Steam finally reacts to privacy breach issues, affected 34,000 customers

Last Updated: 31 December, 2015

On the busiest eve of Christmas, Steam, the game distribution service was taken down, after users reported that they were able to access other customer’s sensitive information on their account. Steam backed by Valve has released a statement citing a “caching issue” that did little to inspire confidence.

Valve announced today that up to 34,000 Steam members were able to view other users’ private information, including billing and email addresses, following a glitch triggered by a denial-of-service attack.

Here’s what Valve posted on its site:

On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users

In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic,” Valve writes. “During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users.

Once this error was identified, the Steam Store was shut down and a new caching configuration was deployed. The Steam Store remained down until we had reviewed all caching configurations, and we received confirmation that the latest configurations had been deployed to all partner servers and that all cached data on edge servers had been purged,” claims Valve’s statement. “We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service.

If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user, it stated.