BreachExchange mailing list archives

Why The Christmas Steam Debacle Is Worth Talking About


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 28 Dec 2015 18:34:01 -0700

http://www.inquisitr.com/2663630/why-the-christmas-steam-debacle-is-worth-talking-about/

When Steam went down on Christmas, many people just took it as par for the
course. Steam, among other online services, typically takes massive hits on
Christmas with people opening new consoles, PCs, or currency cards to
spend. However, while hackers typically bring down the Xbox Live and
Playstation Network services on Christmas, Steam has normally stayed pretty
stable. However, many consumers logged into Steam on Christmas to find
other consumers’ information instead of their own.

When Xbox Live and Playstation Network go down, typically that’s it — they
simply go down. The services just cease to work while the companies behind
them try to bring them back online. However, when Steam went haywire,
which, as the Inquisitr previously reported, was a caching issue, it did
more than just “go down” or “stop working” for users. Steam’s issue put
actual user information at risk by making it visible to people across the
globe.

Valve, which owns and operates Steam, made a statement regarding the issue
hours after it was ongoing, which has been relayed by Kotaku.

“Steam is back up and running without any known issues. As a result of a
configuration change earlier today, a caching issue allowed some users to
randomly see pages generated for other users for a period of less than an
hour. This issue has since been resolved. We believe no unauthorized
actions were allowed on accounts beyond the viewing of cached page
information and no additional action is required by users.”

Steam, to their credit, brought the store down, making it so that users
could not purchase new games under someone else’s account. However,
consumers could still see users’ personal information, such as emails,
account balances, and possibly credit card/PayPal information. This kind of
breach is not like what is seen with Xbox Live or PSN. The fact that the
issue made personal information available to any user, randomly, is an
incredible breach of security, one that should not go unchecked.

Many users panned the issue, stating that it’s not a big deal because they
don’t pay for Steam’s services, or that this rarely happens to the PC
storefront. However, the fact that the company is responsible for housing
and protecting consumers’ personal data is just as much a reason to hold
Steam to the same standard as Microsoft, Nintendo, and Sony. Steam’s
unwillingness to admit there was a problem at first, and their nonchalant
attitude towards consumers by offering no actual support or updates until
after the issue was resolved, left many wondering just how much damage
control they were going to be required to do on their personal accounts.

The fact that the Steam Support Twitter feed, a supposed source of
information in times just like this, was completely unresponsive during
this time further exacerbates the issue. A fan-run Twitter account,
SteamDB, was more helpful and responsive to user inquiries at this time
than Steam itself was. It’s an issue of a company that has so many users and
millions of dollars funneling into their system and bank accounts that
quality — and exemplary — customer service is unnecessary. Steam houses more
users than Xbox Live or Playstation Network, and as a result their need to
please everyone is offset by the fact that people simply continue to spend
money, especially with insane deals going on like the current Steam Winter
Sale.

Issues like this cannot be let to rest simply because they are resolved.
Steam had a massive security breach, one that put a lot of user data at
risk. Steam themselves did nothing to assuage the fears of its consumers.
The issues that occurred as a result of the Steam caching issue were more
concerning than the service simply being down, and could have had
massive ramifications had Steam not been brought down by Valve. And for any
company to simply pan the displaying of user information to other users is
a shame, especially one as well regarded as Valve’s Steam service.