Steam's Christmas Day caching issue affected 34,000 users

Scorpus

Valve has apologized for an issue with Steam that occurred on Christmas Day, allowing some users to view the personal account information of others for a brief period during the day.

The company says that approximately 34,000 users were affected by the issue, which was caused by a combination of a denial of service attack and a configuration error. The configuration error was the main culprit, as it affected how Steam cached certain pages, which led to some users receiving cached pages for a different account.

Valve says that the content included on these cached pages ranged from a user's billing address, email address and purchase history, to the last four digits of their Steam Guard phone number, and the last two digits of their credit card number. The cached pages "did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user."

In what should be a relief to some users, Valve also mentions that if a user did not browse a Steam Store page with their personal information during the time frame in which the error occurred, "that information could not have been shown to another user." On top of that, Valve claims that "no unauthorized actions were allowed on accounts beyond the viewing of cached page information."

The configuration error itself arose in response to a denial of service attack that hit the Steam Store on Christmas Day. The attack essentially caused Valve to deploy page caching via a "Steam web caching partner" to reduce the load on their servers, and during "the second wave of this attack", a caching configuration was deployed that "incorrectly cached web traffic for authenticated users."

After the error was identified, which took around 90 minutes, the Steam Store was entirely shut down until the issue could be resolved. According to Valve, "no additional action is required by users" to remain secure while using the Store.

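The failure mode described in the story, a shared cache storing pages rendered for logged-in users, can be shown in a few lines. This is an added example, not code from the article, Valve, or its caching partner; the policy functions, the `/account` path, the `session` cookie and the URL-only cache key are assumptions made for illustration.

```python
# Added illustration; not code from Valve, Steam, or any caching vendor.
def get(headers, name):
    """Case-insensitive header lookup; returns '' when absent."""
    return next((v for k, v in headers.items() if k.lower() == name), "")

def weak_policy(req, resp_headers=None):
    # Failure mode: every GET is cacheable and the session is ignored.
    return req["method"] == "GET"

def strict_policy(req, resp_headers=None):
    if req["method"] != "GET":
        return False
    if get(req["headers"], "cookie") or get(req["headers"], "authorization"):
        return False  # authenticated request: skip both lookup and storage
    if resp_headers is None:
        return True   # lookup phase, no origin response yet
    if get(resp_headers, "set-cookie"):
        return False  # response establishes a session
    directives = {d.strip().split("=")[0].lower()
                  for d in get(resp_headers, "cache-control").split(",")}
    return not directives & {"private", "no-store", "no-cache"}

class SharedCache:
    def __init__(self, policy):
        self.policy, self.store = policy, {}

    def fetch(self, req, origin):
        key = req["path"]  # cache key is the URL only (assumption)
        if self.policy(req) and key in self.store:
            return self.store[key]
        resp_headers, body = origin(req)
        if self.policy(req, resp_headers):
            self.store[key] = body
        return body

def origin(req):
    # Constructed origin: renders the page for whoever the session cookie names.
    user = get(req["headers"], "cookie").partition("=")[2] or "anonymous"
    return {"Cache-Control": "private"}, f"account page for {user}"

def second_visitor_sees(policy):
    """Alice loads /account, then Bob does; return the body Bob receives."""
    cache = SharedCache(policy)
    for user in ("alice", "bob"):
        req = {"method": "GET", "path": "/account",
               "headers": {"Cookie": f"session={user}"}}
        body = cache.fetch(req, origin)
    return body
```

With `weak_policy` the second visitor receives the first visitor's page; with `strict_policy` each authenticated request goes to the origin and nothing personal is stored.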

 
I notice how this apology and explanation only happened AFTER Total Biscuit's video was published, in which he fully railed at Steam and explained how, at least in the UK, Valve could be held legally accountable.
 
I notice how this apology and explanation only happened AFTER Total Biscuit's video was published, in which he fully railed at Steam and explained how, at least in the UK, Valve could be held legally accountable.

I noticed that also. Could be they wanted a full scale sweep, along with trying to cover all their bases before making a statement. It just seemed that a large number of outcries about this sparked Valve to actually post something. Not just to a general news outlet, but actually on their own service itself.

Before it was simply "Here's what happened, and everything is fine," without the real impact of actually coming forward and talking about it early on. So I think everyone together wanting an answer really pushed them into making a statement. Likely to also hope the slate is wiped clean, because tomorrow is a new year and hopefully a new slate for them.
 
I just watched the TB video and turned it off after a few moments. Sorry but I don't find it to be an issue worth watching him flap his mouth for 27 minutes. If anyone saw my information feel free to give me a call or send a letter :)
 
I just watched the TB video and turned it off after a few moments. Sorry but I don't find it to be an issue worth watching him flap his mouth for 27 minutes. If anyone saw my information feel free to give me a call or send a letter :)
No, you are right. TB's rant was just for show and had no substance.
In the end nothing bad happened. No accounts were stolen and no sensitive information was taken.
 