Data Breach Notification

So what will this mean for the massive GDPR breach?

Will you guys get fined millions or lawsuits or something?

This is a big oof.
What this post does NOT say is how we all should react now to ensure our Steam account safety. I mean... they say so themselves:

"
The attacker also viewed account information for a significant number of accounts through our portal.

For those accounts they got access to the following private information:

Email Address if the account had one associated
Steam ID if the account had one associated
IP Addresses that the account had used
Shipping address if the account had previously had physical goods sent
Current Unlock Code for unlocking accounts locked due to logging in from a different region

...

In addition there are some accounts where the attacker looked at transaction history which would have shown a list of previous purchases.



E-Mail Address, SteamID, Shipping Address... maybe even PayPal mail accounts in the list of previous purchases? Even with 2FA on Steam, that could be more than enough information to reset an account... I'm honestly sick to my stomach right now in fear of getting my Steam account stolen with that information.
GDPR called, they want stored personal data.

Probably someone else also, about not informing us directly and instantly.
A lesson to learn from. Never allow login to an admin account or access to administrative functions from any IP except the corporate VPN IP. Also 2FA on top of this.
Last edited by haones#7707 on Jan 15, 2025, 3:56:50 AM
This entire situation is just one thing after another, including how it's being handled.

Not even a global email? A forum post is how people find this out?

Honestly would rather just get a refund and go on my way at this point
"
I really look forward to 2FA being available to the wider player base to bolster the security of the entire PoE community.


Has nothing to do with this
"
A lesson to learn from. Never allow login to an admin account or access to administrative functions from any IP except the corporate VPN IP. Also 2FA on top of this.


Did you even read the post? Social engineering has nothing to do with VPN or 2FA. You people are lost
"
topsen_#5879 wrote:
"
A lesson to learn from. Never allow login to an admin account or access to administrative functions from any IP except the corporate VPN IP. Also 2FA on top of this.


Did you even read the post? Social engineering has nothing to do with VPN or 2FA. You people are lost


The only one being lost is you.
If staff account login is only possible from a specific IP on the corp-only VPN, everything could have been avoided.
Even if you got the login data + password, you can't log in with that staff account (and in the best case that account will be auto-locked) since your IP doesn't match one of the expected ones.
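The control described in the reply above (staff logins accepted only from the corporate VPN, 2FA required on top, and the account auto-locked when a valid credential shows up from the wrong network), written out as an added example. This is not code from the thread or from the game's operator; the VPN address ranges, the account model and the function names are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed placeholder ranges standing in for the corporate VPN egress networks.
CORP_VPN_RANGES = [
    ipaddress.ip_network("10.8.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),
]


@dataclass
class StaffAccount:
    """Minimal hypothetical staff account: a lock flag plus an audit trail of decisions."""
    username: str
    locked: bool = False
    events: list = field(default_factory=list)


def admin_login_decision(account, source_ip, password_ok, mfa_ok,
                         allowed_ranges=CORP_VPN_RANGES):
    """Return "allow" or "deny" for a staff-portal login attempt.

    Order of checks:
      1. a locked account is always denied;
      2. the source IP must fall inside the corporate VPN ranges, and this is
         evaluated before the credential so a stolen password is never enough;
      3. password and second factor must both succeed.
    """
    ip = ipaddress.ip_address(source_ip)

    if account.locked:
        account.events.append(("deny", "account locked", source_ip))
        return "deny"

    on_vpn = any(ip in net for net in allowed_ranges)
    if not on_vpn:
        if password_ok:
            # A correct staff password arriving from outside the VPN is a strong
            # compromise signal: lock the account so the credential is useless
            # until someone with network access reviews it.
            account.locked = True
            account.events.append(("lock", "valid credential from outside corp VPN", source_ip))
        else:
            # Wrong password from outside: deny, but do not lock, so random
            # internet noise cannot lock staff out of their own portal.
            account.events.append(("deny", "source IP not in corp VPN ranges", source_ip))
        return "deny"

    if not password_ok or not mfa_ok:
        account.events.append(("deny", "credential or MFA failure", source_ip))
        return "deny"

    account.events.append(("allow", "vpn + password + mfa", source_ip))
    return "allow"


def run_demo():
    """Walk through the scenario from the thread with constructed inputs."""
    victim = StaffAccount("support-agent")
    # Attacker holds the real password but sits outside the VPN.
    first = admin_login_decision(victim, "198.51.100.7", password_ok=True, mfa_ok=True)
    # Legitimate owner tries later from the VPN; the account is now locked.
    second = admin_login_decision(victim, "10.8.1.5", password_ok=True, mfa_ok=True)
    return first, second, victim.locked, victim.events


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The point of evaluating the network check before the credential is that the password alone, however it was obtained (phishing, a reused password, a sympathetic help desk), never gets the attacker past the portal; locking only on a correct password, not on every foreign-IP attempt, keeps the lock from becoming a denial-of-service lever.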
Hoo, boy. Hope the guy whose account it was has his resume dusted off. That's an instant termination in just about any job in this field. I know if I were their security admin, I'd be demanding as much.
So here's my problem with the post.

Reports from people who claim their account was hacked, yet their password was unchanged:

- their password hadn't been leaked to any online database (that is searchable by the public, i.e. HIBP etc.)
- they used the password/email combo only for the PoE account
- they were not using 3rd-party software apart from the generally accepted price checkers
- only the PoE2 account was affected, not the bank account, not PoE1

The fact that the statement mentions "The attacker set random passwords on 66 accounts" and "No passwords or password hashes were viewable through the customer service portal" plays completely against that? Unless there's a way for a customer support person to "log into someone's account without using email/password", the post, for this group of people, is completely worthless.

Why didn't you touch on that?
