After suffering some heavy problems with Steam, Valve has now finally issued a statement on what exactly happened.

If you have no idea what issue I'm talking about, head over here for the detailed version, but long story short: for about an hour on Christmas, people who logged on to Steam would essentially log in to other people's accounts and be able to see all of their private info. Given that it was a caching issue, no one could actually change anything or purchase/trade games, but it was nonetheless a serious privacy leak.

Now, after five days of basically radio silence, Valve has finally spoken about the Christmas Steam issues. Here's the gist of it:

"On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.

The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.

If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user."

If you think you're among these 34k users who had their personal information leaked, don't panic: while the leak did reveal some sensitive personal information, nothing critical (such as credit card numbers) got through.

What I'd suggest you do is change the passwords of every account you have that shares login information with your Steam account, because even though the odds of a random guy who stumbled upon your profile being a douchebag are rather low, it's better to be safe than sorry.

As for why it happened, Valve had this to say:

"Early Christmas morning (Pacific Standard Time), the Steam Store was the target of a DoS attack which prevented the serving of store pages to users. Attacks against the Steam Store, and Steam in general, are a regular occurrence that Valve handles both directly and with the help of partner companies, and typically do not impact Steam users. During the Christmas attack, traffic to the Steam store increased 2000% over the average traffic during the Steam Sale. 

In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user."
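The failure described in that statement, a shared cache storing pages generated for logged-in users, can be reproduced in a toy model. The Python sketch below is an added example, not Valve's or its caching partner's configuration; the `session` cookie, the paths and the user names are constructed.

```python
# Toy model: one shared cache in front of one origin. The "session" cookie,
# paths and user names are constructed for this example.

def origin(path, cookies):
    """Render a page; personalised output is marked private by the origin."""
    user = cookies.get("session")
    if user is None:
        return {"body": f"{path} for anonymous",
                "cache_control": "public, max-age=60"}
    return {"body": f"{path} for {user}", "cache_control": "private, no-store"}

def storable(response):
    """True only if the origin allows a shared cache to keep the response."""
    directives = {d.strip().split("=")[0]
                  for d in response["cache_control"].split(",")}
    return not directives & {"private", "no-store"}

class SharedCache:
    def __init__(self, protect_authenticated):
        self.protect_authenticated = protect_authenticated
        self.store = {}  # keyed on path alone, as a shared page cache would be

    def fetch(self, path, cookies):
        if self.protect_authenticated and "session" in cookies:
            return origin(path, cookies)["body"]  # bypass lookup and storage
        if path in self.store:
            return self.store[path]               # served without asking origin
        response = origin(path, cookies)
        if not self.protect_authenticated or storable(response):
            self.store[path] = response["body"]
        return response["body"]

def second_visitor_sees(protect_authenticated):
    """alice loads her account page, then bob requests the same path."""
    cache = SharedCache(protect_authenticated)
    cache.fetch("/account/", {"session": "alice"})
    return cache.fetch("/account/", {"session": "bob"})

if __name__ == "__main__":
    print("cache-everything rule:", second_visitor_sees(False))
    print("bypass for sessions:  ", second_visitor_sees(True))
```

In the misconfigured mode bob receives a copy of alice's rendered page while his own session is unchanged, which is why viewers could read data but not act as the other account.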

The rest is Valve basically saying that they will continue working on this and that they will contact everyone who might have been affected by this issue. That's all well and good, but what makes me wonder is why it took them five days to give us any sort of update.

I know Valve isn't famous for their communication skills, but when a lot of Steam users go into a widespread panic because nobody knows what exactly is happening and everyone is suddenly logging in to Russian accounts, even a simple tweet from Valve explaining what they're doing to mitigate the issue would do a world of good. Certainly it would be better than utter silence.

On the positive side, at least the issue was spotted and stopped extremely quickly. It took them about an hour to shut down Steam (not an easy task) from the moment first reports on the issue started popping up. That, and the fact that the "account sharing" was only cosmetic, because I can't even begin to imagine how big of a mess this would be if anyone could mess with random accounts in whatever way they want.

For now, however, it seems that everything is back to normal, as I haven't seen any reports of issues since then. Hopefully it stays like that.
