Tweet
Update (6:03PM ET): It looks as though the issue is resolved with the Store. After a lengthy period of being offline completely, the Store pages returned and seem to be in working order.
Of course, the extent of the damages from this afternoon's security breach are not yet known. We'll have more details are they are made available.
Original:
If you've been on Steam today, chances are you've already experienced this issue. If you log into Steam, you may see that you are "logged into" another user's account, but only on the Store page. This means you can view some random person's Wishlist, their friends, what games their friends want, and worse.
What's worse?
Well, if you go to your Account page via Steam (clicking your Steam Wallet funds is a quick shortcut) you can see more information than anybody should ever know about someone else's account. This includes a full email, the last few digits of their credit card on file, whether or not they are protected by Steam Guard, even the last four digits of their phone number. You can see all of that in the image at the top of this news post. I obviously hid any important bits of information from public display.
It is also possible to view the purchase history of users along with other details that should not, under any normal circumstances, be shown publicly.
I have seen unverified reports that some users exploited this security issue by purchasing games using someone else's account. With credit card and Steam Wallet information tied to someone's account, this could have very easily been used to "gift" games to the exploiter's actual account using someone else's funds. No matter how you slice it, nothing good can come from this.
Of course, the extent of the damages from this afternoon's security breach are not yet known. We'll have more details are they are made available.
Original:
If you've been on Steam today, chances are you've already experienced this issue. If you log into Steam, you may see that you are "logged into" another user's account, but only on the Store page. This means you can view some random person's Wishlist, their friends, what games their friends want, and worse.
What's worse?
Well, if you go to your Account page via Steam (clicking your Steam Wallet funds is a quick shortcut) you can see more information than anybody should ever know about someone else's account. This includes a full email, the last few digits of their credit card on file, whether or not they are protected by Steam Guard, even the last four digits of their phone number. You can see all of that in the image at the top of this news post. I obviously hid any important bits of information from public display.
It is also possible to view the purchase history of users along with other details that should not, under any normal circumstances, be shown publicly.
I have seen unverified reports that some users exploited this security issue by purchasing games using someone else's account. With credit card and Steam Wallet information tied to someone's account, this could have very easily been used to "gift" games to the exploiter's actual account using someone else's funds. No matter how you slice it, nothing good can come from this.