Valve explains "Steam's troubled Christmas"

by Mark Tyson on 31 December 2015, 08:31

Tags: Valve

Quick Link: HEXUS.net/qacxea


Valve has made a statement explaining the reasons behind "Steam's troubled Christmas". According to the official explanation, Steam served cached pages to users in response to a DoS attack, but one of its caching partners made an error and served cached copies of pages to 'other' users. The incident was widely reported as 'odd' or 'weird' rather than as a serious breach, because the cached information revealed was partly obfuscated, for example showing only the last four digits of your Steam Guard phone number or the last two digits of your credit card number. A random other user who saw your recently cached Steam page couldn't log in as you.

The DoS attack on Steam started early on Christmas morning (PST), increasing traffic to the site 20-fold. Valve is used to this kind of attack, so its web hosting partner deployed caching both to minimize the impact on Steam Store servers and to continue routing legitimate user traffic. However, in a second DoS attack wave, "a second caching configuration was deployed that incorrectly cached web traffic for authenticated users". This is what caused the 'weirdness'.

"This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user."
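The failure mode Valve describes can be reproduced with a toy shared cache. The following is an added example, not Valve's or its hosting partner's configuration (which the statement does not publish); the paths, cookie values and function names are constructed for illustration. It shows a cache that stores every response by URL next to one that refuses to store authenticated or private responses.

```python
# Added illustration: a tiny shared (edge) cache in front of a simulated origin.
# All names, paths and cookie values are constructed for this example.

def origin(path, headers):
    """Simulated store origin: /account is personalised by the session cookie."""
    user = headers.get("Cookie", "").partition("session=")[2] or "anonymous"
    if path == "/account":
        return {"headers": {"Cache-Control": "private, no-store"},
                "body": f"account page for {user}"}
    return {"headers": {"Cache-Control": "public, max-age=60"},
            "body": "store front page"}

def cache_everything(path, req_headers, resp):
    """Weak policy: every response is stored, keyed by URL only."""
    return True

def cache_shared_safe(path, req_headers, resp):
    """Corrected policy: never store authenticated or private responses."""
    if "Cookie" in req_headers or "Authorization" in req_headers:
        return False                      # request carries credentials
    if "Set-Cookie" in resp["headers"]:
        return False                      # response establishes a session
    directives = {d.strip().split("=")[0].lower()
                  for d in resp["headers"].get("Cache-Control", "").split(",")}
    return not (directives & {"private", "no-store", "no-cache"})

class EdgeCache:
    def __init__(self, may_store):
        self.may_store = may_store
        self.store = {}                   # URL path -> cached response

    def get(self, path, headers):
        if path in self.store:            # cache hit: origin is never asked
            return self.store[path]["body"]
        resp = origin(path, headers)
        if self.may_store(path, headers, resp):
            self.store[path] = resp
        return resp["body"]

def simulate(policy):
    """Two different logged-in users request the same URL through one cache."""
    cache = EdgeCache(policy)
    first = cache.get("/account", {"Cookie": "session=alice"})
    second = cache.get("/account", {"Cookie": "session=bob"})
    return first, second

if __name__ == "__main__":
    print("weak policy:     ", simulate(cache_everything))
    print("corrected policy:", simulate(cache_shared_safe))
```

Under the weak policy the second user receives the first user's account page; under the corrected policy each request reaches the origin, while anonymous pages can still be cached to absorb attack traffic.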

As soon as these errors were noticed, Valve shut down the Steam Store until all the caching configurations had been reviewed to find the cause of the problem. The caches were then purged before Steam reopened its virtual doors to the correct, legitimate users.

Valve stresses that information revealed "did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user." It was noted that only those who had browsed a Steam Store page with their personal information (such as an account page or a checkout page) in the affected time frame were involved in the weirdness. The explanatory news post is rounded off with an apology for the exposure of any personal information and the interruption of the Steam service during Christmas.



HEXUS Forums :: 10 Comments

I can't understand the mentality behind DDoS attacks, the people, and I use that term loosely, often claim it's to highlight vulnerabilities but I'm not sure what the claimed vulnerability is, if it's that they're vulnerable to DDoS what exactly do they expect companies to do about that?
so did this stop people playing their games over Christmas?
I think it only affected the store side of steam which has been buggy as hell all through the sale anyway.
ik9000
so did this stop people playing their games over Christmas?
No. I played over the holiday. It was only the store that was affected.
I think it's good that they are going to individually address to each victim, but taking so long to communicate with the community (it's the lack of communication which caused the ****storm on Reddit and Twitter more than the **** up) really damaged Valve's reputation.