Valve’s official statement regarding the Steam Store technical issues on December 25 details the DoS attack and caching issues at the heart of the problem.
Five days ago on December 25, Steam suffered technical issues that led to the entire service being taken offline. The scope of the issue was unclear at the time, but social media was abuzz with Steam users saying they had viewed or accessed the personal information of other users. While the service was restored within just a few hours of being taken down, Steam made only one small statement noting the issue had been resolved. Today, five days later, Valve has released an official statement regarding the event.
The crux of the event was a DoS attack that began early Christmas morning, a not so uncommon event for major platforms during the holidays. In the event of a DoS attack like the one on December 25, Valve has partnerships with third-parties to handle various actions within Steam. One such partner handles some store web caching, which directly led to the issues on Steam:
“During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.”
Valve, after identifying the error, quickly took Steam down. They now say that the error was affecting Steam Store users between 11:50 PST and 13:20 PST, with “about 34k” users potentially vulnerable to the issue. After Steam was down, Valve reviewed their caching configurations and deployed them to their partners while ensuring that all previously cached data “on edge servers had been purged.” Steam was then brought back online and no issues have been reported since.
As for the 34,000 potentially affected Steam users, Valve was specific with regards to what kind of information could potentially have been shared:
“The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.”
Valve is currently working with their partners to identify those users whose information was shared improperly. It must be reiterated that Valve says there is no evidence of any unauthorized transactions being made as a result of this issue. Nevertheless, Valve will be reaching out to those who were affected once they’ve concluded their investigation. Valve has also apologized both to those whose information was shared, as well as for Steam’s interruption of service.
The official statement from Valve provides an impressively transparent take on the events on December 25th. Is unfortunate that it took five days for Valve to put together such a statement? Absolutely, but if that’s how long it took for Valve to feel absolutely confident in the situation, then there’s nothing else to say. It’s sad that these types of attacks continue to happen, especially during the holidays, but it’s a relief to hear that no one’s holiday will be retroactively ruined as a result.
This is likely the last we will hear about the December 25 Steam issues from Valve, unless they followup publicly when they’ve emailed those affected by the issue. Considering Valve’s tendency to remain mum unless absolutely necessary, it’s unlikely a followup will be made — or that it will be necessary.