It wasn’t a very merry Christmas for Steam or the countless gamers who use the service to download cheap PC games. As we reported, something went seriously screwy on the site on Christmas day, with some users finding they were able to access another user’s account. If you randomly stumbled into somebody else’s account, you had full access to their personal information, Steam Wallet funds and more.
Since the Yuletide debacle, Steam parent company Valve has remained tight-lipped about what caused the issues, and how many people were affected. Well, finally, five days after the incident, Valve has opened up about the scope of the issue in a blog post.
“On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34,000 users, which contained sensitive personal information, may have been returned and seen by other users. The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address.”
According to the post, Valve was the target of a DDoS attack on Christmas Day, but the user account issue was actually caused by Valve’s own defensive strategies.
“The Steam Store was the target of a DDoS attack which prevented the serving of store pages to users. In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users — incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.”
Finally, Valve did what they should have done days ago, and apologized for the snafu…
“We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service.”
I’m sure most people will forgive Steam for this screw-up, because we all like our Steam sales, but hopefully the next time this happens (and it probably will) Valve doesn’t take so long issuing a decree from their ivory tower.