In case you didn’t catch today’s news, Steam, an online gaming platform developed by Valve Corporation, suffered an egregious security breach today.
Okay, well, technically it wasn’t a security breach, it was a cache control problem, but it sure felt like one and it didn’t help that Valve failed to keep users apprised.
Everyone is steaming over Steam
Large swaths of gamers started reporting that going to the Account Details page in the upper right corner of the online portal allowed them to access a bevy of private facts from other people’s accounts.
Everything from email addresses and purchase history to credit card details could be filched with the benign click of a mouse.
There were thousands of indignant users on Reddit vilifying Valve for not acting sooner and for seemingly dissembling the facts about the problem. Many users embroiled in today’s fiasco wondered why Valve didn’t just take the server offline. Others contend that Steam was entirely culpable because the problem is merely a corollary of how web servers react.
In any case, the bottom line is that the systemic scope of the problem demanded a prompt response. Valve waited until the last minute to say anything. Everyone was waiting in worry and most people were speculating that diabolical hackers were the source of the problem.
Valve comes forward
Later in the evening a Valve spokesperson told Gamespot the following:
Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.
Okay, can I be blunt here? Do you know what I hate about these politically correct, bullshitty press releases? They sound so dishonest! And they sound like they are trying to dilute the severity of the problem.
It would be unconscionable for me to indict Valve Corporation for dissembling the facts here, but that friggin statement was cold and careless.
Valve should issue a real apology; there should be genuine contrition here.
Why did Valve wait so late for a status update? Why didn’t Valve take the site offline during the alleged “caching problem”? What I see here is a failure to accept responsibility for putting thousands of users’ accounts at risk.
At the very least, Valve should have launched an email to all affected users notifying them that they were aware of the problem and were working on it. Did that happen? Nope.
An underground community of Steam users at steamdb.info was the first to break the news.
Check out the tweet they sent earlier today:
My chief problem with Steam
The cardinal problem I have with Valve’s statement to Gamespot is perfectly captured in this phrase:
We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users
Why do you believe this, Valve? Can you please justify this assertion and give some substantive advice to all the people keeping you in business?
Thousands of Steam users’ private information, such as their billing addresses, credit cards and email addresses, is at risk! Valve should have exhorted users to unlink any PayPal accounts and monitor their credit cards for suspicious charges. Heck, they should have also offered to pay for a credit card monitoring service for all affected users.
Why punish the victims for Valve’s blunder? The logic here is unconscionable.
One last thing: I still can’t find an answer to this imponderable question: why did this happen on Christmas? The timing couldn’t have been any more unfortunate.
So what do you think?
What do you think about the Steam situation? Is Steam to blame here? Or should we blame the users for storing their sensitive data on Steam’s servers?
I realize that last question might feel inflammatory but I have to ask.
Because Steam has a track record of security problems. Back in November of 2011, hackers breached the DB and siphoned credit cards. And in July of this year, a software bug allowed anyone to reset anyone’s password by using the “Forgot Password” link, thus issuing a DoS (Denial of Service) attack on users. Without the password you can’t log in!
So what’s the deal? Where do we put the blame? With the Steam users or with Valve? Let me know in the comments how you feel about this.