If you were using Steam on Christmas Day, you may have run into the security issue in which users’ information was shown to the wrong accounts before the store was shut down.
Valve Corporation has spoken up about the problem and revealed that about 34,000 users were affected as the result of a DDoS attack and a caching misconfiguration by their web caching partner made in response to the attack.
On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST, store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.
The data that might have been exposed includes the last four digits of the Steam Guard phone number, billing addresses, the last two digits of credit card numbers, purchase histories, and in some cases email addresses. Valve confirmed that a DDoS attack was partly to blame for what happened:
Early Christmas morning (Pacific Standard Time), the Steam Store was the target of a DoS attack which prevented the serving of store pages to users. During the Christmas attack, traffic to the Steam store increased 2000% over the average traffic during the Steam Sale.
They say that when the attack began, certain caching rules were put in place by one of their web caching partners. A second wave of DDoS attacks followed, after which another caching configuration was deployed. This time, however, “traffic for authenticated users” was incorrectly cached, so responses generated for one logged-in user were served to others.
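To show why caching authenticated traffic leaks data, here is an added example (not Valve's or the caching partner's code): a toy edge cache that replays two users requesting their account page under a rule that caches everything by path, and then under a rule that respects credentials and `Cache-Control`. The users, paths, session cookies and page bodies are constructed sample data.

```python
# Constructed session table: cookie value -> logged-in user.
SESSIONS = {"sid=aaa": "alice", "sid=bbb": "bob"}


def origin(req):
    """Stand-in origin server: the account page is personalised per session."""
    user = SESSIONS.get(req.get("cookie"))
    if req["path"] == "/account" and user:
        return {"cache-control": "private, no-store",
                "body": f"account page for {user}"}
    return {"cache-control": "public, max-age=60", "body": "public store front"}


def emergency_rule(req, resp):
    """Misconfigured mitigation rule: cache every response by path,
    ignoring credentials and the origin's Cache-Control header."""
    return True


def safe_rule(req, resp):
    """Store in the shared cache only when the request carries no credential
    and the origin did not mark the response private or no-store."""
    cc = {d.strip().lower() for d in resp.get("cache-control", "").split(",")}
    if "private" in cc or "no-store" in cc:
        return False
    if "cookie" in req or "authorization" in req:
        return False
    return True


def replay(rule, requests):
    """Serve requests through a shared cache keyed only by path; return the
    page body each request actually received."""
    cache = {}
    served = []
    for req in requests:
        key = req["path"]
        if key in cache:              # cache hit: whoever asked gets the stored copy
            served.append(cache[key])
            continue
        resp = origin(req)
        if rule(req, resp):
            cache[key] = resp["body"]
        served.append(resp["body"])
    return served


# Constructed traffic: Alice loads her account page, then Bob loads his.
REQUESTS = [{"path": "/account", "cookie": "sid=aaa"},
            {"path": "/account", "cookie": "sid=bbb"}]

if __name__ == "__main__":
    print(replay(emergency_rule, REQUESTS))  # Bob receives Alice's page
    print(replay(safe_rule, REQUESTS))       # each user receives their own page
```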
As soon as Valve figured out what was happening, they had to shut down the store in order to fix the incorrect caching configuration – which everyone found out firsthand.
Valve apologizes for exposing the details of some users, as well as for having to disrupt the service at such a difficult time.