Over Christmas, we reported on Valve’s major issues with their Steam store. As we all know, Steam gets pretty busy this time of year, due to their massive holiday sale. Unfortunately, this year it ended up being a complete mess during Christmas, as users were encountering pages showing another user’s personal information. Almost a week later, Valve has finally released a statement, explaining exactly what happened.
So what did happen? Well, it started out with a DoS attack. If you’re not familiar, a DoS attack is where a group will flood a website with traffic, in an attempt to bring it down. Naturally, this is something that Valve is more than used to, and they took the appropriate action. This involved utilizing a set of caching rules managed by another company that specializes in web caching. Unfortunately, this is where things went wrong.
The caching configuration that they used started to incorrectly cache traffic for authenticated users. So when other authenticated users attempted to access certain pages, they were shown a page that belonged to someone else. This was suspected to be the case, and according to Valve, they have tracked down the issue with the caching configuration, and have taken the necessary steps to ensure that it doesn’t happen again.
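The failure mode described above, modelled as an added example (this is not Valve's or its caching partner's configuration): a toy shared cache is run once with a rule that stores every response by path and once with a rule that refuses to store per-user traffic. The origin, the session cookie format and the header checks in the corrected rule are assumptions made for illustration; the statement does not say which rule was at fault.

```python
# Constructed model of a shared cache in front of an origin server.
from dataclasses import dataclass, field

@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

def origin(req):
    """Hypothetical origin: the account page depends on the session cookie."""
    user = req.headers.get("Cookie", "").partition("session=")[2] or "anonymous"
    if req.path == "/account":
        return Response(f"billing details for {user}", {"Cache-Control": "private"})
    return Response("store front page", {"Cache-Control": "public, max-age=60"})

def cache_everything(req, resp):
    """Weak rule: store every response, keyed on the path alone."""
    return True

def cache_shared_only(req, resp):
    """Corrected rule (assumed): keep per-user traffic out of the shared cache."""
    if "Cookie" in req.headers or "Authorization" in req.headers:
        return False
    directives = {d.strip().split("=")[0].lower()
                  for d in resp.headers.get("Cache-Control", "").split(",")}
    return not (directives & {"private", "no-store"} or "Set-Cookie" in resp.headers)

class SharedCache:
    def __init__(self, may_store):
        self.may_store = may_store
        self.store = {}

    def fetch(self, req):
        if req.path in self.store:      # hit: the origin is never consulted
            return self.store[req.path]
        resp = origin(req)
        if self.may_store(req, resp):
            self.store[req.path] = resp
        return resp

def second_user_sees(may_store, path="/account"):
    """Alice loads the page first, then Bob; return the body Bob receives."""
    cache = SharedCache(may_store)
    cache.fetch(Request(path, {"Cookie": "session=alice"}))
    return cache.fetch(Request(path, {"Cookie": "session=bob"})).body
```

With the weak rule the second user is handed the first user's page from the cache; with the corrected rule each authenticated request reaches the origin, while the anonymous front page is still cached.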
Valve also specified that while information such as billing address, purchase history, and the last digits of a user’s phone number and credit card were displayed, nothing was shown that would allow someone to gain access to your account, or to make an unauthorized purchase. They are still working with their caching partner to find out which users were affected, so that they can be contacted directly and made aware. You can read the statement in its entirety here.