Valve Explains Christmas Day Issue On Steam

By Rexly Peñaflorida
published

Last week on Christmas, something went wrong on Steam. As players browsed through the massive catalog of discounted games as part of the Steam Winter Sale, they saw the private information of other Steam users, such as their billing addresses, purchase history and the last two digits of their credit card number. According to Valve, the issue lasted for two hours, and then service was back to normal. Almost a week after the issue, the company finally provided details about the problem.

It started with a denial of service (DoS) attack on Steam which increased traffic to the store 2000 percent above average. The attacks are common and Valve stated that it handles the problem in-house or with the help of other companies. Once the attack was detected, a series of caching rules set by what Valve called a “Steam Web caching partner” were implemented to soften the blow on the Steam store while continuing to allow legitimate users access to the site.

However, the second wave of the DoS attack prompted another caching configuration, but it incorrectly stored data for a few authentic users. This in turn showed another user’s account on various pages, and even a change in the language presented in the store (some users saw Russian or Chinese words on the page).

In light of the error, the store closed while another cache configuration was placed. Once it was confirmed that the new processes worked and the sensitive data was no longer visible, the digital store reopened for business.

Obviously, Valve apologized for the incident and promised to work with its partners to not only identify those whose partial information was revealed, but to also improve the caching process to prevent the issue from reappearing in the future.

The fact that the DoS attack came on Christmas Day is no coincidence. During the holiday season, many players receive presents through other friends on Steam, while some also get store credit through physical gift cards. Combine that with the ever-popular Winter Sale on the site, and Steam becomes a major hub with a large volume of players who all want to spend money on heavily discounted games.

Follow Rexly Peñaflorida II @Heirdeux. Follow us @tomshardware, on Facebook and on Google+.

Rexly Peñaflorida
Topics
Gaming
Security
17 Comments Comment from the forums
  • nukemaster
    It was MORE than 2 hours and I could not get email(authentication or trade/community market) from steam for days after.

    I am not sure what else happened, but it was strange to buy games for people and not get email confirmation and be unable to log in on other computers/browsers/ect because the confirmation emails never made it.
    Reply
  • RCguitarist
    Thanks hacking nerds. Another one of those helping society things you do all the time.
    Reply
  • 10tacle
    17227306 said:
    Thanks hacking nerds. Another one of those helping society things you do all the time.

    Things like this do not make the Hacktivist community look any better, to be sure. But you also have to remember that they are not a coordinated and self-policed group. There are rogue young and up-and-comers who try and make a name for themselves or are just otherwise exploring their newfound "skills." Others are just criminals.

    In any event, one of my Christmas gifts was a Steam card for Christmas, but fortunately I was out of town spending the holidays with family and was not with my gaming PC when this went down. This is one reason why I never, EVER store any credit card info online. I've been through both Sony PSN hacks, so I leave nothing to chance anymore.
    Reply
  • TechyInAZ
    It seems like Steam is always getting hit by DOS attacks. I hope that in the future, firewalls will get good enough to prevent something like this from happening.
    Reply
  • dstarr3
    Thanks hacking nerds. Another one of those helping society things you do all the time.

    It reminds me of when Anonymous vowed to take down ISIS. It's like... yeah. Twitter hacking will bring down a terrorist organization, no problem. Go for it, guys. Thanks for your help. Now kindly step aside while the adults come in to do the real work.
    Reply
  • Alec Mowat
    You should thank the hacking nerds (on every site) for showing how vulnerable your info really is.

    On the other hand, maybe you should reconsider how much information you allow steam to hold? I certainly wasn't going to give them my phone number for "security reasons"
    Reply
  • beayn
    17227306 said:
    Thanks hacking nerds. Another one of those helping society things you do all the time.

    There are rogue young and up-and-comers who try and make a name for themselves or are just otherwise exploring their newfound "skills." Others are just criminals.

    We call these "script kiddies"
    Reply
  • Alec Mowat
    17228070 said:
    Thanks hacking nerds. Another one of those helping society things you do all the time.

    It reminds me of when Anonymous vowed to take down ISIS. It's like... yeah. Twitter hacking will bring down a terrorist organization, no problem. Go for it, guys. Thanks for your help. Now kindly step aside while the adults come in to do the real work.

    None of the accounts flagged were even ISIS accounts.
    You seem to think Anonymous supports the US agenda, they do not. They troll more often than they help.
    Reply
  • dstarr3
    17228070 said:
    Thanks hacking nerds. Another one of those helping society things you do all the time.

    It reminds me of when Anonymous vowed to take down ISIS. It's like... yeah. Twitter hacking will bring down a terrorist organization, no problem. Go for it, guys. Thanks for your help. Now kindly step aside while the adults come in to do the real work.

    None of the accounts flagged were even ISIS accounts.
    You seem to think Anonymous supports the US agenda, they do not. They troll more often than they help.

    Oh, I'm well aware that they are trolls more than they are activists or warriors. I always laugh when a Facebook friend who's watched the Matrix one too many times gets all excited about new Anonymous threats.
    Reply
  • TechyInAZ
    17228162 said:
    You should thank the hacking nerds (on every site) for showing how vulnerable your info really is.

    On the other hand, maybe you should reconsider how much information you allow steam to hold? I certainly wasn't going to give them my phone number for "security reasons"

    Agreed. I don't give them any private info for both hacking reasons and because steam doesn't need to know.
    Reply