Steam, the online game store, delivered users anything but a Merry Christmas when last-minute shoppers found themselves directed to other users’ accounts, giving them access to other people’s personal information such as email addresses, credit card information and home addresses. Gaming community websites were abuzz with frustrated users, and Valve, Steam’s creator, did little to assure users it was getting the malfunction under control.
The service was back to normal late in the day, but as of Saturday evening, many users were not satisfied the matter was handled properly and worried that many people’s personal information was compromised.
As of 7:45 p.m. Eastern Standard Time Saturday, there was nothing about the problem on Steam’s website, nor on Valve’s.
Users Find Themselves On Strange Pages
Some Steam users were landing on foreign language landing pages, according to Forbes and other news websites. Others found themselves only able to log into a limited number of accounts when they tried to sign in, refresh the page or navigate to a different page. Users were trying to log into their accounts to delete personal information to protect themselves.
At 12:50 p.m. on Christmas day, Steam Database, a user website, encouraged users not to use the Steam website.
Many users wondered why Steam had not taken the store offline. Many were frightened by seeing other users’ personal information.
Steam Database reminded users it was not affiliated with Steam. It noted it had not heard from Valve in an official capacity.
Steam Database said it suspected a caching misconfiguration caused Steam to incorrectly send users to cached pages that it intended for a single user. It noted that users’ private information was at risk.
Steam Database said the problem was not a DDoS attack or a hack. It was rather a misconfiguration in a Valve caching layer.
The user website urged users not to store billing information on the Steam store. It said Valve has repeatedly proven it is unable to maintain security standards at a high level.
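The class of failure Steam Database describes, a shared cache handing one user's page to another, can be reproduced in a few lines. This is an added illustration, not code from the article or from Valve; the paths, user names and the `Cache-Control` policy shown are constructed assumptions, since Valve's actual configuration is not described here.

```python
# Added illustration: a shared cache in front of an origin that renders
# per-user pages. All names, paths and sample users are constructed.

def origin(path, session):
    """Origin server: /account is rendered for the logged-in session."""
    if path == "/account":
        body = f"Account page for {session}: email={session}@example.test"
        return {"headers": {"Cache-Control": "private, no-store"}, "body": body}
    return {"headers": {"Cache-Control": "public, max-age=60"},
            "body": "Store front page"}


class NaiveCache:
    """Misconfigured: keys on path only and stores every response."""
    def __init__(self):
        self.store = {}

    def get(self, path, session):
        if path not in self.store:
            self.store[path] = origin(path, session)
        return self.store[path]["body"]


class SafeCache(NaiveCache):
    """Stores a response only if the origin marked it as shareable."""
    def get(self, path, session):
        if path in self.store:
            return self.store[path]["body"]
        resp = origin(path, session)
        cc = resp["headers"].get("Cache-Control", "")
        directives = {d.strip().split("=")[0].lower() for d in cc.split(",")}
        # Fail closed: anything not explicitly public is passed through uncached.
        if "public" in directives and not directives & {"private", "no-store"}:
            self.store[path] = resp
        return resp["body"]


def leaked(cache):
    """Return True if bob is served the page generated for alice."""
    cache.get("/account", "alice")
    return "alice" in cache.get("/account", "bob")


if __name__ == "__main__":
    print("naive cache leaks:", leaked(NaiveCache()))
    print("safe cache leaks:", leaked(SafeCache()))
```

Note that login protections do not help in the naive case: the second user never authenticates as the first, the cache simply replays a page that was already rendered.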
At 4:32 p.m., Valve shut down the Steam store and community sites, Forbes reported.
At 4:51 p.m., SkidNP, a hacking group, launched a DDoS attack against Steam, as it had promised to do over Christmas, Forbes reported. But it was not clear if that attack was responsible for the problems users had reported earlier.
Troy Hunt, a security expert, told Forbes the two attacks could be related. There have been other cases where environments under heavy load suffered management problems and assigned identities to the wrong person, Hunt said. He said it would be “enormously coincidental” for both issues to occur simultaneously and not be related.
6:05 P.M.: Kotaku Reports Progress
At 6:05 p.m., Kotaku.com, a game site, said Steam was allowing users to log in, and the user information was correct, although Steam provided no official word on Valve.
Later in the day, Valve sent statements to Kotaku.com and Gamespot.com, another gaming website.
At 8:25 p.m., Kotaku reported that Steam was restored to normal.
Gamespot at 9:36 p.m. reported that as a result of a configuration change early in the day, Valve said a caching issue caused some users to randomly see pages created for other users for less than an hour, but the issue was resolved. Valve said it does not believe any unauthorized actions occurred on accounts other than the viewing of cached page information.
Forbes said the exposed information was serious, and Valve was trying to understate the seriousness. Forbes noted there was not anything said about it on their official Twitter channels.
Steam’s Twitter support hasn’t mentioned the problem.
Forbes: Timing Suspicious
The timing of the attack was suspicious in light of attacks on PSN and Xbox Live on Christmas, Forbes noted.
Writing on Gamespot, videogame writer Chris Pereira said it was unclear what happened. He said users were allowed to see Steam Wallet money, purchase history and other persons’ email addresses. Two tools for protecting one’s Steam account, Steam Guard and Steam Mobile Authenticator, appeared to be ineffectual for preventing these mishaps.
Pereira said there was no evidence hackers were causing the problem.