Valve has now offered more information on what happened on Christmas Day, when some users of its Steam PC and Mac game download service were shown accounts other than their own on its web site. Valve said about 34,000 accounts were viewed in that fashion, due to a combination of a denial-of-service attack and an error from its web caching partner.
Valve said the attack caused traffic on the Steam site to go up by 2000%:
“In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.”
Valve said that the issue lasted for about 90 minutes before the company shut down the Steam store:
“The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.”
Valve said there were no unauthorized actions on those accounts, and as such no additional actions were needed by those users. Valve said it is contacting the users who were affected by these issues, but it did not state what it plans to offer to the owners of those Steam store accounts. It added:
“We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward. We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service.”
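The failure class Valve describes, a shared cache storing responses generated for authenticated users, can be reproduced in a few lines. The sketch below is an added illustration, not Valve's or its caching partner's configuration; the `/account` path, the `session` cookie, the URL-only cache key and all function names are assumptions made for the example.

```python
# Added illustration with constructed data; not the actual Steam caching rules.

def origin(request):
    """Hypothetical store origin: /account is rendered per session cookie."""
    user = request["cookies"].get("session")
    if request["path"] == "/account" and user:
        return {"headers": {"Cache-Control": "private"},
                "body": f"account page for {user}"}
    return {"headers": {"Cache-Control": "public, max-age=60"},
            "body": "store front page"}

def weak_rule(request, response=None):
    """Caches every response by URL, ignoring who it was generated for."""
    return True

def safe_rule(request, response=None):
    """Bypass the shared cache for authenticated requests and private responses."""
    if "session" in request["cookies"]:
        return False
    if response is not None:
        cc = response["headers"].get("Cache-Control", "")
        directives = {d.strip().split("=")[0].lower() for d in cc.split(",")}
        if directives & {"private", "no-store"} or "Set-Cookie" in response["headers"]:
            return False
    return True

class EdgeCache:
    def __init__(self, rule):
        self.rule, self.store = rule, {}

    def get(self, request):
        key = request["path"]               # key has no per-user component
        if self.rule(request) and key in self.store:
            return self.store[key]["body"]  # HIT: served without asking origin
        response = origin(request)
        if self.rule(request, response):
            self.store[key] = response
        return response["body"]

def replay(rule):
    """Two different logged-in users request /account through one shared cache."""
    cache = EdgeCache(rule)
    alice = {"path": "/account", "cookies": {"session": "alice"}}
    bob = {"path": "/account", "cookies": {"session": "bob"}}
    return cache.get(alice), cache.get(bob)

if __name__ == "__main__":
    print("weak:", replay(weak_rule))
    print("safe:", replay(safe_rule))
```

With the weak rule the second user receives the first user's account page; with the safe rule anonymous pages are still cached to absorb load while authenticated traffic goes to the origin.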