Valve issues statement about Christmas Day Steam kerfuffle
Following a major security disaster on Christmas Day, Valve has responded directly to Steam users.
On Christmas Day, Steam had one of its worst days ever, with users able to see sensitive account information of other Steam users. That led to people being able to see Steam libraries, Wallet information, and even email addresses. While Valve issued a vague statement to the gaming press, it had yet to address the Steam user base directly. Today, the company explained to the users exactly what happened.
The following was posted on Steam, noting that what happened was not the direct result of a DDoS attack, but rather resulted from a response to a DDoS attack:
On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.
The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.
If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user.
Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users.
Early Christmas morning (Pacific Standard Time), the Steam Store was the target of a DoS attack which prevented the serving of store pages to users. Attacks against the Steam Store, and Steam in general, are a regular occurrence that Valve handles both directly and with the help of partner companies, and typically do not impact Steam users. During the Christmas attack, traffic to the Steam store increased 2000% over the average traffic during the Steam Sale.
In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.
Once this error was identified, the Steam Store was shut down and a new caching configuration was deployed. The Steam Store remained down until we had reviewed all caching configurations, and we received confirmation that the latest configurations had been deployed to all partner servers and that all cached data on edge servers had been purged.
We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward. We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service.
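The failure Valve describes is a shared edge cache that stopped distinguishing authenticated responses from public ones: once one user's account page was stored under a key that only looked at the URL, every later request for that URL got that page, and a front page cached in one language was served to visitors asking for another. The following Python model is an added example, not Valve's or its caching partner's configuration; the origin, session table, users and cache policies are all constructed for illustration. It runs the same sequence of requests through a permissive "cache every 200" rule keyed on path alone and through a corrected rule that honours Cache-Control: private/no-store, refuses to cache requests carrying a session cookie, and keys variants on the response's Vary header.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


# Constructed session table standing in for the origin's real session store.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def origin(req: Request) -> Response:
    """Toy origin: a public front page plus a per-user account page."""
    user = SESSIONS.get(req.cookies.get("session"))
    if req.path == "/account":
        if user is None:
            return Response(302, "login required", {"Cache-Control": "no-store"})
        # Per-user content: the origin tells shared caches not to store it.
        return Response(200, f"account page for {user}",
                        {"Cache-Control": "private, no-store"})
    lang = req.headers.get("Accept-Language", "en")
    return Response(200, f"front page [{lang}]",
                    {"Cache-Control": "public, max-age=60",
                     "Vary": "Accept-Language"})


def permissive_policy(req: Request, resp: Response) -> bool:
    """Emergency load-shedding rule: store every 200 so the origin sees fewer
    requests. It ignores cookies and Cache-Control, so authenticated
    responses end up in the shared cache (the misconfiguration modelled here)."""
    return resp.status == 200


def safe_policy(req: Request, resp: Response) -> bool:
    """Corrected rule: never store per-user or explicitly uncacheable responses,
    and never store anything generated for a request carrying a session."""
    cc = resp.headers.get("Cache-Control", "")
    if "no-store" in cc or "private" in cc:
        return False
    if "session" in req.cookies:
        return False
    return resp.status == 200


class EdgeCache:
    """Minimal shared cache: entries are stored per path as a list of
    (vary_values, response) variants. With honor_vary=False the variant
    dictionary is always empty, so the first stored response matches everyone."""

    def __init__(self, policy, honor_vary: bool):
        self.policy = policy
        self.honor_vary = honor_vary
        self.entries = {}
        self.origin_hits = 0

    def fetch(self, req: Request) -> Response:
        for vary_values, resp in self.entries.get(req.path, []):
            if all(req.headers.get(h, "") == v for h, v in vary_values.items()):
                return resp  # cache hit
        resp = origin(req)
        self.origin_hits += 1
        if self.policy(req, resp):
            vary = [h.strip() for h in resp.headers.get("Vary", "").split(",") if h.strip()]
            vary_values = {h: req.headers.get(h, "") for h in vary} if self.honor_vary else {}
            self.entries.setdefault(req.path, []).append((vary_values, resp))
        return resp


def simulate(cache: EdgeCache) -> dict:
    """Alice views her account page and an English visitor loads the front page;
    then Bob asks for his account page and a German visitor for the front page."""
    alice = Request("/account", cookies={"session": "sess-alice"})
    bob = Request("/account", cookies={"session": "sess-bob"})
    en = Request("/", headers={"Accept-Language": "en"})
    de = Request("/", headers={"Accept-Language": "de"})
    cache.fetch(alice)
    cache.fetch(en)
    return {"bob_sees": cache.fetch(bob).body, "de_sees": cache.fetch(de).body}


def run_misconfigured() -> dict:
    return simulate(EdgeCache(permissive_policy, honor_vary=False))


def run_corrected() -> dict:
    return simulate(EdgeCache(safe_policy, honor_vary=True))


if __name__ == "__main__":
    print("misconfigured:", run_misconfigured())
    print("corrected:    ", run_corrected())
```

Under the permissive rule Bob is shown "account page for alice" and the German visitor gets the English front page, which are the two symptoms the statement lists. Under the corrected rule both the origin's `private, no-store` header and the presence of a session cookie keep account pages out of the shared cache, and the `Vary` handling keeps language variants apart, while anonymous front-page traffic is still absorbed at the edge.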
-
Ozzie Mejia posted a new article, Valve issues statement about Christmas Day Steam kerfuffle
-
they released a statement to media. sorry it didn't live up to your expectations or land in the place you thought proper. maybe you should delete steam in protest.
basically, the very small vocal minority that has a beef about this wouldn't even hurt them if they all stopped buying today. they, like any business, are addressing their largest consumer base.
how much credence do you think microsoft would give a 2% userbase of abrasions not happy with their edge use cases? you're that userbase right now. this was a breach classified as 'minor' and received the appropriate response.
you work software, right? how do you not understand that security bugs or any bugs in general are classified based on risk, impact, and business value?
-
I do understand and the *only* thing I'm asking for is that they told the people who were asking questions that they were investigating instead of the hand waving statement that they issued.
They didn't have to send an email to everyone with an account saying something happened. Personally, I would have liked to see an official blog post stating that something happened and they were investigating. But I would have been happy with the replies to the forum posts and news inquiries saying that they were investigating and would provide further updates.
The "It was a configuration issue and it's fixed now" response that they had was in no way sufficient.
-
You should NEVER say what you think it is until you're sure. If you say you think it's X but it turns out to not be X, then people will complain about X for years. People will discuss how your system failed because of X. Whatever X is, it will never, ever be forgotten. No matter how many posts you put up saying how it WASN'T X, that won't stop people from writing about how you fucked up X.
-
I never said they had to say WHAT happened. They just had to say SOMETHING happened and that they were looking into it.
http://www.shacknews.com/article/92647/steam-bug-causing-user-account-information-to-appear-to-other-customers-update-valve-responds
See Update 3.
If that statement was on their site with one more sentence at the end saying "We are investigating the issue and will respond with more information when we have completed the investigation" I wouldn't have had any issue.
As the (only) software programmer for a GPS tracking company that deals with 2k+ trucks carrying millions of dollars in goods, I have to TOTALLY agree with you on that. Besides, unless actual credit card information was displayed or there was a massive outage for more than a couple of hours, pasting that kind of news all over your business on your most profitable week of the year will only make your income drop to zero for weeks, even if the problem is already fixed, or only affected a small amount of customers to start with.
-
Fuck the guys who make Valve devs spend Christmas holidays at the office, deflecting attacks.
Even if the devs who are doing the work don't celebrate Christmas, they are likely in the Pacific Northwest which is cold and wet.
They better not give up and sell Steam to Microsoft for 2 billion dollars so it can be used in AR demos to hype Windows 11.