Valve explains what happened to Steam over Christmas
Steam was hit by a DDoS attack, which resulted in a caching error that meant that users were being shown other users' personal details.
Over Christmas, some Steam users found that they were being shown account details of other users. Valve today explained what happened to the service.
The problem, which affected around 34,000 users occurred because of a caching error that was the result of a DDoS attack against Steam.
“Early Christmas morning (Pacific Standard Time), the Steam Store was the target of a DoS attack which prevented the serving of store pages to users. Attacks against the Steam Store, and Steam in general, are a regular occurrence that Valve handles both directly and with the help of partner companies, and typically do not impact Steam users. During the Christmas attack, traffic to the Steam store increased 2000% over the average traffic during the Steam Sale,” Valve explained.
“In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.”
The leaked information varied, but users could see the billing address, the last four digits of Steam Guard phone numbers, purchase history, the last two digits of credit card numbers, and/or email addresses of other users.
Finally, Valve apologised that this happened. “We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service,” it wrote.