Recently, security researcher xmrcat was studying Steam and discovered a specific bug. It turned out that the "offline status" does not completely hide the fact that a user logs in / out of the network.
xmrcat drew attention to the fact that it is possible to find out when a user last logged into Steam and logged out of their account:
The thing is in the technical feature of the Steam client — it transmits information about the player's activity, even if he has set the "Offline" mode:
Setting the status to "Offline" is, in fact, just a visual effect of the interface. For others, you may appear "offline", but the backend connection manager (Connection Manager, CM) still continues to transmit information about your activity through the socket.
Even "private profile" settings do not protect against this vulnerability. This allows an outsider to assess a person's sleep schedule by examining the activity of their profile.
xmrcat reported the problem to Valve, but they will not fix it:
Valve closed the report with the status "For information". Their logic is this: to receive this data packet, you need to be on the user's friends list, which means there is a "relationship of trust". In other words, Valve believes that if you added someone as a friend five years ago, then you automatically give consent for that person to be able to restore your sleep schedule — even if you have enabled a feature specifically designed to hide such activity.