Steam had some serious security issues on Christmas Day last week, as the store ended up having to be taken down for a while. An issue had sprung up that was allowing users to view accounts that were not their own, with the ability to see some personal information of the other user. The digital distribution service went back up later in the day with Valve claiming that “no unauthorized actions” had occurred. Still, we’ve been waiting for an official statement on the event.
Today, in a new post on the news channel of the Steam Store, the company released an official statement about what happened last week. Apparently, on December 25, Steam was the target of a DoS (Denial of Service) attack that helped to increase Steam traffic by 2000 percent compared with what it normally is during the Steam sale. Caching rules managed by a web caching partner were deployed at this point to minimize the impact on the store as well as continue to route legitimate user traffic.
During the second wave of the DoS attack, an incorrect caching configuration was deployed, resulting in some users seeing Steam Store responses that were generated for other users. The responses varied from seeing the store in the wrong language to being able to see the account page of other users. The store was brought down at this point to launch a new caching configuration and purge the others. Valve says that almost 34K users were affected in some way.
The information exposed varied depending on the request, but it could include a Steam user’s billing address, the last four digits of their Steam Guard phone number, purchase history, the last two digits of their credit card number and/or email address. However, it seems this information was not viewable if you didn’t browse a Steam Store page with your personal information during that time frame.
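The failure mode described above, as an added illustration that is not from Valve's statement or the original article: a toy shared cache where rules that key on the URL alone and ignore the origin's cache headers replay one user's response to another, next to rules that honour `Cache-Control` and `Vary`. The page does not give the actual configuration; `origin`, `EdgeCache`, `replay` and the two sample users are assumptions made for the example.

```python
# Added illustration: toy shared cache; every name and value here is constructed.

def origin(path, req):
    """Hypothetical origin: /account is per-user, /store depends on language."""
    if path == "/account":
        return {"Cache-Control": "private"}, "account page for " + req["Cookie"]
    headers = {"Cache-Control": "public, max-age=60", "Vary": "Accept-Language"}
    return headers, "store [" + req["Accept-Language"] + "]"


class EdgeCache:
    def __init__(self, respect_origin):
        self.respect_origin = respect_origin  # False models the incorrect rules
        self.vary = {}    # path -> request headers the origin says the body varies on
        self.store = {}   # cache key -> body

    def _key(self, path, req):
        return (path,) + tuple(req.get(h, "") for h in self.vary.get(path, []))

    def get(self, path, req):
        key = self._key(path, req)
        if key in self.store:
            return self.store[key]  # hit: served without asking the origin
        headers, body = origin(path, req)
        if not self.respect_origin:
            self.store[key] = body  # weak rule: cache everything, keyed on URL only
            return body
        cc = headers.get("Cache-Control", "")
        if "private" in cc or "no-store" in cc or "Set-Cookie" in headers:
            return body             # per-user response: never put in a shared cache
        vary = headers.get("Vary", "")
        self.vary[path] = [h.strip() for h in vary.split(",") if h.strip()]
        self.store[self._key(path, req)] = body
        return body


def replay(cache):
    """Two constructed users request the same two URLs, one after the other."""
    alice = {"Cookie": "session=alice", "Accept-Language": "en"}
    bob = {"Cookie": "session=bob", "Accept-Language": "ru"}
    return [cache.get(p, u) for u in (alice, bob) for p in ("/account", "/store")]


if __name__ == "__main__":
    print("incorrect rules:", replay(EdgeCache(respect_origin=False)))
    print("corrected rules:", replay(EdgeCache(respect_origin=True)))
```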
The company apologized for the interruption of Steam service and to everyone whose information might have been seen in any way. They’re taking steps to reach out to affected users as well:
“Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users.”
It’s definitely alarming that something like this happened, but it certainly isn’t the first time an attack has taken down a gaming service. Another attack took the PlayStation Network offline for over a month in 2011. It sounds like the information seen during the Steam attack was limited, and hopefully anyone affected doesn’t have any issues.
What do you think about the entire Steam ordeal? Were you online at the time of the attack? Let us know what you think about it all in the comments down below.