Recently, Steam faced some serious security issues, and as a result the store had to be taken down for a while. An issue allowed users to view accounts that were not their own, including some of the other user's personal information. The digital distribution service went back up later in the day, with Valve claiming that “no unauthorized actions” had occurred.
Today Valve released an official statement about what happened last week in a new post on the news channel of the Steam Store. According to the statement, there was a DoS (Denial of Service) attack on December 25th. Steam was the target, and its traffic increased by a huge 2000 percent compared to normal traffic during a Steam sale. To solve this issue, Valve had to make some internal changes, and this resulted in a caching issue. Caching rules managed by a web caching partner were put in place at this point to minimize the impact on the store as well as continue to route user traffic.
During the second DoS attack, an incorrect caching configuration was deployed that resulted in some users seeing Steam Store responses that were generated by other users. As a result, some users saw Steam in the wrong language or were served a cached page from another user's account containing some of that user's key information. Valve had to shut down the Steam Store at this point to launch a new caching configuration and remove the others. Valve says that almost 34,000 users were affected in some way.
During this phase, the information that could be seen included a Steam user's billing address, the last four digits of their Steam Guard phone number, purchase history, the last two digits of their credit card number and/or email address.
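The failure mode described above, a shared cache storing per-user pages and replaying them to other visitors, can be reproduced with a toy model. This is an added example, not Valve's or its caching partner's configuration; the paths, user names and both rule sets are constructed for illustration.

```python
# Toy shared cache in front of an origin that renders per-user pages.
# Everything here (paths, users, rules) is constructed sample data.

def origin(path, user):
    """Origin renders a page for the logged-in user and marks it private."""
    return {"body": f"{path} for {user}",
            "headers": {"Cache-Control": "private, no-store"}}

def cacheable_weak(request, response):
    # Misconfigured rule: store every response, ignoring origin headers.
    return True

def cacheable_strict(request, response):
    # Corrected rule: never store private/no-store responses, responses that
    # set cookies, or responses to requests that carried credentials.
    cc = response["headers"].get("Cache-Control", "").lower()
    directives = {d.strip().split("=")[0] for d in cc.split(",") if d.strip()}
    if directives & {"private", "no-store"}:
        return False
    if "Set-Cookie" in response["headers"]:
        return False
    return not ({"Cookie", "Authorization"} & set(request["headers"]))

class SharedCache:
    def __init__(self, cacheable):
        self.cacheable = cacheable
        self.store = {}

    def fetch(self, path, user):
        request = {"path": path, "headers": {"Cookie": f"session={user}"}}
        if path in self.store:            # cache key is the path alone
            return self.store[path]["body"]
        response = origin(path, user)
        if self.cacheable(request, response):
            self.store[path] = response
        return response["body"]

def leaked_views(cacheable, visits):
    """Return (viewer, body) pairs where the body was rendered for someone else."""
    cache = SharedCache(cacheable)
    leaks = []
    for path, user in visits:
        body = cache.fetch(path, user)
        if not body.endswith(f"for {user}"):
            leaks.append((user, body))
    return leaks

VISITS = [("/account", "alice"), ("/account", "bob"), ("/account", "carol")]
```

With the weak rule, every visitor after the first receives the first visitor's account page; with the strict rule nothing per-user is ever stored, so each request reaches the origin.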
The company apologized for the interruption of Steam service and to everyone whose information might have been seen in any way. They're taking steps to reach out to affected users as well. Valve's original official statement about this issue is below.
Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users.