Over the holiday, Steam experienced a serious security breach when users found they could see others’ accounts with personal information like billing addresses and credit card numbers. Over 34,000 users had their personal information exposed, as confirmed by Valve. Steam Database had released a short statement from Valve that day saying it was a caching bug that caused the security disruption, but Valve released a statement yesterday explaining what really happened. A post by Valve on the website’s news blog stated,
On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.
On Christmas Day, many people were confused and not sure what was happening to Steam. Some speculated a bug and others thought it was an attack. One Twitter user had a pretty good idea of what was going on.
Valve continued in the post,
Early Christmas morning (Pacific Standard Time), the Steam Store was the target of a DoS attack which prevented the serving of store pages to users. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.
Valve went on to explain that they shut down the Steam store and deployed a new caching configuration. They apologized to everyone who was affected and made sure to note that they were still working hard on the situation to ensure something like this wouldn’t happen again.
The attackers pushed a 2000% increase in traffic to the store and Valve responded by deploying caching rules to minimize impact and reroute the legitimate traffic. Some of the internet responded in a humorous manner, exclaiming that those without Steam could sit idly by as Steam users lit up social media with anxiety.
Even though the attack was pretty serious, you can bet it won’t be the last for Steam or any other online gaming community. You can read the full statement from Valve on their website.