Last week the Steam store was struck by a potentially debilitating flaw- a cache overload that displayed other users’ account information to users, leaking information such as the users’ billing address, the last four digits of their credit card numbers, their Steam wallet amount, their email ID, and the last few digits of their phone number on record.
So far, Valve has remained silent on this issue, and many had expected that the famously reticent company would forego an official statement this time around too. However, they have posted a lengthy statement on the Steam forums, explaining exactly what happened, and apologizing for their oversight.
Here is a summary of what happened and how Valve fixed it.
On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.
The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.
If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user.
Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users.
The Steam Store was the target of a DoS attack which prevented the serving of store pages to users. Attacks against the Steam Store, and Steam in general, are a regular occurrence that Valve handles both directly and with the help of partner companies, and typically do not impact Steam users.
In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users.
Once this error was identified, the Steam Store was shut down and a new caching configuration was deployed.
We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service.
Well, good on them for coming clean. I only hope that they reach out to those who were affected, and work with them to secure their information and data.