Those playing on Steam over the most festive of periods will have noticed that it kinda lost its shit, and began to show private account information of random users across the globe.
Though the problem was fixed, Valve have remained curiously tight-lipped about what the hell actually happened, only releasing a brief statement acknowledging the problem – until now.
According to the statement, around 34,000 users’ info was accidentally shown due to a “configuration error”. This only affected people who’d visited a page on the Steam store containing their personal info within a small time frame on Christmas Day. Those who did not use Steam on Christmas Day have nothing to worry about: their details are still safe.
It seems Valve has fucked up MONUMENTALLY on Christmas day. People are being logged into random Steam account
— John Bain (@Totalbiscuit) December 25, 2015
Valve say in the statement:
Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users.
So what actually did happen? Well, Valve explain that too:
Early Christmas morning (Pacific Standard Time), the Steam Store was the target of a DoS attack which prevented the serving of store pages to users. Attacks against the Steam Store, and Steam in general, are a regular occurrence that Valve handles both directly and with the help of partner companies, and typically do not impact Steam users. During the Christmas attack, traffic to the Steam store increased 2000% over the average traffic during the Steam Sale.
In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.
Steam went offline for a brief period while the problem was sorted, but there’s nothing to worry about now, and the service can be used fully for all those glorious sales. Good news all round.
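The configuration error Valve describes, a shared cache storing responses that were generated for logged-in users, can be reproduced in a toy model. This is an added example, not Valve's or its caching partner's code: the `session` cookie name, the paths and both rule functions are hypothetical, and the requests are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

def origin(req):
    # Constructed origin: /account is rendered for whoever owns the session cookie.
    user = req.cookies.get("session")
    if req.path == "/account":
        body = f"account page for {user}" if user else "login required"
        return Response(body, {"Cache-Control": "private, no-store"})
    return Response("store front page", {"Cache-Control": "public, max-age=60"})

def cache_everything(req, resp=None):
    # Weak rule: serve from and store into the cache no matter who is asking.
    return True

def cache_anonymous_only(req, resp=None):
    # Corrected rule: bypass the cache for any request carrying a session, and
    # never store a response that sets a cookie or is marked private/no-store.
    if "session" in req.cookies:
        return False
    headers = resp.headers if resp else {}
    cc = headers.get("Cache-Control", "").lower()
    return "Set-Cookie" not in headers and "private" not in cc and "no-store" not in cc

class EdgeCache:
    def __init__(self, rule):
        self.rule = rule
        self.store = {}  # keyed by URL path only, shared by every user

    def fetch(self, req):
        if self.rule(req) and req.path in self.store:   # lookup
            return self.store[req.path]
        resp = origin(req)
        if self.rule(req, resp):                        # store
            self.store[req.path] = resp
        return resp

def simulate(rule):
    edge = EdgeCache(rule)
    edge.fetch(Request("/account", {"session": "alice"}))
    bob_sees = edge.fetch(Request("/account", {"session": "bob"})).body
    edge.fetch(Request("/"))  # anonymous front page, safe to share
    return bob_sees, sorted(edge.store)
```

With the weak rule the second user is handed the first user's account page; with the corrected rule only the anonymous front page ever lands in the shared cache.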