Valve has revealed that its Steam store was struck with a DDoS (Distributed Denial of Service) attack on Christmas, an attack which ultimately led to the exposure of thousands of users’ account data among the gaming community.
The most popular PC gaming store of them all ran into trouble recently, on Christmas of all days. Steam users were able to see other users’ account data, including phone numbers, email addresses, purchase histories and even partial credit card details. Confusion predictably reigned for about 90 minutes, between 2:50 PM and 4:20 PM on Christmas Day. The glitch affected the personal information of 34 thousand users, which may have been seen by other users.
In a public post, Valve has revealed that the Steam Store was the target of a DDoS attack early Christmas morning. While such attacks are a regular occurrence, this particular attack saw traffic increase by 2000% compared to the average traffic during the Christmas Steam sale, a time when gamers look for bargains.
In response to this attack, Steam’s web caching partner deployed caching rules to mitigate the DDoS and keep the store operating by allowing legitimate traffic to flow through to the website. During the second wave of the attack, however, a second caching configuration was deployed that resulted in authenticated users being able to view cached web traffic, including pages generated for other users. It was this configuration error, prompted by the DDoS attack, that was the culprit.
“Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user,” Steam revealed.
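The failure mode described above can be reproduced with a toy shared cache. The following is an added illustration, not the configuration used by Valve or its caching partner (which the post does not give); the `Request`, `EdgeCache` and `replay` names and the sample traffic are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    path: str
    lang: str = "en"
    session: Optional[str] = None  # constructed stand-in for a login cookie

def origin(req: Request) -> str:
    """Constructed origin: the body depends on language and on who is logged in."""
    if req.path == "/account":
        return f"[{req.lang}] account details for {req.session}"
    return f"[{req.lang}] store front page"

class EdgeCache:
    """Toy shared cache; `safe` switches between the two rule sets."""
    def __init__(self, safe: bool):
        self.safe = safe
        self.store: dict = {}

    def key(self, req: Request):
        # Weak rule: URL path only. Safe rule: every input that changes the body.
        return (req.path, req.lang) if self.safe else req.path

    def bypass(self, req: Request) -> bool:
        # Safe rule: a request carrying a session never reads or writes the shared cache.
        return self.safe and req.session is not None

    def fetch(self, req: Request) -> str:
        if self.bypass(req):
            return origin(req)
        k = self.key(req)
        if k not in self.store:
            self.store[k] = origin(req)
        return self.store[k]

def replay(safe: bool) -> list:
    """Replay the same constructed traffic through one cache instance."""
    edge = EdgeCache(safe)
    traffic = [
        Request("/", lang="de"),
        Request("/", lang="en"),
        Request("/account", session="alice"),
        Request("/account", session="bob"),
    ]
    return [edge.fetch(r) for r in traffic]

if __name__ == "__main__":
    for safe in (False, True):
        print("safe rules:" if safe else "weak rules:", replay(safe))
```

With the weak rules the second visitor gets the German front page and "bob" receives the account page cached for "alice"; with the safe rules every request gets its own response.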
A new caching configuration was deployed soon after the error was identified, following a complete shut-down of the Steam store.
Valve also noted that it is currently in the process of identifying every affected user. Upon completion of the task, the company notes that it will contact every user. Despite the faux pas, Valve insists that there is no risk of identity theft or fraud, noting that no unauthorized actions took place. Furthermore, Valve claimed “no additional action is required by users.”