Valve has finally addressed Steam’s Christmas caching fiasco. In an announcement today, it explains the problem: that for 90 minutes on Christmas day, people logging into the Steam store were shown cached pages containing “sensitive personal information” from other users who were also logging into the Steam store during that same period.
“The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.”
Those who didn’t log in during that 90-minute window are apparently safe. The company says it continues to work with its web caching partner to identify which accounts were affected — 34,000 in total — and will contact owners as it does so. “As no unauthorized actions were allowed on accounts beyond the viewing of cached page information,” Valve insists, “no additional action is required by users.”
So how did it all happen? A denial-of-service attack is at least partly to blame. During the DDoS, Valve reports,
“a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.”
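The failure Valve describes is a shared cache storing responses to authenticated requests and then serving them to whoever asks for the same path next. The simulation below is an added example, not Valve's or its caching partner's configuration: it models a tiny store origin behind a cache and compares an "ignore cookies, cache everything" policy with one that bypasses the cache for authenticated requests and honours Cache-Control: private / no-store. The users, session cookies and page bodies are constructed for the demonstration.

```python
"""Added example (not code from Valve or its caching partner): a minimal model of
a shared HTTP cache in front of a web store, showing how caching responses to
authenticated requests leaks one user's account page to another, and how a
correct cache policy prevents it. All users, sessions and pages are constructed."""

from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Request:
    path: str
    cookie: Optional[str] = None  # session cookie of a logged-in user, if any


@dataclass
class Response:
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


# Constructed session table for the toy origin.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def origin(req: Request) -> Response:
    """The store's origin server: the account page is personal, the front page is public."""
    if req.path == "/account":
        user = SESSIONS.get(req.cookie)
        if user is None:
            return Response("login required", {"Cache-Control": "no-store"})
        # Personalised content is explicitly marked as not shareable.
        return Response(f"account page for {user}: billing address, purchase history",
                        {"Cache-Control": "private, no-store"})
    # Public front page: safe for a shared cache to keep.
    return Response("store front page", {"Cache-Control": "public, max-age=60"})


class Cache:
    """A shared cache keyed on request path only (as a CDN edge might be)."""

    def __init__(self, ignore_auth: bool):
        # ignore_auth=True models the incorrect configuration: every response is
        # stored regardless of cookies or Cache-Control directives.
        self.ignore_auth = ignore_auth
        self.store: Dict[str, Response] = {}
        self.hits = 0

    def cacheable(self, req: Request, resp: Response) -> bool:
        if self.ignore_auth:
            return True
        if req.cookie is not None:
            return False  # never store a response generated for an authenticated user
        cc = resp.headers.get("Cache-Control", "")
        return "private" not in cc and "no-store" not in cc

    def get(self, req: Request) -> Response:
        key = req.path
        if key in self.store:
            self.hits += 1
            return self.store[key]
        resp = origin(req)
        if self.cacheable(req, resp):
            self.store[key] = resp
        return resp


def run_scenario(ignore_auth: bool) -> dict:
    """Replay the incident pattern: two logged-in users load /account in the same window."""
    cache = Cache(ignore_auth)
    cache.get(Request("/account", cookie="sess-alice"))          # Alice loads her account page
    bob_sees = cache.get(Request("/account", cookie="sess-bob")).body  # Bob loads *his*
    cache.get(Request("/"))                                        # anonymous visitor, front page
    front = cache.get(Request("/")).body                           # second anonymous visitor
    return {"bob_sees": bob_sees, "front_page": front, "cache_hits": cache.hits}


if __name__ == "__main__":
    print("misconfigured:", run_scenario(ignore_auth=True))
    print("corrected:    ", run_scenario(ignore_auth=False))
```

Under the misconfigured policy Bob's request for /account is a cache hit that returns Alice's page, which is the class of cross-user exposure the announcement describes; under the corrected policy only the public front page is ever stored, so the cache still absorbs anonymous traffic during a flood but personalised responses always go back to the origin. In production the same two controls appear as a proxy or CDN rule that bypasses the cache when a Cookie or Authorization header is present, plus the origin marking personalised pages with Cache-Control: private or no-store so that a later configuration change cannot silently make them shareable.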
Valve has apologized to those affected and for the “interruption of Steam Store service.”