Support NeoGAF

[chadskin]

We'd like to follow up with more information regarding Steam's troubled Christmas.

What happened

On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.

The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.

If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user.

Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users.

How it happened

Early Christmas morning (Pacific Standard Time), the Steam Store was the target of a DoS attack which prevented the serving of store pages to users. Attacks against the Steam Store, and Steam in general, are a regular occurrence that Valve handles both directly and with the help of partner companies, and typically do not impact Steam users. During the Christmas attack, traffic to the Steam store increased 2000% over the average traffic during the Steam Sale.

In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.

Once this error was identified, the Steam Store was shut down and a new caching configuration was deployed. The Steam Store remained down until we had reviewed all caching configurations, and we received confirmation that the latest configurations had been deployed to all partner servers and that all cached data on edge servers had been purged.

We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward. We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service.

http://store.steampowered.com/news/19852/

 

[Flandy]

And here I thought they'd just sweep it under the rug

 

[KINGofCRA5H]

I figured they wouldn't say anything. Good for them.

 

[Baron von Loathsome]

34,000?

 

[Broken Joystick]

Took long enough but I'm glad they're looking into it and contacting those affected.

 

[UnluckyKate]

34,000?

seems low isn't ?

 

[Transistor]

2000% increase? That's a lot of percents

 

[pizzacat]

I'll be expecting my free copy of bad rats through email please

 

[Krejlooc]

34,000?

Yup, 0.02% of active users were affected.

 

[chaobreaker]

I figured they wouldn't say anything. Good for them.

I think it was just a matter of "when" rather than "if". I don't blame anyone for thinking otherwise, though. This came way too late.

 

[oti]

wherez ma gaddamn undertow

 

[Crono27]

But this is worse than psn and microsoft/fifa issue!!!!!!!

 

[strafer]

We apologize to everyone

All I wanted to hear.

Thank you Steam.

I will buy Half Life 3 again.

 

[rakkadakka]

And here I thought they'd just sweep it under the rug

I think if the internet remains mad for more than a day or two Valve will respond.

There's probably a formula you could write that predicts a Valve statement in relation to the number of reddit posts about the issue.

 

[CypherSignal]

seems low isn't ?

That's the number of users who got cached and later served up, not the number of users who retrieved and looked at those cached pages.

 

[joeygreco1985]

5 days is too long for them to wait to acknowledge this though. But it's valve so hail gaben and all that bullshit...

 

[Aeana]

Kudos on the quick response.

 

[Diablohead]

"some users" lol, anyone who hit refresh while logged in more like.

 

[Deleted member 465307]

So if I'm reading this correctly, the fact that I didn't go on Steam during that time and view any pages means my info couldn't have been shared with anyone? Is that right?

 

[jacobeid]

Kudos on the quick response.

poeslaw.jpg

Thanks for apologizing, Steam.

 

[Durante]

Hmm, the only relevant parts are the billing and email addresses, but it seems like the chance of a random person who sees them having both the opportunity and the will to use these to some nefarious end is very low.

So if I'm reading this correctly, the fact that I didn't go on Steam during that time and view any pages means my info couldn't have been shared with anyone? Is that right?

Yes.

 

[WhateverItTakes]

Alright, so it sounds like they had a system that helps them against DoS attacks ( and the fact they are regular sucks) but it had a glitch that caused the problem. Wish they sent out a statement earlier, but it's reassuring to know they'll be trying to contact the people who had their information displayed. 34000 people though, jeez

 

[DarkLordMalik]

34k users? Jesus, that's a lot.

Good to have a detailed statement though.

 

[oti]

I was playing Phase 10 with the family while that happened. Guess I should write an Amazon review or something.

5/5
Saved my Steam

 

[MUnited83]

seems low isn't ?

Considering how many people reported seeing several of the same accounts, it seems kinda accurate.

 

[FoneBone]

Glad that they finally said something, but five days is still an unacceptably long time.

 

[-tetsuo-]

Valve is done

 

[Plasma]

Can't believe it took them 5 days to get that out they really need to work on their customer support.

