Steam's Christmas gift to you is access to someone else's account

The running joke was that Xbox Live would suffer some hideous outage today, Christmas Day, but alas it's actually Steam that takes the crown this year. A major security issue is currently in play (no pun intended) whereby users are being given gratuitous access to accounts which are not their own and a smattering of Russian for good measure.

We've not personally investigated, because frankly, we're staying clear of this hot mess. However, numerous outlets online are reporting the troubles. From PC Gamer:

"Something has gone very wrong, and the Steam Store is showing users the private information of other accounts, including partial credit card numbers, email addresses, balance and purchase history."

Furthermore, it doesn't appear to matter whether you have Steam Guard enabled or not: all accounts are seemingly affected. For now it seems the Steam Store is down, which is probably good, since you can't really use it, and the official support channels are being somewhat quiet on what's actually going on.

via PC Gamer

Richard Devine is an Editor at Windows Central. A former Project Manager and long-term tech addict, he joined Mobile Nations in 2011 and has been found on Android Central and iMore as well as Windows Central. Currently you'll find him covering all manner of PC hardware and gaming, and you can follow him on Twitter and Instagram.

87 Comments
  • Well, I hope this is a lesson for everyone. Keep your security protocols updated.
  • Did you not read, steam guard does not work....
  • Username...does not check out.
  • I did read, genius. But Valve's security protocols are like Sony's. They're for s**t. That's not exactly state's secret.
  • What is Steam? I'm actually not joking :/
  • Steam is Valve's game client program/game marketplace. Most games go through Steam for activation (DRM). EA's games go through their client called Origin.
  • So this is just for PC games I assume? Never seen anything about it on my xbox.
  • Correct.
  • Steam is like Xbox Live but for PC, just like PSN for PlayStation.
  • And people still say things about Xbox, even though it's one of the most robust networks I have seen.
  • It's certainly held up more reliably than PSN. It's also faster.
  • Yep! I tell people they can say what they want.. But paying for Xbox Live is best and we have been taken care of. PSN (when it was free), Steam (which I do like and use) and these other free like Nintendo (so far antiquated and not an experience like MS or Sony)... Anywho, I'm happy. Everything can be free. When it comes to your data, don't skimp. Companies who skimp, be it a bank, retail store, or online service, you will eventually suffer.
  • Well if it wasn't for the amount of people they employ unlike what Sony had it wouldn't've come back soon (& kim.com generous donation). As for Nintendo it's just they need to know how to scale for their current supported content on NN properly, something they needed to work on during the nwfc days
  • Nobody is immune, not even Xbox, so don't get too cocky. Xbox could be hacked tomorrow.
  • I would love to hear you say that last year when lizard squad attacked Steam, origin, psn and live, and only Steam didn't fall
  • Store itself was working but dota2 and team fortress were unplayable so...
  • Live is experiencing issues too. I wonder if it's related to the group that made threats to take down Live, PSN, etc., on Christmas day a couple weeks back. They took down Steam at that time if I recall.
  • "The running joke was that Xbox Live would suffer some hideous outage today"   On the other hand, Microsoft's websites are as slow as h-ell* and the purchase I tried to make of Stick of Truth went terribly wrong with the purchase failing but Microsoft still sending the bill and charging the credit card...So when it's not Xbox Live it's Microsoft's services. But something has to go wrong on Christmas for Microsoft every. single. year. it seems.   (*if we're adding 'murican censorship, I'll add 'murican turn-arounds)
  • On the plus side. I bet the website stayed in your own language and you were in your own account? ;-)
  • Well...Yeah. I mean...sort of. I have all my accounts and websites opening in the EN-GB version. They only automatically switch to my country's site when purchasing stuff. But nothing changed to Russian at least lol)
  • Rich you might want to update the article as this has now been fixed and was caused by a caching issue (see the PC gamer article you linked).
  • It was slow on WP store as well
  • Do you know if we're supposed to change our password or something like that?
  • You can, and you should if you logged in (3:00 to 4:10)ish MST.   But if you didn't log in, it won't apply to you. Basically, when you click a page, it creates it for you and saves it (cache); the reason it saves it is in case you need it again. It goes away after a while. What happened was, someone would request the page, it'd save it, then you'd get somebody else's saved page.
  • You can revoke the PayPal access through the PayPal site. As for people's credit cards, monitor, and I hope you know how to dispute charges if needed.
  • If you dispute a Steam charge with your card company, Valve will close your account and ban you. They don't like consumer rights.
  • Even if the fault is their own? Like is the case here
  • Yes, even then. Mind you, this hasn't been tested with a mass issue like this one. Fancy being the guinea pig?
  • Good thing my credit card is never linked to my steam acc.
  • Merry Xmas! Happy New Year!
  • My steam homepage had everything in Spanish when I logged on an hour ago. This could explain it.
  • I had Swedish and Russian mixed
  • It's a problem with their caching-server (varnish), caching pages that should not be cached (such as Account-Details, Cart, etc.). It invalidates after some time and is re-cached when the next user visits the page with their profile. You are not actually logged in (as in, you take over the session of the user), you just see pages rendered for others than yourself. This is why different parts of steam appear as different users. Which page you see is probably dependent on the edge node (first server you connect to) closest to you, hence why different users see different profiles. My guess to how this could've happened is that an untested configuration got activated when steam went down earlier, e.g. due to an auto-conf service (puppet, chef) pulling an untested config or some of their live servers being replaced by staging / development servers. It's also possible that they were under heavy load and the engineer on duty reconfigured all their edge nodes to cache more aggressively. Let's hope they fix this fast, because this is a major data leak. I can see private E-Mail and account names. Let's hope their cache server is not delivering internal pages. Credit to: https://www.reddit.com/user/mrallon
  • Thanks for the info. So, if you don't make any purchase you're fine?
  • Steam store is down, you can't make any purchase. The only risk you had was someone able to see your email address, phone number and credit card. If you are using PayPal you can go on the PayPal website and unlink the Steam account
  • Steam is running up again
  • Yup, I was on Steam last night, and everything seemed fine.
  • Thanks for the in-depth technical info, much appreciated.
  • Thank you, good info to support my future install of gifts and new account I tried installing for someone today. Wasn't fun.
  • No wonder that other guy wants to ban the internet if he becomes prez of... I love the internet, the possibilities are vast.
  • That other guy= Donald Duck
  • Donald Duck is awesome.
  • I would vote for the duck LOOOONG before I ever considered voting for that asshat Trump...
  • https://en.wikipedia.org/wiki/Donald_Duck_Party
  • Well I can't even seem to log in so...
  • If only Boonty Box was still a thing
  • Thank god I don't save my credit card detail on Steam
  • Okay so I do have my Paypal connected, but that only has my bank account linked and not a creditcard. Is that still exposed now or am I in the clear?
  • If you didn't sign in in the last two (ish) hours, you're fine. (3:00-4:10 MST)   If you signed in, but didn't view your account info pages, or sign into any third party websites (such as trading websites) you should be ok, can't promise though.   If you viewed, removed, or added your PayPal info, then you are not in the clear.   Hope this helps, so sorry if the third one applies to you :(
  • I'm in the clear then. Thanks for the info mate :)
  • How come you see a risk if I was logged in but did not view my account pages (i.e. did not cause the server to cache them) but no risk if I was not logged in at all? If you are saying that the page might have been cached without my doing, I don't really see a connection to my login-status.
  • This is the best preseNT ever!
  • This is the best eXPerience ever!
  • It looks like Microsoft was able to thwaRT the attack on Xbox Live?
  • Xbox Live didn't go down this tiME!
  • ^THIS
  • Hasta la VISTA, hax0r$!
  • It's back working again.
  • You had one job Phantom Squad...
  • I read PSN also dropped the ball this Christmas. Not really surprised, if I'm honest. It seems to be a regular occurrence on PS4.
  • In what way?
  • They are/were having issues if you wanted to sign up for a new psn account. So I suppose if a person got a new ps4 and its their first Sony system it might be an issue. Not quite as big of a deal.
  • I just noticed with every click it changed regions-language and some games say I already own them, it's not that you can go and play games from someone's account
  • Official support is quiet on the matter? So you mean it's like normal. Steam support is terrible.
  • IMHO, This is what PC MASTER RACE people get.
  • So your humble opinion is that this is good because a few fanboys annoy you which justifies as karma that over 125 million peoples' information is compromised?
  • Another reason console gaming is king, all day long.
  • What was the first reason?
  • Driver updates, constant tweaking, upgrading video cards every year just to maintain performance because the $300 video card you bought 6 months ago isn't optimized for the latest greatest game but the new $300 card just out is. On the other hand I appreciate the choice PC gaming provides. Midrange - Go Microsoft Xbox One, mid to high-end - Go Microsoft Windows 10 with or without Steam.
  • People like you really make me wonder what goes through your head, so in your opinion, driver updates are bad, that's like saying Xbox updates are bad for your Xbox. A $300 card will last you way more than three years.
  • @Akira X - what a load of nonsense. Xbox still has updates and driver updates on PC are practically invisible to the end-user these days. "Constant tweaking" of what?? I don't tweak anything. I set everything to Ultra and play my game. Upgrade video cards every year? That is the biggest load of bollocks - my video card is exactly 4.5 years old (bought mid-2011) and still runs like a champion on Ultra settings. Maybe if you buy the cheapest ****, then you might need to keep upgrading - but I got a mid to high-end card that works great. I'm not saying consoles are bad, as I have an Xbox 360 and a PS3 - but these days I prefer to game on PC. I will probably get an Xbox One for Halo, and to play my stack of games from Games With Gold. PC gaming almost always trumps console gaming - higher resolution, better graphics and draw depth, higher framerates, smoother performance etc. I don't think anyone has ever said "console gaming is king" except you, and you're clearly deluded. @jacob114489 - exactly right.  
  • Yeah because it's impossible that services as PSN or Xbox Live could ever be hacked or have outages!   Oh wait, it isn't.    I could now make a joke about how stupid console gamers are, but I don't think it's necessary 
  • Lol
  • I was wondering why my name and account information was in another language. I thought it was Polish but I don't know Russian or Polish. I figured I clicked the wrong link.
  • I thought I compromised dad's new pc, steam account and games. Saw an aol address, I've never used aol, and funds in my wallet, never use the wallet. Huh? Spent an hour trying to access the account from multiple devices after seeing that info, borked from there, 3:30 EST. Deleted it all and checked the account on my pc at home, could finally reconnect and change the password. We'll see if he'll want it installed again, not good confidence for him.
  • Ok
  • Well it's Christmas. Go to church, read a book or go and have fun with your girl/boy friend. Or go to your local pub and meet new plebz. All better than gaming
  • I didn't even turn on my PC this Christmas, spent all day with the family.
  • Amen to that.
  • I prefer to sit around and worship my Pagan Christmas tree
  • But I love how nobody hacked uplay or origin rofl
  • Steam wasn't hacked, it was a software issue.
  • We will see the extent of the fallout in a few days with the official statement from Steam. Until then I am just happy I changed my password a year ago to a randomly generated one. It's a major pain in the *** to set up a new system but it is unique so nothing else is in peril if it were to be stolen.
    Also I did not sign in yesterday so I should be fine with my cc details (hopefully).
  • Glad it's fixed, though I didn't log in because, you know, it was Christmas and I wanted to spend it with my loved ones. Oh well.
  • Good thing I use PayPal
  • Oh dear.....
  • no problems here. i purchased 2 games today. one for 3.00 and another for 13.00 ahh my purchase history lol.
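
The caching failure described in the comments above (a shared cache storing pages rendered for one user and serving them to the next visitor), shown as an added example that is not from the article, the commenters or Valve. The origin, paths, cookie name and users are all constructed, and the toy cache stands in for an edge node; it is not Varnish configuration.

```python
# Toy shared (edge) cache. All names, paths and users below are constructed.

def origin(path, cookies):
    """Hypothetical origin: /account is rendered per user, /store is public."""
    user = cookies.get("session", "anonymous")
    if path == "/account":
        return {"headers": {"Cache-Control": "private, no-store"},
                "body": f"account page for {user}"}
    return {"headers": {"Cache-Control": "public, max-age=60"},
            "body": "store front page"}

def is_shareable(request_cookies, response):
    """Conservative rule: never store personalised responses in a shared cache."""
    directives = {d.strip().split("=")[0].lower()
                  for d in response["headers"].get("Cache-Control", "").split(",")}
    if directives & {"private", "no-store", "no-cache"}:
        return False                       # origin said: not for shared caches
    if "Set-Cookie" in response["headers"]:
        return False                       # response carries a user's cookie
    return "session" not in request_cookies  # request came from a logged-in user

class EdgeCache:
    def __init__(self, respect_privacy):
        self.respect_privacy = respect_privacy
        self.store = {}  # keyed by URL path only, shared by every visitor

    def get(self, path, cookies):
        if path in self.store:
            return self.store[path]["body"]  # cache hit: origin is never asked
        response = origin(path, cookies)
        if not self.respect_privacy or is_shareable(cookies, response):
            self.store[path] = response
        return response["body"]

def demo(respect_privacy):
    cache = EdgeCache(respect_privacy)
    cache.get("/account", {"session": "alice"})       # alice loads her page first
    return cache.get("/account", {"session": "bob"})  # what does bob receive?

if __name__ == "__main__":
    print("misconfigured:", demo(False))  # bob is served alice's rendered page
    print("corrected:    ", demo(True))   # bob's request goes to the origin
```

In the misconfigured case bob never holds alice's session; he only receives the page that was rendered for her, which matches the behaviour the commenters describe.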