Valve finally issued an official statement along with an apology Wednesday about what happened during a Christmas day incident that exposed Steam user’s personal and billing information. While the company originally described the incident as due to a bug with a caching partner, the issue came about from a denial of service (DoS) attack on the service.
As covered by the Inquisitr, Steam was taken offline on Christmas day after users were able to see sensitive information of other users. Valve laid out what happened and how many individuals were affected by the incident.
“On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.”
Only Steam users who logged into the service and browsed a page with their personal information were impacted. The information exposed included user’s billing address, the last four digits of their Steam Guard phone number, purchase history, the last two digits of their credit card number, and email address. Fortunately, this information did not include credit card numbers, passwords, or any other information that could have been used to access a user account or complete a transaction.
In fact, Valve reports that no unauthorized actions were recorded on Steam beyond being able to view the cached personal information. The company stated that it is currently working with its web caching partner to identify and contact the 34,000 affected users.
The entire Christmas day incident on Steam was precipitated by a DoS attack. It wasn’t the attack itself that caused the exposing of personal information, but a mistake during the response to attack.
“Early Christmas morning (Pacific Standard Time), the Steam Store was the target of a DoS attack which prevented the serving of store pages to users. Attacks against the Steam Store, and Steam in general, are a regular occurrence that Valve handles both directly and with the help of partner companies, and typically do not impact Steam users. During the Christmas attack, traffic to the Steam store increased 2000% over the average traffic during the Steam Sale.
“In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.”
The decision was eventually reached to bring the Steam Store down while the issues with the web caching configuration were corrected.
The incident came at an inopportune time for Valve, as the Steam Winter Sale had kicked off just a couple of days before. The time of the DoS attack and when user information was being exposed was at approximately the same time as the daily Steam Store refresh, when thousands of users log on to check the latest deals and promotions.
Valve is routinely regarded as one of the “good guys” in the gaming industry, and Steam is the service for many PC gamers. This incident became a rare black eye for both the company and store.
What do you think of Valve’s response to the Steam Christmas day incident? Sound off in the comments below.
[Image via Steam]