Steam Password Change Day 

Steam Guard notification of a login attempt from a French IP. That password was 9 days old, 30 random, reasonably high entropy characters long.

Valve seriously needs to fix their InfoSec stance. Brute force attacks should not be this easy, nor should they leak so much information about how successful they are and/or associated email addresses and 2FA info.

It's 2018, how can you trust a digital store that doesn't rate limit login attempts and leaks like a sieve?

Steam Password Change Day 

Steam Guard notification of a login attempt from a Colombian IP. That password was 8 days old, 40 characters, high entropy.

Do you trust password security in 2019?


Steam Password Change Day 

Steam Guard notifications of login attempts from a Brazilian IP and an Albanian IP. That password was 12 hours old, 40 characters, high entropy.

What the actual fuck is going on? This is ludicrous.


Steam Password Change Day 

Three nearly simultaneous Steam Guard notifications of login attempts from Russia, Mozambique, and the Canton of Geneva. That password was less than 24 hours old, 42 characters, high entropy.

In what fucking real world scenario would a person be trying to log in to the same account from IP addresses in Russia, Mozambique, and the Canton of Geneva at the same time? It might be an interesting spy drama to read, I guess?


Steam Password Change Day 

Steam Guard notification of a login attempt from a Russian IP. That password was about two months old, 47 characters, high entropy.


Steam Password Change Day 

Steam Guard notification of a login attempt from a Brazilian IP. That password at the time of breach was not even an hour and a half old! 49 characters.


Steam Password Change Day 

Steam Guard notification of a login attempt from an Indian IP. That password was 46 characters and lasted apparently almost 5 months.


Steam Password Change Day 

Steam Guard notification of a login attempt from a Chinese IP. That password was 59 characters and lasted apparently almost 10 months.


Steam Password Change Day 

Steam Guard notification of a login attempt from an unfamiliar US IP (a first time I’ve seen a US IP, wow). That password was 57 characters and lasted only a few hours. 😱

Steam Password Change Day 

Steam Guard notification last night while I was asleep of an attempt from an unfamiliar Thailand IP. That password was 61 characters and lasted almost 10 days.


Steam Password Change Day 

@max Have you tried the password "Admin"? I have had good luck with that one.

Steam Password Change Day 

@doolbneerg Wish I could yell at an Admin at Valve. This situation has me quite concerned/frustrated and Customer Support has either been unconcerned (“Steam Guard stops it though, see”) (but this attack downgrades Steam Guard to a lesser authentication method!) or victim blaming (“Our security is perfectly cromulent, you must have mal-ware or something”) (when GitHub searches suggest this is an easily found, somewhat well known leaking API hole).
