Steam's Christmas Day debacle exposed the details of 34,000 users

Valve has now offered more information on what happened on Christmas Day, when some users of its Steam PC game download service viewed accounts on its web site other than their own. Valve said about 34,000 accounts were viewed in that fashion, due to a combination of a denial-of-service attack and an error from its web caching partner.

Valve said the attack caused traffic on the Steam site to go up by 2000%:

"In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user."
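A minimal model of the failure described in that statement, added here as an illustration and not taken from Valve or its caching partner: a shared cache that stores responses to authenticated requests, next to a rule that bypasses the cache for them. The URL-only cache key, the `session` cookie and every name in the code are assumptions, since the page does not give the actual caching rules.

```python
# Added illustration: a toy shared cache, not Valve's or its partner's rules.
# Assumption: the faulty rule stored every response keyed on the URL alone.
from dataclasses import dataclass, field

@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)  # canonical-case names assumed

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

def is_authenticated(req):
    return "Cookie" in req.headers or "Authorization" in req.headers

def origin(req):
    """Constructed origin: the page body depends on the session cookie."""
    user = req.headers.get("Cookie", "session=anonymous").split("=", 1)[1]
    cc = "public, max-age=60" if user == "anonymous" else "private, no-store"
    return Response(f"{req.path} for {user}", {"Cache-Control": cc})

def is_shareable(req, resp):
    """Corrected rule: store only what is safe to hand to any client."""
    if is_authenticated(req) or "Set-Cookie" in resp.headers:
        return False
    cc = resp.headers.get("Cache-Control", "").lower()
    return "private" not in cc and "no-store" not in cc

class SharedCache:
    def __init__(self, cache_everything):
        self.cache_everything = cache_everything  # True models the faulty rule
        self.store = {}                           # key: URL path only

    def fetch(self, req):
        bypass = is_authenticated(req) and not self.cache_everything
        if not bypass and req.path in self.store:
            return self.store[req.path]           # cache hit
        resp = origin(req)
        if self.cache_everything or is_shareable(req, resp):
            self.store[req.path] = resp
        return resp

def second_user_view(cache_everything, path="/account"):
    """Alice loads a page, then Bob requests the same URL via the same cache."""
    cache = SharedCache(cache_everything)
    cache.fetch(Request(path, {"Cookie": "session=alice"}))
    return cache.fetch(Request(path, {"Cookie": "session=bob"})).body
```

With `cache_everything=True` the second user receives the page generated for the first; with the corrected rule anonymous pages are still cached, but authenticated requests always reach the origin.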

Valve said that the issue lasted for about 90 minutes before the company shut down the Steam store:

"The content of these requests varied by page, but some pages included a Steam user's billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user."

Valve said there were no unauthorized actions on those accounts, and as such no additional actions were needed by those users. Valve said it is contacting the users who were affected by these issues, but it did not state what it plans to offer to the owners of those Steam store accounts. It added:

"We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward. We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service."

Source: Steam

21 Comments
  • Cool
  • +l929
  • Sounds like if you didn't log into Steam during that time frame you should be fine.
  • Good for me I didn't log in to Steam for about 3 months now ☺
  • It didn't matter if you were online or not. It allowed people to view your info just by looking at your profile.
  • You had to be online.
  • Not necessarily. It sounds like pages that were cached for online users were subsequently delivered to incorrect users. You would have to be logged in for pages with your information to have been cached.
  • Correct. If you didn't log in, on Xmas day, then you're fine.
  • Yes this, you had to put a request to a page for it to be cached and a random user would get it.
  • No. It only affected people that had stored information in the online cache of Steam. Meaning when you logged out your cache got deleted. Only when you were online or never logged out when exiting Steam meant that there could be data of you in the cache.
    Now tell how looking at someone's profile when they are offline will display their account??
    New level of stupidity post
  • No. I'm pretty sure it's 'cause I have a life
  • Well seems like all the servers got hit for Christmas... So who was the grinch this year???
  • I normally purchase all my games in DVD box, only digital games are from Blizzard Entertainment
  • That's a great way to miss out on a lot of games.
  • And then maybe he is fine playing the games he plays... without Steam, which is just another crappy service that does stupid things like this cache. Thank god it wasn't Microsoft, people would have gone crazy for 2 months talking about it. And no, I am fine without Steam in my life, it doesn't have all the games, and it doesn't have all the great games like Blizzard or EA.
  • Great is nothing more than an opinion. The fact is, if you only buy physical PC games, you leave yourself open to miss out on many. Truth be told, even if you buy the box for a PC game it's still digital.
  • You could just say disc boxes...or you know, whatever =P
  • Yeah, I thought I was having a problem and I was right. I kept on seeing game pages in a language that wasn't English and one user's page for about a minute.
  • Yea heard this a few days ago, sucks! Apparently you couldn't buy things as that other user though so not catastrophic.
  • Does anybody know when universal apps come for Steam? I would love Steam on my Lumia 950 XL
  • I think you'll have to keep dreaming about that. Steam is not releasing any UWP or WinPho apps at all and probably never will, unless I've missed something the past week in the deep forests of Finland w/o internet.