Steam confirms DoS revealed 34K user details

A denial-of-service attack was responsible for Steam account details being revealed to other users and the service shutting down on Christmas Day, with the company working on identifying affected users.
Written by Corinne Reichert, Contributor

Gaming platform Steam has confirmed that a denial-of-service (DoS) attack took place on Christmas Day, which it said caused the sensitive personal information of around 34,000 users to be returned to, and possibly seen by, other users.

Between 11.50am PST and 1.20pm PST on December 25, a "configuration error" meant some users saw Steam Store pages that had been generated for other users.

"The content of these requests varied by page, but some pages included a Steam user's billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address," Valve explained in a statement on its website.

"These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user."

Only users who browsed a Steam page containing their personal information during that window, such as their account page or a checkout page, may have had that information revealed to other users.

Valve said it is working with its web caching partner on identifying which users had their information revealed to others, and will contact those users personally once they are identified.

The incident occurred as a result of a DoS attack that prevented store pages from being served to users. Attacks against Steam "are a regular occurrence", according to Valve, and Steam was a particularly attractive target on Christmas Day, when traffic during its holiday sale had increased by around 2,000 percent.

"In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic," Valve wrote.

"During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user."

Valve shut down the Steam Store once it identified the error, and did not bring the store back up until it had reviewed and deployed new caching configurations.
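The failure Valve describes is a shared cache that stores responses without regard to who they were generated for, so the first logged-in user's page becomes the copy served to everyone who asks for the same URL next. The model below is an added example, written for this article and not Valve's or its caching partner's configuration; the request and response types, the cookie name "session", the origin server, the user records and both cache policies are constructed for illustration. The "emergency" policy caches every response by path alone, the kind of blanket rule that cuts origin load under a flood; the "safe" policy bypasses the shared cache for any request carrying a session cookie, keys public pages on everything they vary on (here, language), and honours the origin's Cache-Control directives.

```python
"""Model of a shared (CDN) cache in front of a web store that renders personalized pages.

Everything here is constructed for illustration: the Request/Response types, the
session cookie name, the origin server, the user records and both cache policies.
None of it is Valve's or its caching partner's code or configuration.
"""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie

SESSION_COOKIE = "session"  # assumed cookie name for the illustration


@dataclass
class Request:
    path: str
    cookie: str = ""            # raw Cookie header, e.g. "session=alice"
    accept_language: str = "en"


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


# Constructed user records: what the account page renders for each session.
USERS = {
    "alice": "billing: 1 Example St; phone ends 4321; card ends 12; alice@example.test",
    "bob": "billing: 9 Sample Rd; phone ends 8765; card ends 34; bob@example.test",
}


def session_user(req):
    """Return the user named by the session cookie, or None for an anonymous request."""
    jar = SimpleCookie()
    jar.load(req.cookie)
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def origin(req):
    """Constructed origin server: a public front page and a per-user account page."""
    user = session_user(req)
    if req.path == "/account":
        if user is None:
            return Response("login required", {"Cache-Control": "private, no-store"})
        return Response(f"Account page for {user}: {USERS[user]}",
                        {"Cache-Control": "private, no-store"})
    # The front page is public but rendered in the requester's language.
    greeting = {"en": "Welcome", "de": "Willkommen"}.get(req.accept_language, "Welcome")
    return Response(f"{greeting} to the store", {"Cache-Control": "public, max-age=60"})


class EmergencyPolicy:
    """Weak setting: cache every response keyed on path alone, ignoring who asked
    and what the origin said about cacheability. Cuts origin load under a flood,
    but a logged-in user's page becomes the cached copy everyone else receives."""

    def key(self, req):
        return req.path

    def storable(self, req, resp):
        return True


class SafePolicy:
    """Corrected setting: authenticated requests bypass the shared cache entirely,
    the key includes everything the response varies on, and the origin's
    Cache-Control directives are honoured."""

    def key(self, req):
        if session_user(req) is not None:
            return None  # never serve an authenticated request from the shared cache
        return (req.path, req.accept_language)

    def storable(self, req, resp):
        cc = resp.headers.get("Cache-Control", "")
        return "private" not in cc and "no-store" not in cc


class SharedCache:
    def __init__(self, policy):
        self.policy = policy
        self.store = {}
        self.origin_hits = 0

    def fetch(self, req):
        key = self.policy.key(req)
        if key is not None and key in self.store:
            return self.store[key]
        resp = origin(req)
        self.origin_hits += 1
        if key is not None and self.policy.storable(req, resp):
            self.store[key] = resp
        return resp


def what_bob_sees(policy):
    """Alice loads her account page, then Bob loads his through the same cache."""
    cache = SharedCache(policy)
    cache.fetch(Request("/account", cookie="session=alice"))
    return cache.fetch(Request("/account", cookie="session=bob")).body


def front_page_in(policy, lang):
    """A visitor in another language hits the front page after an English one warmed the cache."""
    cache = SharedCache(policy)
    cache.fetch(Request("/", accept_language="en"))
    return cache.fetch(Request("/", accept_language=lang)).body


if __name__ == "__main__":
    print(what_bob_sees(EmergencyPolicy()))   # Bob receives Alice's account page
    print(what_bob_sees(SafePolicy()))        # Bob receives his own
    print(front_page_in(EmergencyPolicy(), "de"))  # wrong language, as in the milder cases
    print(front_page_in(SafePolicy(), "de"))
```

The two symptoms Valve lists, a front page in the wrong language and another user's account page, fall out of the same defect: a cache key that omits something the response depends on. In a real CDN the safe policy corresponds to a rule that bypasses the cache whenever a session cookie or Authorization header is present, a cache key that includes the headers named in the origin's Vary, and a refusal to override `Cache-Control: private` from the origin, even in a rule deployed under attack.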

"We will continue to work with our web caching partner to identify affected users, and to improve the process used to set caching rules going forward. We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service," Valve concluded.

Earlier in December, Valve admitted that up to 77,000 accounts each month are hijacked on Steam, with users having their digital items stolen and sold, resulting in the company implementing increased security measures.

In a statement published on December 11, Valve said the introduction of Steam Trading has increased account theft twentyfold.

"Enough money now moves around the system that stealing virtual Steam goods has become a real business for skilled hackers ... practically every active Steam account is now involved in the economy, via items or trading cards, with enough value to be worth a hacker's time," Valve noted.

"What used to be a handful of hackers is now a highly effective, organized network, in the business of stealing and selling items ... We see around 77,000 accounts hijacked and pillaged each month. These are not new or naïve users; these are professional CS:GO players, Reddit contributors, item traders, etc."

The gaming company said it has since increased account security by implementing two-factor authentication, introducing the Steam Guard Mobile Authenticator to confirm digital item trades, closing loopholes, adding self-locking features, and improving how and when it notifies users that their accounts are at risk.
