If you were online on Christmas Day, you may have been sent into a brief panic by the sight of someone else’s personal details being shown when you tried to access your Steam account profile. Within a few hours it was deemed that nothing damaging had happened, but Valve have published an apology and follow-up to the incident, explaining just what happened.
The problem was due to a DoS attack on Steam on Christmas morning, during which Steam Store traffic increased to 2000% over average expected visitors. These kinds of attacks are a regular occurrence at Steam, and the system has a solid set of countermeasures that normally mean users don’t notice anything wrong, as legitimate traffic is still routed to the store.
Steam has a web caching partner that deploys in these situations, and this is where things went wrong. In the second wave of the DoS attack, a set of caching configurations incorrectly started to cache web traffic for authenticated users. As a result, responses meant for one user were sent to other users, which is why you could see other people’s information.
“The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user,” explained Valve in a Steam update.
“If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user.”
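The caching error described above can be reproduced in miniature with a toy shared cache, shown first with the weak rule and then with a corrected one. This is an added example, not code from Valve or its caching partner; the paths, session values and the `cache_authenticated` flag are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    path: str
    session: Optional[str] = None  # constructed session value; None means anonymous


def origin(req: Request) -> dict:
    """Hypothetical origin: /account is personalised, everything else is public."""
    if req.path == "/account":
        return {"body": f"account page for {req.session}",
                "cache_control": "private"}
    return {"body": "store front page", "cache_control": "public, max-age=60"}


@dataclass
class SharedCache:
    cache_authenticated: bool  # True models the misconfiguration (assumed flag)
    store: dict = field(default_factory=dict)

    def fetch(self, req: Request) -> str:
        # Corrected rule: authenticated requests never touch the shared cache.
        bypass = req.session is not None and not self.cache_authenticated
        if not bypass and req.path in self.store:
            return self.store[req.path]  # hit, keyed on path only
        resp = origin(req)
        # Corrected rule also honours "private"; the weak rule stores everything.
        may_store = self.cache_authenticated or "private" not in resp["cache_control"]
        if not bypass and may_store:
            self.store[req.path] = resp["body"]
        return resp["body"]


def served_to_second_user(cache: SharedCache) -> str:
    """Two logged-in users request the same path; return what the second one sees."""
    cache.fetch(Request("/account", session="alice-session"))
    return cache.fetch(Request("/account", session="bob-session"))


if __name__ == "__main__":
    print("weak rule:     ", served_to_second_user(SharedCache(cache_authenticated=True)))
    print("corrected rule:", served_to_second_user(SharedCache(cache_authenticated=False)))
```

With the weak rule the second user is served the first user's cached page; with the corrected rule each user gets their own response, while anonymous store pages are still cached.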
Anyone who was affected by the attack will be contacted by Valve when they have been identified. However, Valve emphasise that no unauthorised actions could be taken with the information made available, so no one needs to take any action.
“We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward. We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service,” said Valve.