Valve finally addresses Steam’s Christmas fiasco, says a DDOS led to the caching error

    

Valve has finally addressed Steam’s Christmas caching fiasco. In an announcement today, it explains the problem: for 90 minutes on Christmas Day, people logging into the Steam store were shown cached pages containing “sensitive personal information” from other users who were also logging into the Steam store during that same period.

“The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.”

Those who didn’t log in during that timeblock are apparently safe. The company says it continues to work with its web caching partner to identify which accounts were affected — 34,000 in total — and will contact owners as it does so. “As no unauthorized actions were allowed on accounts beyond the viewing of cached page information,” Valve insists, “no additional action is required by users.”

So how did it all happen? A denial-of-service attack is at least partly to blame. During the DDoS, Valve reports,

“a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.”

Valve has apologized to those affected and for the “interruption of Steam Store service.”
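To make the failure mode in Valve's statement concrete, here is an added example (not from Valve, its caching partner, or the original article) of a toy shared cache that stores authenticated responses keyed by URL only, next to a corrected policy. The `SharedCache` class, the `origin` backend, the `session` cookie name and the sample users are all hypothetical and constructed for illustration.

```python
# Added illustration: a toy shared cache in front of a store backend.
# All names (SharedCache, origin, the "session" cookie) are hypothetical.

def origin(path, cookies):
    """Constructed backend: the account page is personalised per session."""
    user = cookies.get("session", "anonymous")
    if path == "/account":
        return {"headers": {"Cache-Control": "private, no-store"},
                "body": f"account page for {user}"}
    return {"headers": {"Cache-Control": "public, max-age=60"},
            "body": "store front page"}


class SharedCache:
    def __init__(self, cache_authenticated):
        # cache_authenticated=True models the faulty configuration:
        # responses to logged-in requests are stored and keyed by URL only.
        self.cache_authenticated = cache_authenticated
        self.store = {}

    def cacheable(self, cookies, response):
        if self.cache_authenticated:
            return True
        cc = response["headers"].get("Cache-Control", "")
        directives = {d.strip().split("=")[0] for d in cc.split(",")}
        # Corrected policy: never store authenticated traffic or anything
        # the origin marked private or no-store.
        return "session" not in cookies and not directives & {"private", "no-store"}

    def fetch(self, path, cookies):
        authenticated = "session" in cookies
        # Corrected policy also bypasses the cache on lookup for logged-in users.
        if path in self.store and (self.cache_authenticated or not authenticated):
            return self.store[path]["body"]
        response = origin(path, cookies)
        if self.cacheable(cookies, response):
            self.store[path] = response
        return response["body"]


def replay(cache):
    """Two different users request the same URL back to back."""
    first = cache.fetch("/account", {"session": "alice"})
    second = cache.fetch("/account", {"session": "bob"})
    return first, second
```

With `SharedCache(True)` the second user receives the first user's account page; with `SharedCache(False)` each user gets their own page while anonymous front-page traffic is still served from cache.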

Source: Steam
Chuki792

Ah.. so spending time with the family at Christmas and not gaming in the cave actually had some benefit this year? whodathunk? :-p

SirMysk Needs (More) Coffee, Probably

unixtimed Exactly. The original story was that it was less than an hour long and it was some little oops with configuring their caching servers. They’re trying very hard to recreate history here, and of course some were saying that they saw the last four digits of credit card numbers so that also puts cracks in Valve’s claims.

toomanywowclones

LordOfBread What about Target though…

MetaDune

unixtimed Regardless of what you “fall” for, it doesn’t really matter in the end, your info is going to get hacked anyways regardless how good the security is because of the complexity of programming and networking, there’s always going to be a hole or zero day attack somewhere

unixtimed

Uh, right. Didn’t they say before it was due to configuration change? But since shit just doesn’t go quiet it’s once again time to put the blame on a DDOS attack. Not falling for that lol

Metadirective

Maybe a reaction to Total Biscuit point of view also,

Silvercat18

I strongly suspect that saying “we were attacked” gives them some better legal defence than “we messed up” and this is just some hasty ass covering.

Karl_Hungus
Armsbend

MetaDune Ceder we are saying it might be ddos or it might not. Valve never approaches the truth.

MetaDune

Armsbend MetaDune Ceder you know how easy it is to ddos anything? Lol that’s why all those kidder scripters love doing it during Xmas week. In the end it doesn’t matter because the larger the target, the higher the chance something is going to get hacked.

Might as well delete your profile off and anything on the internet if you don’t want it to get stolen.