From early on Christmas day, reports of the Steam store displaying other peoples’ account details to signed-in users began to appear online. Visiting the “account information” page on Steam displayed the details of a seemingly random user logged in at the same time, including their email address, billing address, purchase history and the last two digits of stored credit card numbers.
Many users also received Steam pages in a language different to their own. As the service descended into chaos, Valve took the Store completely offline on Christmas Day, preventing people from logging in. The company remained quiet on the details, not updating its Twitter account or responding to queries from worried customers. With no information available, disgruntled gamers were quick to rebrand the Steam Winter Sale as “Steam Winter Fail.”
Valve finally responded to the incident in a statement yesterday. It said 34,000 Steam users may have seen pages of “sensitive personal information” generated for other users between 11:50 a.m. PST and 1:20 p.m. PST on December 25. People who used Steam during this timeframe but did not access pages that usually display personal information are not affected.
The issues were caused by a configuration mistake on the servers of one of Steam’s web caching partners. Valve says that Steam was the victim of a DDoS attack on Christmas day that saw traffic increase by over 2,000 percent compared to the recent average.
As the company moved to mitigate the impact on users and keep the service online, it deployed caching rules to its server partners designed to store elements of webpages offsite for quicker delivery to users. One of the caching rules, enabled during the second wave of the DDoS, was incorrectly configured and began to cache the contents of sensitive pages designed to be seen by only one user.
In effect, this meant the servers would cache pages like “account information” when a user visited them. When another user requested the page, the server would see it had already been cached and simply return the copy generated for the first user, already populated with their personal details.
Valve apologized to the users affected by the mistake and will be contacting them once identified. It said: “Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on the accounts beyond the viewing of cached page information, no additional action is required by users.”
It added: “We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward. We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service.”
Steam users haven’t been impressed by the time it took Valve to respond. The company has gained a reputation for being non-communicative with its users while working to fix issues but this time let them sit for five days without any statement on who saw their details or what will happen next. Users trying to contact the company received only generic responses that apologized “for any confusion” without explaining who could see account details or what was on show.
Even now, Valve hasn’t said if the 34,000 affected users will be receiving any form of compensation. The account details put on display may not be enough to buy things on Steam but the service still has a duty to protect information like home addresses and purchase history.
