Valve releases statement on Steam's Christmas issues

chadskin

We'd like to follow up with more information regarding Steam's troubled Christmas.

What happened

On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST, store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.

The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.

If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user.

Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users.

How it happened

Early Christmas morning (Pacific Standard Time), the Steam Store was the target of a DoS attack which prevented the serving of store pages to users. Attacks against the Steam Store, and Steam in general, are a regular occurrence that Valve handles both directly and with the help of partner companies, and typically do not impact Steam users. During the Christmas attack, traffic to the Steam store increased 2000% over the average traffic during the Steam Sale.

In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.

Once this error was identified, the Steam Store was shut down and a new caching configuration was deployed. The Steam Store remained down until we had reviewed all caching configurations, and we received confirmation that the latest configurations had been deployed to all partner servers and that all cached data on edge servers had been purged.

We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward. We apologize to everyone whose personal information was exposed by this error, and for the interruption of Steam Store service.
http://store.steampowered.com/news/19852/
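The statement above describes a shared edge cache that, under an emergency rule, stored responses for authenticated requests and keyed them by URL alone; megalowho's point later in the thread, that a logged-out visitor typing the account URL would also have been served someone else's page, follows from the same rule. The following is a constructed simulation added here for illustration; it is not code from Valve or its caching partner, and the origin, session table, cookie format and traffic sequence are all invented. It compares the URL-only rule with two rules a CDN operator would normally use instead: bypassing the cache for any request carrying a session cookie, and including the session cookie in the cache key, both of which also honour `Cache-Control: private`/`no-store` from the origin.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    path: str
    cookie: Optional[str] = None   # "session=<id>" once the user has logged in


@dataclass(frozen=True)
class Response:
    body: str
    cache_control: str
    owner: Optional[str] = None    # whose personal data the page contains, if any


# Constructed session table for the simulation.
SESSIONS = {"s-alice": "alice", "s-bob": "bob"}


def session_user(req: Request) -> Optional[str]:
    if req.cookie and req.cookie.startswith("session="):
        return SESSIONS.get(req.cookie[len("session="):])
    return None


def origin(req: Request) -> Response:
    """Constructed origin: a shareable front page and a per-user account page."""
    user = session_user(req)
    if req.path == "/account":
        if user is None:
            return Response("login required", "private, no-store")
        return Response(f"account page for {user}: billing address, last 4 of phone",
                        "private, no-store", owner=user)
    return Response("store front page", "public, max-age=60")


def storable(resp: Response) -> bool:
    """True unless the origin marked the response private or no-store."""
    directives = {d.strip() for d in resp.cache_control.lower().split(",")}
    return not (directives & {"private", "no-store"})


class EdgeCache:
    """Shared cache with one of three rules:
    url_only  - key on path only; ignore cookies and Cache-Control (the failure mode)
    bypass    - requests carrying a session cookie never hit or fill the cache
    keyed     - the session cookie is part of the cache key
    The two safe rules also refuse to store private/no-store responses.
    """

    def __init__(self, rule: str):
        assert rule in ("url_only", "bypass", "keyed")
        self.rule = rule
        self.store: Dict[Tuple[str, Optional[str]], Response] = {}
        self.hits = 0

    def fetch(self, req: Request) -> Response:
        if self.rule == "bypass" and req.cookie is not None:
            return origin(req)
        key = (req.path, req.cookie if self.rule == "keyed" else None)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        resp = origin(req)
        if self.rule == "url_only" or storable(resp):
            self.store[key] = resp
        return resp


# Constructed traffic: two logged-in users, then a logged-out visitor who types the URL.
TRAFFIC = [
    Request("/", "session=s-alice"),
    Request("/account", "session=s-alice"),
    Request("/account", "session=s-bob"),
    Request("/account"),
]


def replay(rule: str) -> List[Tuple[str, str, Optional[str]]]:
    """Returns (viewer, path, owner of the page the viewer actually received)."""
    edge = EdgeCache(rule)
    out = []
    for req in TRAFFIC:
        viewer = session_user(req) or "anonymous"
        out.append((viewer, req.path, edge.fetch(req).owner))
    return out


def cross_user_leaks(rule: str) -> List[Tuple[str, str, Optional[str]]]:
    """Viewers who were served an account page belonging to someone else."""
    return [(v, p, o) for v, p, o in replay(rule) if o is not None and o != v]


if __name__ == "__main__":
    for rule in ("url_only", "bypass", "keyed"):
        print(rule, cross_user_leaks(rule))
```

Under `url_only`, Alice's account page is stored under the key `/account` and then served to Bob and to the anonymous visitor; under either safe rule nobody receives another user's page. The `keyed` rule keeps the front page cacheable for logged-in users, which is what you want during a DoS, but it only stays safe because the origin marks account pages `private`; a cache that ignores that header would still hold personal data keyed by a session token.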
 

Broken Joystick

Took long enough but I'm glad they're looking into it and contacting those affected.
 

rakkadakka

And here I thought they'd just sweep it under the rug

I think if the internet remains mad for more than a day or two Valve will respond.

There's probably a formula you could write that predicts a Valve statement in relation to the number of reddit posts about the issue.
 

kirbyfan407

So if I'm reading this correctly, the fact that I didn't go on Steam during that time and view any pages means my info couldn't have been shared with anyone? Is that right?
 

Durante

peter.metaclassofnil.com
Hmm, the only relevant parts are the billing and email addresses, but it seems like the chance of a random person who sees them having both the opportunity and the will to use these to some nefarious end is very low.

So if I'm reading this correctly, the fact that I didn't go on Steam during that time and view any pages means my info couldn't have been shared with anyone? Is that right?
Yes.
 
Alright, so it sounds like they had a system that helps them against DoS attacks (and the fact that they are regular sucks), but it had a glitch that caused the problem. Wish they had sent out a statement earlier, but it's reassuring to know they'll be trying to contact the people who had their information displayed. 34,000 people though, jeez.
 

oti

I was playing Phase 10 with the family while that happened. Guess I should write an Amazon review or something.

5/5
Saved my Steam
 

Plasma

Can't believe it took them 5 days to get that out; they really need to work on their customer support.
 

Denton

Good on Valve to provide detailed explanation. Transparency is nice.

Glad I wasn't affected though.
 

Shenmue

Er, why is everyone automatically taking their word for the 34k number?

Do you guys not remember they also said the caching issue lasted under an hour when that was patently false?
 

jay

This explains why I was having trouble checking out during that time.

What do I win?
 

Nif

So it does sound like it was one of their partners and not Valve themselves that pushed the configuration change which blew things up. Have had experiences in the past where a server host or CDN noticed suspicious activity and took matters into their own hands to fix it without notifying our company, and therefore making things worse. Glad they got things straightened out and are going to find the people affected. That must not be easy.
 
Deleted member 284

Can't believe it took them 5 days to get that out; they really need to work on their customer support.
Uh, that's a pretty damn good turnaround considering how thorough the discovery and response have been. Annoying at first, but responding in this manner during the holiday time is commendable. Compare this turnaround to how long it took other companies in similar situations.
 
Deleted member 125677
This is all I wanted to hear, gabarooni! Good show, apology accepted
 

cyba89

Maybe they wanted to figure out exactly what happened before just saying something broke.

You should not wait five days to say anything when personal user data is exposed. They should have informed their customers ASAP about this and given a more detailed explanation later.
 

megalowho

"some users" lol, anyone who hit refresh while logged in more like.
Or anyone that directed their browser to the Steam account URL, whether they were a user or not. That's my biggest issue with the statement, but at least it's a statement with new information directly from Valve.
 

Dunkley

Well it took them long enough, but good that they released a statement after all. At least now we actually have some information beyond "people got to see pages generated for others".

Shoutouts to Kotaku, Destructoid, TotalBiscuit and everyone else who kept bringing this to attention. Don't think we would have gotten a statement on this if people had just dismissed it and moved on.
 

KZXcellent

What happened was inexcusable and terrible. I'm relieved Valve's finally put out a long-overdue statement on this. Especially since it's on Steam and not a random gaming site. Kudos to the many people at Kotaku, Totalbiscuit etc. who helped give this the attention it needed.
 

Basileus777

5 days to inform users that their personal information may have been potentially compromised is a long ass time, spinning it as a quick response is utterly bizarre.
 

FoneBone

How is 5 days too long for some people? Do you expect a response as it's going on and they're figuring out wtf happened?

Yes? It's understandable that they may not have a detailed explanation on the spot for what happened and why, but their initial statement didn't offer any apology, or even acknowledge that there was a security breach.
 

BiggNife

How is 5 days too long for some people? Do you expect a response as it's going on and they're figuring out wtf happened?

When personal information is at stake I think it's pretty reasonable that people want a response as soon as humanly possible. Remember that before today, 98% of the information we had about this was gleaned from other sources, mainly SteamDB.

Yup, 0.02% of active users were affected.

34,000 is still plenty. Percentages don't mean squat.