Steam's Christmas shenanigans affected 34,000 users, Valve says

Valve delivers official statements on the Christmas outage, assuring gamers that no credit card info has been leaked.

Published Wed, Dec 30 2015 8:09 PM CST   |   Updated Tue, Nov 3 2020 12:02 PM CST

Valve explains how the Steam Christmas privacy mix up happened, and how many users were affected.

Steam's Christmas shenanigans affected 34,000 users, Valve says |

This year's Christmas turned out to be anything but merry for Steam gamers. The digital storefront was assaulted on all fronts, leading to users accidentally seeing other users sensitive account information. Billing addresses were revealed, and gamers everywhere were spooked, choosing to stay well and clear of Steam despite the holiday sale.

According to Valve's official statement, the account information of 34,000 users were seen by others. Valve says that no full credit card information was leaked and that if you didn't access the storefront between 11:50 PST and 13:20 PST "your information could not have been shown to another user". Check below for Valve's statements, and a brief synopsis detailing how the cache error happened.

"On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.

"The content of these requests varied by page, but some pages included a Steam user's billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user. Check below for Valve's statement, along with a brief explanation on how this all happened.

"Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users."

How the cache error happened

According to Valve, the error occurred because the digital storefront was assaulted on all sides. First Steam was hit with a DDoS attack, which was then handled by Valve and its third-party companies. Essentially, Valve works with its partners to block DDoS traffic while allowing legitimate traffic through. The problem was that traffic had rose by 2000% due to the Winter Sale, and Valve had to release different waves of cache rules to keep the DDoS from affecting users.

Something went wrong with the second wave of the cache rules implemented to thwart the attacks, resulting in the privacy mishap. Valve then shut the entire store down to reset everything and implement a new cache rule, bringing everything back to speed. The problem was that many Steam users had inadvertently seen other people's info.

Derek joined the TweakTown team in 2015 and has since reviewed and played 1000s of hours of new games. Derek is absorbed with the intersection of technology and gaming, and is always looking forward to new advancements. With over six years in games journalism under his belt, Derek aims to further engage the gaming sector while taking a peek under the tech that powers it. He hopes to one day explore the stars in No Man's Sky with the magic of VR.

Newsletter Subscription

Related Tags

Newsletter Subscription
Latest News
View More News
Latest Reviews
View More Reviews
Latest Articles
View More Articles