Last week, on Christmas Day, something went wrong on the popular PC gaming store Steam. Valve has now issued an apology and an explanation of what went wrong. As players browsed the massive catalog of discounted games in the Steam Winter Sale, some of them were shown other Steam users' private information, such as billing addresses, purchase history and the last two digits of a credit card number. According to Valve, the issue lasted roughly an hour and a half before service was back to normal. Almost a week after the incident, the company has finally provided details about the problem.
As we reported at the time, Steam users logging into the app on Christmas Day were randomly finding themselves logged into other users' accounts, with a bunch of personal information exposed in the process.
After about 90 minutes of this, Valve shut the Steam Store down temporarily until the problem was solved. Then, for nearly a week, we heard no explanation of what exactly went wrong, save for a rather vague statement from the company at the time.
Now Valve has revealed what went wrong. A DDoS (Distributed Denial of Service) attack hit Steam over the Christmas holiday, pushing traffic to 2,000% over its usual Holiday Sale average. When one of Valve's partner companies deployed a new caching configuration to offset the effects of the attack and keep legitimate traffic flowing, something went badly wrong.
Here’s Valve’s full explanation:
On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST, store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.
The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.
If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user.
Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users.
The whole thing started with a distributed denial of service (DDoS) attack, a brute-force form of Internet vandalism that tries to knock one or more systems offline by overwhelming their bandwidth or servers with a flood of traffic from many sources. Valve notes that during the attack, Steam traffic increased 2,000% over the average during the annual Steam Holiday Sale.
To fight back, Valve worked with a Steam web caching partner to blunt the effects of the DDoS on the user side. A web cache sits in front of the store's servers and keeps copies of responses it has already seen, so that repeated requests for the same page can be answered from the cache instead of hitting Valve's servers again. Serving stored copies this way meant less lag for people shopping in the Steam Store and far less load on the servers behind it.
Unfortunately, the caching rules deployed during the second wave of the attack were wrong in a critical way: pages that had been generated for authenticated (logged-in) users were stored in the shared cache as if they were ordinary public pages, and then handed out to other users who requested the same page. A page rendered for a logged-in user is specific to that user and must never be served from a shared cache to anyone else; that is the distinction the bad rule lost. The result: some people were fed pages of content that actually belonged to other users.
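To make the failure mode concrete, here is a toy simulation of a shared cache sitting in front of a store's web servers, with the dangerous rule beside a corrected one. It is an added example written for this article, not Valve's or its caching partner's code or configuration; the page does not say what the faulty rule actually was, so the two policies below (cache everything keyed on the path alone, versus respect Cache-Control: private and bypass the cache for requests that carry a session cookie), the origin behaviour, the session names and the page contents are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)  # a session cookie marks a logged-in user


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


# Constructed sample sessions for the example; not real Steam identifiers.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def origin(req):
    """Assumed origin server: account pages are rendered for whoever the
    session cookie identifies and are marked private; catalog pages are public."""
    user = SESSIONS.get(req.cookies.get("session", ""))
    if req.path == "/account":
        if user is None:
            return Response("login required", {"Cache-Control": "private, no-store"})
        return Response(f"account page for {user}: billing address, purchase history",
                        {"Cache-Control": "private, no-store"})
    return Response(f"public page {req.path}", {"Cache-Control": "public, max-age=60"})


class Cache:
    """Shared cache in front of the origin. The policy decides how a request is
    keyed (None means bypass the cache) and whether a response may be stored."""

    def __init__(self, policy):
        self.policy = policy
        self.store = {}
        self.hits = 0

    def fetch(self, req):
        key = self.policy.key(req)
        if key is not None and key in self.store:
            self.hits += 1
            return self.store[key]
        resp = origin(req)
        if key is not None and self.policy.cacheable(req, resp):
            self.store[key] = resp
        return resp


class CacheEverythingByPath:
    """The dangerous rule: to absorb a flood of requests, store every response
    keyed on the path alone, ignoring who asked for it."""

    def key(self, req):
        return req.path

    def cacheable(self, req, resp):
        return True


class RespectPrivate:
    """Corrected rule: bypass the cache for requests carrying a session cookie,
    and never store a response the origin marks private or no-store."""

    def key(self, req):
        return None if req.cookies else req.path

    def cacheable(self, req, resp):
        cc = resp.headers.get("Cache-Control", "")
        return not req.cookies and "private" not in cc and "no-store" not in cc


def what_bob_sees(policy_cls):
    """Alice views her account page, then Bob asks for his. Return what Bob gets."""
    cache = Cache(policy_cls())
    cache.fetch(Request("/account", {"session": "sess-alice"}))
    return cache.fetch(Request("/account", {"session": "sess-bob"})).body


def public_page_hits(policy_cls):
    """Two anonymous requests for the same catalog page; return the cache hit count."""
    cache = Cache(policy_cls())
    for _ in range(2):
        cache.fetch(Request("/app/123"))
    return cache.hits


if __name__ == "__main__":
    print("broken rule, Bob sees:   ", what_bob_sees(CacheEverythingByPath))
    print("corrected rule, Bob sees:", what_bob_sees(RespectPrivate))
    print("public page hits: broken", public_page_hits(CacheEverythingByPath),
          "corrected", public_page_hits(RespectPrivate))
```

Under the broken rule Bob receives Alice's account page straight out of the cache; under the corrected rule each logged-in user reaches the origin and gets their own page, while anonymous catalog traffic, the traffic the cache was deployed to absorb, is still served from cache. The practical check after any caching-rule change is the same as the simulation: request a logged-in page from a second, fresh session and confirm it is neither served from the cache nor stored in it.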
The Steam Store shutdown was an intentional act that Valve took once it became clear what was going on. The downtime gave Valve and its web caching partner time to fix the error and make sure it wouldn't be repeated.
If you didn't view a Steam Store page containing your personal information, such as your account or checkout page, during that window, then your information was not shown to anyone else, according to Valve, and nobody was able to log in as you or buy anything on your account either way. So if you were spending time with family instead of playing games on your PC, Santa was watching and rewarded you accordingly.
“We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward,” Valve assures us. “We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service.”
Five days seems like a long time to wait to make this clear to users. Certainly they needed to fully understand what was going on before informing the world. And mistakes happen when dealing with cyber attacks. But waiting five days to utter the words “We’re sorry, here’s what happened” seems a bit on the slow side of things, especially when users have no idea how they’ve been impacted or what sort of sensitive data has been exposed. Yes, it’s fantastic that this isn’t all cloaked in PR doublespeak. Honesty is lovely. But the silence has been deafening.
Steam is far and away the biggest digital storefront for PC gaming, with over 125 million users and over 4,500 games. I suppose when you're king of the hill, you can take your time with this sort of thing. Then again, 34,000 users is only a tiny sliver of that customer base.