 

[maquiladora]

It almost took them as long to release a statement as it did to shut down Steam.

 

[Skytylz]

Can't believe it took them 5 days to get that out they really need to work on their customer support.

Maybe they wanted to figure out exactly what happened before just saying something broke.

 

[cw_sasuke]

Yes.

Oh okay..thats good to know.

 

[Denton]

Good on Valve to provide detailed explanation. Transparency is nice.

Glad I wasn't affected though.

 

[Shenmue]

Er why is everyone automatically taking their word for the 34k number?

Do you guys not remember they also said the caching issue lasted under an hour when that was patently false?

 

[adamantypants]

Dude that transparency... did not expect that from Valve.

 

[jay]

This explains why I was having trouble checking out during that time.

What do I win?

 

[Nif]

So it does sound like it was one of their partners and not Valve themselves that pushed the configuration change which blew things up. Have had experiences in the past where a server host or CDN noticed suspicious activity and took matters into their own hands to fix it without notifying our company, and therefore making things worse. Glad they got things straightened out and are going to find the people affected. That must not be easy.

 

[Deleted member 284]

Can't believe it took them 5 days to get that out they really need to work on their customer support.

Uh that's a pretty damn good turn arou considering how thoroughly the the discovery and response has been. Annoying at first, but responding in this manner during the holiday time is commendable. Compare this turnaround to how long it took other companies in similar situations.

 

[UnemployedVillain]

How is 5 days too long for some people? Do you expect a response as it's going on and they're figuring out wtf happened?

 

[Deleted member 125677]

This is all I wanted to hear, gabarooni! Good show, apology accepted

 

[cyba89]

Maybe they wanted to figure out exactly what happened before just saying something broke.

You should not wait five days to say anything when personal user data is exposed. They should have informed their costumers asap about this and give a more detailed explanation later.

 

[Crono27]

How is 5 days too long for some people? Do you expect a response as it's going on and they're figuring out wtf happened?

People like to watch the world burn

 

[megalowho]

"some users" lol, anyone who hit refresh while logged in more like.

Or anyone that directed their browser to the steam account URL, whether they were a user or not. That's my biggest issue with the statement.. but at least it's a statement with new information directly from Valve.

 

[Dunkley]

Well it took them long enough, but good that they released a statement after all. At least now we actually have some information beyond "people got to see pages generated for others".

Shoutouts to Kotaku, Destructoid, TotalBiscuit and everyone else who kept bringing this to attention. Don't think we would have gotten a statement on this if people had just dismissed it and moved on.

 

[KZXcellent]

What happened was inexcusable and terrible. I'm relieved Valve's finally put out a long-overdue statement on this. Especially since it's on Steam and not a random gaming site. Kudos to the many people at Kotaku, Totalbiscuit ect who helped give this the attention it needed.

 

[SliceSabre]

Yup, 0.02% of active users were affected.

And? The number affected doesn't matter it is the fact it happened that matters and those 34,000 people certainly aren't happy it happened to them.

 

[Aeana]

How is 5 days too long for some people? Do you expect a response as it's going on and they're figuring out wtf happened?

...Yes. Why is that unreasonable?

 

[Basileus777]

5 days to inform users that their personal information may have been potentially compromised is a long ass time, spinning it as a quick response is utterly bizarre.

 

[Joqu]

Glad they finally gave us that response. Took them too long but it's a good start.

 

[FoneBone]

How is 5 days too long for some people? Do you expect a response as it's going on and they're figuring out wtf happened?

Yes? It's understandable that they may not have a detailed explanation on the spot for what happened and why, but their initial statement didn't offer any apology, or even acknowledge that there was a security breach.

 

[BiggNife]

How is 5 days too long for some people? Do you expect a response as it's going on and they're figuring out wtf happened?

When personal information is at stake I think it's pretty reasonable that people want a response as soon as humanly possible. Remember that before today, 98% of the information we had about this was gleamed from other sources, mainly SteamDB.

Yup, 0.02% of active users were affected.

34,000 is still plenty. Percentages don't mean squat.