Valve Says Steam’s Christmas Malfunction Affected About 34,000 Users

Valve Says Steam’s Christmas Malfunction Affected About 34,000 Users

Valve has finally apologised for last week’s Steam Christmas disaster, explaining that they were hit by a Denial of Service attack that led to the exposure of personal information belonging to around 34,000 users.

Full statement:

We’d like to follow up with more information regarding Steam’s troubled Christmas.

What happened

On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.

The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.

If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user.

Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorised actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users.

How it happened

Early Christmas morning (Pacific Standard Time), the Steam Store was the target of a DoS attack which prevented the serving of store pages to users. Attacks against the Steam Store, and Steam in general, are a regular occurrence that Valve handles both directly and with the help of partner companies, and typically do not impact Steam users. During the Christmas attack, traffic to the Steam store increased 2000% over the average traffic during the Steam Sale.

In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimise the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.

Once this error was identified, the Steam Store was shut down and a new caching configuration was deployed. The Steam Store remained down until we had reviewed all caching configurations, and we received confirmation that the latest configurations had been deployed to all partner servers and that all cached data on edge servers had been purged.

We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward. We apologise to everyone whose personal information was exposed by this error, and for interruption of Steam Store service.


    • DDOS attacks happen to all major companies all the time. Who can say why? Could be angry customers, could be rival companies. Either way, DDOS attacks are as common as cloudy days for any major company.

  • So, around middle of the day in Australia, on a Saturday? Did I do the gymnastics right?

    Oh, and just on TB(?)

    The News at 6pm is short, sharp and concise because it has to be. Report, than move on.

    Newspapers are similar, each article says what happened, anything that remotely seems partial is properly categorised as best as possible.

    These things aren’t an exact science, but most people move on in their daily lives with an understanding that this is how things usually work.

    Youtubers, especially those near the top of whatever food chain they are linked into, muddy these waters.

    One day TB is a tastemaker. The next he is a journalist.

    He’s a consumer advocate. Next minute, he’s doing a skit.

    This act in and of itself is okay, but that’s what it is. An act. A role. A personality that is broadcast.

    I don’t watch fictional movies to trust duplicitous characters, I watch them so other characters in the story can/cannot.

    So it’s hard to separate somebody wearing all these hats when they themselves don’t make it clear and delineate whatever it is they actually want me to listen to.

    A conflict of interests, is one way to put it. Eddie McGuire for example.

    Even Eddie is subject to popular opinion and whistle-blowers, Youtubers are increasingly not. Papa Google is a Goliath that many people would rather not want to go to blows with, so New Media types get to flourish and profit off of untried, untested and un-regulated means of communication and entertainment.

    Parents with young children can probably attest – how do you keep up with the Youtube channels your kids are bombarded with?

    At least our parents had the remote control as some sort of power over us.

    TB, and other media, will need to work hard to be less Top Gear about this, and more Woodward and Bernstein. Tell us what happened, when you know it. Otherwise, pipe down and leave the opinions in the comments sections.

  • I still do not understand what or who TB is. It’s not mentioned in the article but seems to be a key point of the comments section.

    So the service was troubled for 1.5 hours, but the explanation took 6 days. 34,000 users were affected when Valve has an estimated 125 million subscribers, of which 10% could be active at any one time… so about 1 in 1000 users were affected, or 0.1%, or 1% of their active users. No hyper critical information was leaked, like entire credit card info, but some important information may have been shown. :-S

    That’s not too bad I guess. I still don’t like Steam, and prefer to use GoG. At least this problem was not as bad as initial reports suggested it might have been. :-S

    • Based on context in guessing the you tuber Total Biscuit.

      Sorry haven’t seen his video and can’t summarise but that should let you find it.

    • While TB and TB share quite a few qualities, neither had much to do with this debacle.

      The initial reports were heavily exaggerated speculation.

  • Loving the disparity between Valve’s official statement, what I’ve seen, and what users are reporting. Specifically that I see my CC details as two-digits preceded by two asterisks, which is what Valve states, yet there have been numerous users baying for blood because the last four digits of their CC was revealed.

    Guess there are always going to be people who want to kick up as much dust as possible.

  • Valve are basically the Apple of the PC gaming world, except without the massive price tag. They’ve got a cult-like status where people will tolerate pretty much any mistake simply because it’s Valve.

    If this was EA/Origin or pretty much any other game company, there’d be blood.

Show more comments

Comments are closed.

Log in to comment on this story!