Valve has issued an official statement along with an apology about what happened to their services on 25th of December 2015. The incident that exposed Steam users’ personal and billing information has been confirmed as a fault on Steam’s side while the lags and delays were being caused by the DoS (Denial of Service) attack.
Valve, initially, described the event as a caching error by a partner. The real problem occurred as a result of the DoS hacking attempt on the service. Steam went offline for most of the day on 25th of December after users reported that they were seeing sensitive information from other users.
Valve’s official statement said
On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.
According to Valve, only users who logged in to Steam that day and browsed any page with their personal information were affected. The leaked information includes financial and billing information and last four digits of the users’ Steam Guard phone number. Purchase history, Email addresses and the last two digits of credit or debit cards were also leaked. Fortunately, passwords or complete credit card numbers were not revealed so unauthorised access or transactions aren’t a possibility.
Valve reports that other than being able to view cached personal information, no unauthorised actions took place. The company said that they are working with their partner to identify and contact the 34,000 users who were affected.
Steam was the target of a DoS attack since the morning of 25th December and the service was getting an increased traffic of about 2000%. To resolve the issue, Valve enabled caching via its partner so that server load could be managed. Soon after the second wave of attack began and Steam enabled another caching configuration and that’s when the error occurred. The company incorrectly enabled the caching for authenticated users resulting in users seeing other user’s account pages or pages in wrong languages.
Valve eventually decided to turn off the Steam service. This affected Steam’s Winter Sales too. The DoS attack, the web cache configuration error and daily Steam Store Refresh all happened at approximately the same time, revealed Valve. Steam is “the” service for PC gamers and Valve is generally considered to be really dedicated towards what services it offers and its customers’ satisfaction. This incident, however, might have become a rare black eye for the online store and the company.