After almost a week of silence, Valve has finally explained exactly what happened over Christmas, when a number of users accidentally gained access to other users’ profile settings, revealing private email addresses, purchase histories, and PayPal details.
As it happens, around 34,000 users were affected by the issue, which Valve attributes to a “DoS attack which prevented the serving of store pages to users.” What followed was what many had assumed: the issue caused many pages which shouldn’t be cached to be cached and then served to various different users.
In a fairly detailed update on the situation, Valve said:
During the Christmas attack, traffic to the Steam store increased 2000% over the average traffic during the Steam Sale.
In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.
As you may recall, once the issue arose, Valve quickly shut down the Steam Store to prevent any further exposure of information. Valve has also given assurances that, for the 34,000 users who were affected, no unauthorised actions were allowed on accounts, despite personal information being on show.
Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users.
So there you have it. After a week of silence, you’ve got a statement from Valve which echoes everything we already knew about the issue this Christmas.
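The failure mode in Valve's statement, a shared cache storing responses generated for logged-in users, can be reproduced with a toy model. The following is an added example, not code from Valve or its caching partner; the `session` cookie name, the paths and the `strict` switch are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

def origin(req):
    """Constructed origin: /account is per-user, everything else is public."""
    user = req.cookies.get("session")
    if req.path == "/account":
        body = f"account page for {user}" if user else "login required"
        return Response(body, {"Cache-Control": "private, no-store"})
    return Response("store front page", {"Cache-Control": "public, max-age=60"})

class SharedCache:
    """Toy edge cache keyed on URL only. strict=False models the faulty rule."""
    def __init__(self, strict):
        self.strict, self.store = strict, {}

    @staticmethod
    def cacheable(resp):
        cc = resp.headers.get("Cache-Control", "").lower().split(",")
        directives = {d.strip().split("=")[0] for d in cc}
        return "public" in directives and not directives & {"private", "no-store"}

    def fetch(self, req):
        # Corrected rule: authenticated requests bypass the cache entirely.
        bypass = self.strict and "session" in req.cookies
        if not bypass and req.path in self.store:
            return self.store[req.path]
        resp = origin(req)
        # Corrected rule also honours the origin's Cache-Control directives.
        if not bypass and (not self.strict or self.cacheable(resp)):
            self.store[req.path] = resp.body
        return resp.body

def second_visitor_sees(strict, path):
    """alice requests first, then bob; return the body bob is served."""
    cache = SharedCache(strict)
    cache.fetch(Request(path, {"session": "alice"}))
    return cache.fetch(Request(path, {"session": "bob"}))
```

With `strict=False` the second visitor to `/account` is served the first visitor's page; with `strict=True` each authenticated request goes to the origin, while anonymous requests for public pages are still absorbed by the cache.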