Valve admits Xmas Steam glitch hit 34,000 users

December 31, 2015 | 11:13

Tags: #attack #cache #data-breach #ddos #insecurity #privacy #security #steam-sale

Companies: #christmas #steam #valve

Valve has finally broken its silence regarding the Steam glitch over Christmas that saw users presented with information, including card details, from others' accounts, confirming it as a caching issue.

Steam users logging in to the service on Christmas Day were surprised to find account pages that were not their own. These pages showed purchase history and payment card details for randomly-selected alternative users, leading many to worry that the service had been hijacked by attackers unknown. The official line from Valve, though, was that the problem was strictly one of a glitch in a caching engine introduced to prevent a distributed denial of service (DDoS) attack taking the service down over the festive period.

Since the issue was fixed, though, Valve has been strangely silent on the problem and its impact. It broke that silence late last night, issuing a statement which confirmed the glitch and that it had affected some 34,000 users. 'The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address,' the company has explained in the statement. 'These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user. If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user.'

The problem was linked to a switch to more aggressive caching rules implemented by an unnamed hosting partner used by Valve, following a DDoS attack which saw traffic increased by 2,000 per cent over typical Steam Sale figures. These rules, however, included a configuration error which caused pages cached for one user be presented to a completely different user - leading to the apparent breach of Christmas Day.

'Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified,' the company has confirmed. 'As no unauthorised actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users.'
Discuss this in the forums
YouTube logo
MSI MPG Velox 100R Chassis Review

October 14 2021 | 15:04