Path of Exile

Ardenian Jun 1, 2020 @ 11:12am
Is it safe to link your Steam account to PoE forums?
I would like to post on the PoE forums, playing PoE through Steam. To do so, I have to link my Steam account to PoE on the forums. Is this a safe act? In particular, if their forums and my data there get compromised, does this also cause my Steam account and its details to get compromised?
Tincup_the_Middleman (Banned) Jun 1, 2020 @ 11:24am 
Originally posted by Ardenian:
I would like to post on the PoE forums, playing PoE through Steam. To do so, I have to link my Steam account to PoE on the forums. Is this a safe act? In particular, if their forums and my data there get compromised, does this also cause my Steam account and its details to get compromised?
It's the same login used by all companies when affiliated with Steam. It's fine. Have an authenticator tied to your Steam account to increase your account's security if you don't already.
Ardenian Jun 1, 2020 @ 11:30am 
Originally posted by Tincup_the_Middleman:
Originally posted by Ardenian:
I would like to post on the PoE forums, playing PoE through Steam. To do so, I have to link my Steam account to PoE on the forums. Is this a safe act? In particular, if their forums and my data there get compromised, does this also cause my Steam account and its details to get compromised?
It's the same login used by all companies when affiliated with Steam. It's fine. Have an authenticator tied to your Steam account to increase your account's security if you don't already.
I have one, thank you! Do you know if this "login through Steam" is something like OAuth, which allows verifying that you are a valid user without actually granting you access to anything? This is my main question, whether linking my Steam account into their forums "exposes" my account there and makes me vulnerable through it, 2FA for Steam or not.
The_Driver Jun 1, 2020 @ 11:40am 
DO NOT link your Steam account manually if you've ever played the game through Steam. In that case you have a PoE account and can log in to it via Steam (right hand side of PoE's login page). Linking a second account will REMOVE the existing link, potentially removing the only authentication method for that PoE account. If that happens only GGG's support can help you undo the damage.

And yes, probably OAuth 2.0: https://partner.steamgames.com/doc/features/auth#website
Tincup_the_Middleman (Banned) Jun 1, 2020 @ 12:03pm 
Originally posted by The_Driver:
DO NOT link your Steam account manually if you've ever played the game through Steam. In that case you have a PoE account and can log in to it via Steam (right hand side of PoE's login page). Linking a second account will REMOVE the existing link, potentially removing the only authentication method for that PoE account. If that happens only GGG's support can help you undo the damage.

And yes, probably OAuth 2.0: https://partner.steamgames.com/doc/features/auth#website
That ^

Thanx Driver.
Ardenian Jun 1, 2020 @ 3:17pm 
Originally posted by The_Driver:
DO NOT link your Steam account manually if you've ever played the game through Steam. In that case you have a PoE account and can log in to it via Steam (right hand side of PoE's login page). Linking a second account will REMOVE the existing link, potentially removing the only authentication method for that PoE account. If that happens only GGG's support can help you undo the damage.

And yes, probably OAuth 2.0: https://partner.steamgames.com/doc/features/auth#website
Thank you! For the tech noobs like myself, reading through the OAuth 2.0 text that you linked, it means that if PoE gets compromised and their data stolen/copied, my Steam account is safe?
Kotli Jun 4, 2020 @ 10:33am 
Originally posted by Ardenian:
Originally posted by The_Driver:
DO NOT link your Steam account manually if you've ever played the game through Steam. In that case you have a PoE account and can log in to it via Steam (right hand side of PoE's login page). Linking a second account will REMOVE the existing link, potentially removing the only authentication method for that PoE account. If that happens only GGG's support can help you undo the damage.

And yes, probably OAuth 2.0: https://partner.steamgames.com/doc/features/auth#website
Thank you! For the tech noobs like myself, reading through the OAuth 2.0 text that you linked, it means that if PoE gets compromised and their data stolen/copied, my Steam account is safe?

All linking the account does is share your Steam account ID code, the string of numbers that Steam assigns your account and that is used for things like friend lists etc.
All someone can do if they know it is the same as clicking on your name here and selecting view profile.
Last edited by Kotli; Jun 4, 2020 @ 10:43am
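What a site gets back from Steam's browser sign-in, as an added example (not from the thread, and not GGG's or Valve's code): Steam's website sign-in is an OpenID flow whose claimed ID is a URL ending in the 64-bit SteamID. The callback URL, site name and ID below are constructed, and the idea that the forum stores only this ID is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Claimed-ID shape for Steam's OpenID provider; both schemes are accepted here.
CLAIMED_ID_RE = re.compile(r"https?://steamcommunity\.com/openid/id/([0-9]{17})")

def steamid_from_return_url(return_url: str) -> int:
    """Pull the SteamID64 out of the sign-in callback's query string.

    A real relying party must first confirm the assertion with Steam
    (OpenID check_authentication); that network step is omitted here.
    """
    params = parse_qs(urlsplit(return_url).query)
    claimed = params.get("openid.claimed_id", [""])
    identity = params.get("openid.identity", [""])
    if len(claimed) != 1 or claimed != identity:
        raise ValueError("missing, repeated or mismatched claimed_id/identity")
    match = CLAIMED_ID_RE.fullmatch(claimed[0])
    if match is None:
        raise ValueError("claimed_id is not a Steam identifier")
    return int(match.group(1))

def decode_steamid64(steamid: int) -> dict:
    """Split the 64-bit ID into its bit fields; none of them is a secret."""
    return {
        "universe": steamid >> 56,
        "account_type": (steamid >> 52) & 0xF,
        "instance": (steamid >> 32) & 0xFFFFF,
        "account_number": steamid & 0xFFFFFFFF,
    }

def link_record(return_url: str) -> dict:
    """Hypothetical row a linking site keeps: an identifier, no credential."""
    sid = steamid_from_return_url(return_url)
    return {"steamid64": sid,
            "profile_url": f"https://steamcommunity.com/profiles/{sid}"}

# Constructed callback URL (forum.example and the ID are made up).
_ID = "https%3A%2F%2Fsteamcommunity.com%2Fopenid%2Fid%2F76561197960278073"
SAMPLE = ("https://forum.example/steam/return?openid.mode=id_res"
          f"&openid.claimed_id={_ID}&openid.identity={_ID}")

if __name__ == "__main__":
    print(link_record(SAMPLE))
    print(decode_steamid64(steamid_from_return_url(SAMPLE)))
```

The record contains no password, session cookie or authenticator secret, only the same number that appears in a public profile URL.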
Ardenian Jun 4, 2020 @ 10:43am 
Originally posted by Kotli:
Originally posted by Ardenian:
Thank you! For the tech noobs like myself, reading through the OAuth 2.0 text that you linked, it means that if PoE gets compromised and their data stolen/copied, my Steam account is safe?

All linking the account does is share your Steam account ID code, the string of numbers that Steam assigns your account and that is used for things like friend lists etc.
All someone can do if they know it is the same as clicking on your name here and selecting view profile.
I see, thank you for the clarification!
Kotli Jun 4, 2020 @ 10:45am 
Originally posted by Ardenian:
Originally posted by Kotli:

All linking the account does is share your Steam account ID code, the string of numbers that Steam assigns your account and that is used for things like friend lists etc.
All someone can do if they know it is the same as clicking on your name here and selecting view profile.
I see, thank you for the clarification!

NP glad to help.
la_nague Jun 7, 2020 @ 5:36pm 
It's just a token, I really doubt Steam gives out your logins and stuff to other companies.
The_Driver Jun 8, 2020 @ 7:53am 
It's easy to disprove safety (one counterexample suffices), it's hard to prove it (formal verification is quite complex, add to that ruling out side channels etc).

The ID itself might as well be considered public data. You advertising you're playing the game to your friend list etc is information you can never depublicate, someone might log it etc.

However an attacker that actually manages to compromise a system with a developer's API key to Steam might just leave more attack vectors open than telling other people someone played* a specific game. Not sure if e.g. game bans need to be set up as a concept, but imagine someone issuing game bans by having compromised PoE's servers. Might stain a user profile for a bit, and websites that crawl profiles might pick up on it and haunt you even after such things are removed on the official entries.

But again, that's a scenario where the compromise is way worse than just the associated steamids being leaked.

So for all we know, it's "reasonable to say 'safe enough for the time being'".

* yes, you might have an associated account without playing, the sentence is already complex enough...

Date Posted: Jun 1, 2020 @ 11:12am
Posts: 10