Some Steam users’ personal information was exposed for a period of time on December 25. Following a brief statement released a few hours after the problem cropped up, Valve today offered a more in-depth explanation of what happened.
“About” 34,000 Steam users’ information may have been accidentally shown to other users due to a “configuration error,” Valve explains in today’s statement. Only users who visited a page on the Steam store containing their personal information during this period (11:50 AM PST to 1:20 PM on Christmas) could have had it exposed to other users.
That’s a small reassurance, but Valve says it’s attempting to identify those whose information may have been seen. Once it’s done so, it’ll be contacting those users. In the meantime, as it said on Christmas, there’s no need to actually perform any actions, as the only thing someone would have been able to do is see other people’s cached page information. (That said, it’s probably wise to keep an eye on your credit card statements and credit report anyway.)
As for how this happened in the first place, Valve says a denial-of-service attack targeted Steam in the early morning hours of Christmas. This in and of itself is not unusual; it was the response to the attack that caused the problems.
“[C]aching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic,” Valve explains. “During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.”
Once it was discovered this was happening, the Steam store, as we already know, was taken offline for a period of time. Valve says it “remained down until we had reviewed all caching configurations, and we received confirmation that the latest configurations had been deployed to all partner servers and that all cached data on edge servers had been purged.”
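The failure mode Valve describes, and the reason it waited for a purge, can be shown with a toy edge cache. This is an added example, not Valve's or its caching partner's configuration; the `session` cookie name, the `/account` path and the `Cache-Control` values are assumptions made for the illustration.

```python
# Toy edge cache keyed by URL only. All names and values are constructed.

def origin(path, cookies):
    """Constructed origin: returns (body, Cache-Control). /account is per-user."""
    user = cookies.get("session")  # assumed cookie name
    if path == "/account":
        if user is None:
            return "please log in", "no-store"
        return f"account page for {user}", "private"
    return "store front page", "public, max-age=60"

class EdgeCache:
    def __init__(self, cache_authenticated):
        self.cache_authenticated = cache_authenticated  # True models the faulty rule
        self.store = {}

    def fetch(self, path, cookies):
        # Corrected rule: requests carrying a session cookie never touch the cache.
        bypass = "session" in cookies and not self.cache_authenticated
        if not bypass and path in self.store:
            return self.store[path]
        body, cache_control = origin(path, cookies)
        directives = {d.strip() for d in cache_control.split(",")}
        private = bool(directives & {"private", "no-store"})
        # Faulty rule stores everything; corrected rule honours the origin's directives.
        if not bypass and (self.cache_authenticated or not private):
            self.store[path] = body
        return body

    def purge(self):
        self.store.clear()

def second_visitor_sees(cache_authenticated):
    """Alice loads /account, then Bob does; return the body Bob receives."""
    edge = EdgeCache(cache_authenticated)
    edge.fetch("/account", {"session": "alice"})
    return edge.fetch("/account", {"session": "bob"})

def stale_after_fix(purge_first):
    """Fix the rule after a leak; return what a cookie-less request to /account gets."""
    edge = EdgeCache(cache_authenticated=True)
    edge.fetch("/account", {"session": "alice"})  # leaked entry is now stored
    edge.cache_authenticated = False              # corrected rule deployed
    if purge_first:
        edge.purge()
    return edge.fetch("/account", {})

if __name__ == "__main__":
    print(second_visitor_sees(True), "|", second_visitor_sees(False))
    print(stale_after_fix(False), "|", stale_after_fix(True))
```

Deploying the corrected rule alone is not enough in this model: the entry stored under the faulty rule keeps being served until the cache is purged.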
The company goes on to say it’s working to ensure this kind of thing doesn’t happen again in the future and apologizes to affected users: “We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service.”
Valve was criticized last week for what was perceived as a slow response, both in terms of a fix and an official statement. The latter ended up being sent to the media, including GameSpot, but until today there had been no official statement on Steam itself informing users that anything had happened.