This morning, Valve finally reached out to Steam users whose account information may have been exposed during last year’s Winter Steam Fail.
As you may remember, bedlam hit Steam on Christmas Day after users opened the Steam store and found themselves apparently logged in as other people. For about 90 minutes (11:50 to 13:20 PST, by Valve's own account), a configuration error caused the store to serve cached pages that had been generated for other users. Nobody could make purchases on those accounts, but the pages showed other users' personal information, including email addresses and purchase histories.
A few days later, Valve apologised and said they’d notify anyone who may have been affected. Now, they have finally done it.
“This event did not make it possible to compromise your Steam account or make a fraudulent transaction from your account, but we want you to be aware of what information could have been seen by another Steam user,” Valve wrote to affected users. “We’re sorry this happened and have taken steps to prevent this problem from occurring in the future.”
You can read the full email here:
Dear Steam User,
As you may know, for a brief period on December 25th, a configuration error resulted in some Steam users seeing incorrectly cached Steam Store pages generated for other Steam users. If you are not familiar with the issue, an overview of what happened is available at http://store.steampowered.com/news/19852/.
If you accessed the Steam Store between 11:50 PST and 13:20 PST on December 25th, your account could have been affected by this issue. If you did not use the Steam Store during that time, your account was not affected.
Between the times above, a requested web page for information about your Steam account may have been incorrectly displayed to another Steam user in your local area. This page may have included your email address, country, purchase history and last 4 digits of your phone number if one was associated with your account. It may have also included the last two digits of a credit card number or a PayPal email address, if previously saved for future purchases. It did not include full credit card numbers, Steam account passwords, or other information that would allow another user to complete a transaction with your billing information.
We are contacting you because an IP address previously used by your account to access Steam made a web page request as described above. Because IP addresses are commonly shared for home networks, mobile devices and by internet providers, we are unable to verify that your account was actually the one that made this request. For example, one affected IP address was previously used by over 1,700 Steam accounts. Consequently we are notifying all users who have previously used this IP address.
This event did not make it possible to compromise your Steam account or make a fraudulent transaction from your account, but we want you to be aware of what information could have been seen by another Steam user.
We’re sorry this happened and have taken steps to prevent this problem from occurring in the future.
If you used the store between 11:50 PST and 13:20 PST on December 25th and you have questions please email cachingissue@steampowered.com.
– Valve
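The failure mode Valve describes, a shared cache sitting in front of pages that are generated per account, reduced to a toy model. This is an added example and not Valve's code or caching configuration: the accounts, session cookies, page contents and cache rules are all constructed, and it assumes a cache that keys entries on the request path alone and never looks at the session cookie, which is one way a caching rule written for anonymous store pages can end up handing one user's account page to another.

```python
"""Toy model of a shared cache serving one user's account page to another.

Everything here is constructed for the example: the accounts, the session
cookies, the page contents and the cache rules. It assumes a cache that keys
entries on the request path alone and never looks at the Cookie header.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    body: str
    cache_control: str


# Constructed session store: cookie value -> the account it identifies.
SESSIONS = {
    "sess-A": {"name": "alice", "email": "alice@example.com", "card_last2": "42"},
    "sess-B": {"name": "bob", "email": "bob@example.com", "card_last2": "17"},
}


def origin(path: str, cookie: str, mark_private: bool) -> Response:
    """Render the account page for whoever the session cookie identifies.

    A response whose content depends on the cookie must say so
    (Cache-Control: private, no-store); otherwise an intermediary has no
    way to tell it apart from a public store page.
    """
    user = SESSIONS[cookie]
    body = f"{path}: {user['name']} <{user['email']}> card ending {user['card_last2']}"
    cache_control = "private, no-store" if mark_private else "public, max-age=300"
    return Response(body, cache_control)


@dataclass
class SharedCache:
    """A shared cache (a CDN edge, say) keyed on the path only.

    `honour_private` models the caching rule: when False the rule stores
    every successful response regardless of what the origin says, the kind
    of override a rule written for anonymous pages can introduce.
    """
    honour_private: bool
    store: dict = field(default_factory=dict)

    def get(self, path: str, cookie: str, mark_private: bool) -> Response:
        if path in self.store:
            return self.store[path]  # HIT: the cookie is never consulted
        resp = origin(path, cookie, mark_private)
        private = "private" in resp.cache_control or "no-store" in resp.cache_control
        if not (self.honour_private and private):
            self.store[path] = resp  # stored under the path alone
        return resp


def what_bob_sees(honour_private: bool, mark_private: bool) -> str:
    """Alice loads /account first, then Bob does; return Bob's page body."""
    cache = SharedCache(honour_private)
    cache.get("/account", "sess-A", mark_private)
    return cache.get("/account", "sess-B", mark_private).body


if __name__ == "__main__":
    for honour, private in [(False, False), (True, False), (False, True), (True, True)]:
        leaked = "alice" in what_bob_sees(honour, private)
        print(f"cache honours private={honour!s:5} origin marks private={private!s:5} -> "
              f"{'LEAK' if leaked else 'ok'}")
```

Only the last combination is safe. Marking the page private does nothing if the cache rule overrides the header, and a cache rule that respects the header does nothing if the origin labels a personalised page public; both sides have to agree. Keying the cache on the session as well (Vary: Cookie, or an explicit per-user cache key) also stops the cross-user leak, but it still leaves per-user data sitting at the edge, so for account pages not storing them at all is the simpler rule.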
Comments
2 responses to “Valve Finally Notifies Steam Users About The Christmas Breach”
It only took them over two months to respond. I think we should all rise and do nothing about it. And murder death kill Valve.
It looks like it probably would have taken a decent chunk of time just to parse the data. The information from the cache where the problem happened seems to only contain the IP address, not the account information, so they had to pull that data from cache logs, build a list of every account that ever used that IP (because of dynamic addresses) and then send the mail out to everyone on that list.
I mean, it’s not like this was a typical data breach or anything. No unauthorised external access occurred to the underlying data. In terms of figuring out that the above is what’s needed given the limited amount of information available, added to any time spent on possibly trying to write a more specific solution that didn’t end up giving the results they needed, I don’t think the time frame is that unreasonable. Especially since the only identifying information leaked was the email address, which I still maintain isn’t especially serious.
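The notification procedure the email lays out (and the comment above paraphrases), as an added example that is not Valve's code: take the IPs that requested an account page inside the window from the cache access log, then notify every account that has ever logged in from one of those IPs. Both log formats, every address and account id, and the year on the timestamps are constructed for the example; it generalises the email's one-IP, 1,700-account figure by showing the whole IP-to-accounts fan-out.

```python
"""Rebuild a notification list from a cache access log and a login history.

Constructed for the example: the two log formats, the IPs, the account ids
and the year on the timestamps. The window is the one given in the email.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

PST = timezone(timedelta(hours=-8))
WINDOW_START = datetime(2015, 12, 25, 11, 50, tzinfo=PST)  # year is an assumption
WINDOW_END = datetime(2015, 12, 25, 13, 20, tzinfo=PST)
ACCOUNT_PATHS = ("/account",)  # constructed: the page(s) rendered per user

# Constructed edge-cache access log: time, client IP, path, cache result.
# Both HITs and MISSes count: a MISS generated the page that got cached, and
# a HIT was handed someone else's copy; the log alone cannot say which user
# ended up on which side, so every account-page request in the window is in.
CACHE_LOG = """\
2015-12-25T11:49:59-08:00 203.0.113.7 /account HIT
2015-12-25T12:03:11-08:00 203.0.113.7 /account HIT
2015-12-25T12:10:42-08:00 198.51.100.23 /app/12345 HIT
2015-12-25T12:30:05-08:00 198.51.100.23 /account MISS
2015-12-25T13:19:59-08:00 192.0.2.88 /account HIT
2015-12-25T13:20:01-08:00 192.0.2.9 /account HIT
"""

# Constructed login history: when each account authenticated and from where.
LOGIN_LOG = """\
2015-10-04T08:00:00-08:00 account=1001 ip=203.0.113.7
2015-11-12T21:15:00-08:00 account=1002 ip=203.0.113.7
2015-12-01T09:30:00-08:00 account=1003 ip=203.0.113.7
2015-12-20T19:45:00-08:00 account=2001 ip=198.51.100.23
2015-12-25T12:29:00-08:00 account=2002 ip=198.51.100.23
2015-12-24T10:00:00-08:00 account=3001 ip=192.0.2.88
2015-12-25T13:00:00-08:00 account=4001 ip=192.0.2.9
2015-12-25T13:21:00-08:00 account=9001 ip=203.0.113.200
"""


def affected_ips(cache_log: str, start: datetime, end: datetime) -> set[str]:
    """IPs that requested an account page inside [start, end], inclusive.

    The timestamps carry their own UTC offset, so the comparison stays
    correct even if the log had been written in another zone.
    """
    ips = set()
    for line in cache_log.splitlines():
        ts, ip, path, _status = line.split()
        when = datetime.fromisoformat(ts)
        if start <= when <= end and path.startswith(ACCOUNT_PATHS):
            ips.add(ip)
    return ips


def accounts_by_ip(login_log: str) -> dict[str, set[int]]:
    """Every account that has ever authenticated from each IP, with no time
    limit: a dynamic or carrier-grade NAT address may have belonged to many
    subscribers before and after the incident, which is why one IP can fan
    out to a large number of accounts."""
    seen: dict[str, set[int]] = defaultdict(set)
    for line in login_log.splitlines():
        _ts, acct, ip = line.split()
        seen[ip.removeprefix("ip=")].add(int(acct.removeprefix("account=")))
    return seen


def notification_list(cache_log: str, login_log: str) -> dict[str, set[int]]:
    """Map each affected IP to the accounts that must be told about it."""
    by_ip = accounts_by_ip(login_log)
    return {ip: by_ip.get(ip, set())
            for ip in affected_ips(cache_log, WINDOW_START, WINDOW_END)}


def accounts_to_notify(cache_log: str, login_log: str) -> set[int]:
    """Flattened set of account ids to email."""
    return set().union(*notification_list(cache_log, login_log).values())


if __name__ == "__main__":
    for ip, accounts in sorted(notification_list(CACHE_LOG, LOGIN_LOG).items()):
        print(f"{ip:15} -> {len(accounts)} account(s): {sorted(accounts)}")
    print("notify:", sorted(accounts_to_notify(CACHE_LOG, LOGIN_LOG)))
```

The requests at 11:49:59 and 13:20:01 fall just outside the window and drop out, and account 9001, which only ever used an IP that made no account-page request, is never contacted. Account 1003 is contacted even though it last logged in from 203.0.113.7 weeks before the incident, which is the over-notification the email admits to: the join is on IP, not on session, so it cannot tell who was actually behind the address at 12:03.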