop by our homes for an impromptu New Year’s celebration.

We don’t know any of this because Valve, carrying on a grand tradition of opacity, has refused to go into specifics about the fiasco last week, when Steam users logged into the digital store to find that they’d somehow accessed other people’s accounts. It was a creepy, unsettling event for many PC gamers, and although there have been few reports of unauthorised purchases, Steam did expose enough personal information to fuel all sorts of social engineering. For nearly an hour, anyone with a Steam account could see random users’ email addresses, phone numbers, and buying histories as well as the last four digits of their credit card numbers, which would be more than enough to steal someone’s Netflix account.

Yet other than a short statement sent to Kotaku and other press outlets last week — “This issue has since been resolved” — Valve hasn’t said a thing. They haven’t commented on how many people were affected. They haven’t contacted the Steam users whose information was exposed. Most alarmingly, they haven’t informed their 125+ million users — some of whom, sadly, do not read Kotaku — that this happened at all.

This is standard practice for Valve, of course. Their customer support has been horrendous for a long time, and their modus operandi has always been to say as little as possible, no matter how much faith they lose. And oh, they have lost faith. On the front page of r/steam right now, for example: “We shouldn’t be okay with the fact that Valve still haven’t apologized for the cache server fiasco.”

For the past few days, several people have contacted Kotaku about what happened to Steam. Some were worried that they’d been exposed and didn’t know about it; others suspected that the false charges on their PayPal accounts were a result of this disaster. There’s been no evidence linking the Steam Winter Fail to unauthorised payments, but even if there was, would anyone know about it?

One Steam user, who asked not to be identified in this story, found out on Christmas that other people had accessed his account. People had seen his name, his address, his phone number, his buying history. And when he contacted Steam support, they didn’t have a single useful thing to say.

Read the full ticket (screenshot not reproduced in this copy):

It’s infuriating, frankly. Infuriating that some Steam users won’t know this happened; infuriating that others might never know whether or not they were exposed; infuriating that Valve’s customer service is still so useless and uninformative.

Most of all, it’s infuriating that Valve thinks this is OK, that they can just fire off a press statement and let the crisis blow over without even telling customers that the last four digits of their credit cards may have been inadvertently shown to the world. How can such a smart company, one that’s made such stellar, polished games and dominated the PC gaming landscape for nearly a decade now, be so damn stupid?


  • Well, first of all, we need to leave the emotive “pitchforks and torches” rhetoric at the door. This doesn’t help anybody.

    So calm the hell down.

    This doesn’t exonerate Valve in the slightest, though.

    This is where a robust and forward-thinking media outlet like Kotaku must maintain not the rage, but the focus on what nobody yet understands simply because there’s no interest yet.

    If it was a console service, we’d definitely see a hell of a lot more about it.

    It’s difficult at times to separate the personalities from a site, I get that. The ‘I love Steam sales’ vs the ‘I hate Steam sales’ stuff lately is fine, but this is (PC) gaming’s BP Oil Spill and it’s our job to be angry, not Kotaku’s. It’s up to you to inform us.

    Keep on keeping on.

    • Solid point, leigh, and one which I largely agree with. That being said, if I had a platform to voice my anger about Valve’s practices, I’d be tempted too.

      Regardless, Valve has shown little concern in the past about end-user rage. While there is little legitimate competition and the rupees keep rolling in, will anything change?
      I’m sceptical.

  • Yeah, all around it’s a shitty situation, and Valve has shitty customer support. But it seems short of hemorrhaging customers that’s not changing. And what, are we all going to swap to uPlay, which I hate anytime I have to touch with a stick? Origin, which is basically just EA Games? GoG is probably the closest thing I can think of, but even if Galaxy did have a Big Picture mode and In-Home Streaming, their library is still much smaller than Steam. And even if we did all move, we’d still use Steam for years to come just because of our catalogs on it.

    As a company, Valve is shit. As a software, and as a comparison to other options out there, it’s good enough for me to not want to change, even if I am stuck with Valve.

  • Dramatise and over-exaggerate much? Imagine a world where IT companies are totally transparent and communicate all of their problems to the public… The world would be soooo much more secure!

    • There is a middle ground between being totally transparent, and responsibly handling a data breach like this.

      If a company stores your personal information, and then exposes it to third parties in a way contrary to how they said they would handle your information, they have a responsibility to tell you so you can protect yourself. In a number of jurisdictions, this is actually required by law:

      It’d be interesting to know whether Valve is bound by the Californian security breach law described on that page (does selling to Californians count as doing business in California?).

  • Go to Mitre 10 and buy pitchforks and torches. Time to boycott Steam. Why hasn’t anyone sued them already?

    Gabe Newell should be more like Jeffrey Tambor aka transparent.

  • Valve stuffed up when they pushed the config update without testing enough. They are responsible for the issue.

    That being said, some of the information this user is asking for is likely not possible to obtain. People were randomly being given the wrong cached data. It is possible, though unlikely, the information of how many people were served that information is accessible. It may be floating around in a log somewhere, but if Valve are keeping a log of every page served it could be nigh-on impossible to parse it to find specific pages served. As for the other information, what was viewable, ask the people who verified his account was accessible and assume it all was.

    It would be interesting to know how widespread this issue was and what the overall damage is, but it just might not be possible to get that information. I don’t know if Valve is keeping quiet because they’re staying true-to-style or if they actually don’t have any more information to give, but I’d hazard a guess it’s as likely the second option as the first.

  • One could argue that Valve is currently in breach of the Australian Privacy Principles act in their handling of the fiasco.

  • With the on-going issues on the store, Valve is probably waiting until everything is definitely fixed before they issue a statement. They also, no doubt, don’t want to provoke unnecessary panic.

    Realistically, this only seemed to affect those who were currently logged in during that one hour (about 8am on 26 Dec), during which a small number of people *may* have seen some cached details of a random user when browsing the Steam store.

    Name, email and phone number would only be shown if the user had credit card details saved, and only then if the user purposely wanted to view them (not everyone is malicious) by clicking edit.

    No passwords nor CC details were leaked, so if anyone lost account access, it would be due to weak passwords, or phishing scams.

    Personally, my credit card details on Steam get displayed as “card ending in **25”, which technically is only 2 numbers due to the asterisks. And I’m happy to let the world know those details because, frankly, there is nothing one could do with it.

    Customer support for 125 million wouldn’t exactly be a walk in the park, so some leeway is surely justified.

    Still, this shouldn’t have happened. But how about we view this molehill as it really is, which is certainly no mountain.
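Two of the comments above describe the same failure mode: a config update pushed without enough testing, after which people were "randomly being given the wrong cached data" and saw "cached details of a random user when browsing the steam store". The model below is an added example written for this page; it is not Valve's code or configuration, and the mechanism it assumes (a shared reverse-proxy cache keyed on the URL alone, storing personalised responses and replaying them to the next visitor) is an assumption, since the article never states the root cause. The `Origin`, `SharedCache`, `simulate` names and the `ACCOUNTS` data are constructed for the example. It shows the misconfigured cache handing Alice's account page to Bob, and a hardened cache that honours `Cache-Control: private`/`no-store` and keys variants on `Vary: Cookie`, so the same public page stays cacheable while personalised pages are never shared.

```python
"""Toy model of a shared reverse-proxy cache in front of a web application.

Constructed example, not Valve's code or configuration. The page only says that
users were served "the wrong cached data"; the assumption modelled here is a
shared cache whose key is the URL alone, so a personalised /account response
stored for one visitor is replayed to every later visitor of that URL.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


# Constructed sample accounts (fake values); the session cookie selects one.
ACCOUNTS = {
    "sess-alice": {"name": "Alice", "email": "alice@example.invalid", "card": "**25"},
    "sess-bob": {"name": "Bob", "email": "bob@example.invalid", "card": "**71"},
}


def session_from(req_headers: dict):
    """Return the value of the 'session' cookie from a Cookie request header."""
    for part in req_headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None


class Origin:
    """The application server. /store is public; /account is personalised."""

    def __init__(self, marks_private: bool):
        self.marks_private = marks_private  # does the app label /account correctly?
        self.hits = 0  # how many requests reached the origin (cache misses)

    def handle(self, path: str, req_headers: dict) -> Response:
        self.hits += 1
        if path == "/store":
            return Response("Winter sale: 50% off", {"Cache-Control": "public, max-age=60"})
        if path == "/account":
            acct = ACCOUNTS.get(session_from(req_headers))
            if acct is None:
                return Response("login required", {"Cache-Control": "no-store"})
            body = f"{acct['name']} {acct['email']} card ending in {acct['card']}"
            cc = "private, no-store" if self.marks_private else "public, max-age=60"
            return Response(body, {"Cache-Control": cc, "Vary": "Cookie"})
        return Response("not found", {"Cache-Control": "no-store"})


class SharedCache:
    """One cache shared by every visitor; hardened=False ignores all caching headers."""

    def __init__(self, origin: Origin, hardened: bool):
        self.origin = origin
        self.hardened = hardened
        self.store = {}  # path -> (vary header names, {varied request values: Response})

    def _storable(self, resp: Response) -> bool:
        if not self.hardened:
            return True  # misconfigured: stores everything, whatever the origin said
        directives = {d.strip().split("=")[0].lower()
                      for d in resp.headers.get("Cache-Control", "").split(",")}
        return not (directives & {"private", "no-store"})

    def _vary(self, resp: Response) -> list:
        if not self.hardened:
            return []  # misconfigured: the URL is the whole key
        return [h.strip() for h in resp.headers.get("Vary", "").split(",") if h.strip()]

    def get(self, path: str, req_headers: dict) -> Response:
        entry = self.store.get(path)
        if entry is not None:
            vary, variants = entry
            key = tuple(req_headers.get(h, "") for h in vary)
            if key in variants:
                return variants[key]  # served from cache, origin never consulted
        resp = self.origin.handle(path, req_headers)
        if self._storable(resp):
            vary = self._vary(resp)
            variants = self.store.setdefault(path, (vary, {}))[1]
            variants[tuple(req_headers.get(h, "") for h in vary)] = resp
        return resp


def simulate(hardened: bool, app_marks_private: bool) -> dict:
    """Alice views her account page, then Bob views his; report what Bob saw."""
    origin = Origin(marks_private=app_marks_private)
    cache = SharedCache(origin, hardened=hardened)
    alice = {"Cookie": "session=sess-alice"}
    bob = {"Cookie": "session=sess-bob"}
    cache.get("/account", alice)
    bob_sees = cache.get("/account", bob).body
    # The public page must still be cached across users in the hardened setup.
    cache.get("/store", alice)
    hits_before = origin.hits
    cache.get("/store", bob)
    return {"bob_sees": bob_sees,
            "leaked": "alice@" in bob_sees,
            "store_cached": origin.hits == hits_before}


if __name__ == "__main__":
    for hardened, private in [(False, True), (True, True), (True, False)]:
        print(f"hardened={hardened} app_marks_private={private}:", simulate(hardened, private))
```

The third scenario (`hardened=True, app_marks_private=False`) is the one worth noting for defenders: even when the application forgets `private`, a cache that keys variants on `Vary: Cookie` still never serves one session's page to another, while the public `/store` page keeps being served from cache.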

  • Oooo! Steam better pull their head out of their butt here, this is the exact reason Australian and European consumer groups are going after them in legal action… lack of customer communication and appropriate level of responsibility to customers. Potential data breach and they haven’t contacted the affected or levelled any public statements. “Your account security has NOT been compromised even though we gave COMPLETE strangers your personal details ???”

  • Compare this with the way Nexus Mods handled it earlier this month to see how it can be handled well.
    Within a couple of days there was clear communication from the site on what had and hadn’t been compromised and they encouraged everyone to change their passwords just to be safe.

  • I would be tempted to boycott Steam at this point except that my entire library of games, hundreds of them, are on Steam :\
    This is not a sunk cost fallacy, this is “I don’t want to lose all my stuff” in a very literal sense…

  • One Steam user, who asked not to be identified in this story, found out on Christmas that other people had accessed his account. People had seen his name, his address, his phone number, his buying history.

    The only thing people could view was email address, purchase history, the last 4 digits of the phone number (if provided) and the last 2 digits of the credit card (if provided). Of those, the only thing of any value is the email address. The issue was only present for what, an hour I think they said?

    I’m not saying Valve shouldn’t give a complete public account of what happened, but let’s try to keep some perspective and sense of scale here. This isn’t anywhere near as big as some people (and media outlets) are making it out to be.

  • I don’t understand why Valve not responding to this issue is such a big deal. 0.38% of concurrent users or 0.03% of active users were affected. If I stub my toe on a gutter in the street I don’t expect the mayor of Melbourne to release a statement informing everyone that I’m OK and it was a slight error.
    Especially seeing as nothing of great value was seen, nor was account security really compromised.

  • Having the last four digits of your credit card number being shown should never be a problem. They are the least significant digits which is the entire reason every single site will confirm it is your card by displaying them to you. The more alarming issue is that there are systems that base their access to personal information around knowing those digits. Apple got burned by this years ago when someone’s account got hacked because Amazon had shown the last 4 digits of someone’s credit card and Apple tech support used it as a verification point for resetting your password by phone.
