Valve explains how the Steam Christmas privacy mix-up happened, and how many users were affected.
This year's Christmas turned out to be anything but merry for Steam gamers. The digital storefront was assaulted on all fronts, leading to users accidentally seeing other users' sensitive account information. Billing addresses were revealed, and gamers everywhere were spooked, choosing to stay well clear of Steam despite the holiday sale.
According to Valve's official statement, the account information of 34,000 users was seen by others. Valve says that no full credit card information was leaked and that if you didn't access the storefront between 11:50 PST and 13:20 PST "your information could not have been shown to another user". Check below for Valve's statements, and a brief synopsis detailing how the cache error happened.
"On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.
"The content of these requests varied by page, but some pages included a Steam user's billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.
"Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users."
How the cache error happened
According to Valve, the error occurred because the digital storefront was assaulted on all sides. First Steam was hit with a DDoS attack, which was then handled by Valve and its third-party companies. Essentially, Valve works with its partners to block DDoS traffic while allowing legitimate traffic through. The problem was that traffic had risen by 2000% due to the Winter Sale, and Valve had to release different waves of cache rules to keep the DDoS from affecting users.
Something went wrong with the second wave of the cache rules implemented to thwart the attacks, resulting in the privacy mishap. Valve then shut the entire store down to reset everything and implement a new cache rule, bringing everything back up to speed. The problem was that many Steam users had inadvertently seen other people's info.
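The failure class described above, as an added example that is not code from Valve or its caching partner: a shared cache whose rule keys on the URL alone stores one user's personalised page and hands it to the next requester, while a rule that honours the origin's Cache-Control does not. The rule names, paths, session names and page contents are constructed assumptions; the page does not say what the faulty rule actually was.

```python
"""Toy shared cache in front of an origin that renders per-user pages (constructed)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def origin(path: str, session: Optional[str]) -> Response:
    """Hypothetical origin: /account is personalised, everything else is public."""
    if path == "/account":
        return Response(f"billing address of {session}",
                        {"Cache-Control": "private, no-store"})
    return Response("front page", {"Cache-Control": "public, max-age=60"})


def aggressive_rule(path: str, resp: Response) -> Optional[str]:
    """Unsafe rule: store every response under its URL, ignoring origin headers."""
    return path


def safe_rule(path: str, resp: Response) -> Optional[str]:
    """Store only responses the origin explicitly marks as shareable."""
    cc = resp.headers.get("Cache-Control", "").lower()
    directives = {d.strip().split("=")[0] for d in cc.split(",")}
    if "public" not in directives or directives & {"private", "no-store"}:
        return None  # bypass: never stored, every request goes to the origin
    return path


class EdgeCache:
    def __init__(self, rule):
        self.rule, self.store = rule, {}

    def get(self, path: str, session: Optional[str] = None) -> Response:
        if path in self.store:  # hit: served without contacting the origin
            return self.store[path]
        resp = origin(path, session)
        key = self.rule(path, resp)
        if key is not None:
            self.store[key] = resp
        return resp


def cross_user_leak(rule) -> bool:
    """Two-identity check: does bob receive a page rendered for alice?"""
    cache = EdgeCache(rule)
    cache.get("/account", session="alice")
    return "alice" in cache.get("/account", session="bob").body
```

Running `cross_user_leak` against each candidate rule before it is deployed is the same two-identity check a staging test for cache rules would perform.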