Valve and Steam have both been a pretty big topic in the news over the past few weeks, and the news hasn’t been all that great.
If you were online last Christmas Day you may have noticed the Steam store was having issues in both the application’s browser and the internet browser when loading information about games. Apparently, the issue was bigger than that, as many users found themselves able to access information in other users’ accounts. The information ranged from wishlists to email addresses and mobile phone numbers.
Valve’s initial canned response about this problem being a “caching issue” has been met with much dismay. We even covered the issue with the response earlier this week.
Fortunately, Valve has taken the time to give an actual detailed response on the Steam Blog, which goes over the specifics of what happened and how it happened.
According to the blog, and following along with what we already know, a “…configuration error resulted in some users seeing Steam Store pages generated for other users.” These Steam Store pages had the potential to display a variety of information including “…the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address”, but no full credit card data or passwords.
Those who weren’t browsing the Steam Store during the time period it was down can breathe a sigh of relief. Your information was never cached within that time frame, so you won’t have to worry that someone may have seen it.
Now on to the how…this is where it gets interesting.
The blog says that on Christmas morning, the Steam Store became the focus of a DoS attack (not to be confused with a DDoS attack), which created havoc with the store pages. The traffic directed at the Steam Store increased by “2000% over the average traffic”.
Apparently these kinds of attacks are a “regular occurrence”, which has forced Steam to rely on specific caching configurations provided by a third-party web caching service.
Unfortunately, that’s where things went wrong. During the second wave of the DoS attack, a second caching configuration was used and “incorrectly cached web traffic for authenticated users.” This led to the information being presented to users who were already logged in.
Once the error was identified, the Steam Store was shut down until the caching configuration was removed and replaced.
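To make the failure mode concrete, here is a constructed model of a shared cache sitting in front of a store, added as an illustration and not taken from Valve’s post or from any caching vendor’s product. The origin function, the `session` cookie name, the paths and the users are all assumptions; the faulty setting stores every response by URL alone, while the corrected one refuses to store or serve cached pages for logged-in users.

```python
# Constructed model of a shared edge cache; not Valve's or any vendor's real configuration.
def origin(path, cookies):
    """Hypothetical origin: renders a personalised page when a session cookie is sent."""
    user = cookies.get("session")
    if user:
        return {"body": f"{path} for {user}: email {user}@example.test",
                "cache_control": "private, no-store"}
    return {"body": f"{path} for anonymous visitor",
            "cache_control": "public, max-age=60"}


class EdgeCache:
    def __init__(self, respect_auth):
        self.respect_auth = respect_auth  # False models the faulty configuration
        self.store = {}                   # keyed by URL path only

    def _may_store(self, cookies, resp):
        if not self.respect_auth:
            return True  # weak: every response is cached, whoever it was rendered for
        directives = resp["cache_control"].lower()
        if "session" in cookies:
            return False  # never store a page generated for a logged-in user
        return "private" not in directives and "no-store" not in directives

    def handle(self, path, cookies):
        bypass = self.respect_auth and "session" in cookies
        if not bypass and path in self.store:
            return self.store[path]  # served from cache without contacting origin
        resp = origin(path, cookies)
        if self._may_store(cookies, resp):
            self.store[path] = resp
        return resp


def replay(cache):
    """Constructed traffic: alice loads /account, then bob requests the same URL."""
    cache.handle("/account", {"session": "alice"})
    return cache.handle("/account", {"session": "bob"})["body"]


if __name__ == "__main__":
    print("faulty   :", replay(EdgeCache(respect_auth=False)))
    print("corrected:", replay(EdgeCache(respect_auth=True)))
```

With the faulty setting the second visitor receives the page rendered for the first; with the corrected setting anonymous pages are still cached, so the cache keeps absorbing load during a traffic spike.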
While this Steam blog post provides a reason for the events that led up to a number of users’ personal information being displayed online, it may not satisfy those who feel they’ve lost trust in Steam’s ability to protect their private information. Whether things will be affected in the long run remains to be seen.
What do you think? Is Valve taking this issue too lightly, or was their response genuine enough to alleviate concern?