TR Member Perks!

Valve and Steam have both been a pretty big topic in the news over the past few weeks, and the news hasn’t been all that great.

If you were online last Christmas day you may have noticed the Steam store was having issues in both the application’s browser and the internet browser when loading information about games. Apparently, the issue was bigger than that as many users found themselves able to access information in other users accounts. The information ranged from wishlists to email addresses and mobile phone numbers.

Valve’s initial canned response about this problem being a “caching issue” has been met with much dismay. We even covered the issue with the response earlier this week.

Fortunately, Valve has taken the time to give an actual detailed response on the Steam Blog, which goes over the specifics of what happened and how it happened.

According to the blog, and following along with what we already know, a “…configuration error resulted in some users seeing Steam Store pages generated for other users.” These Steam Store pages had the potential to display variety of information including “…the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address”, but no full credit card data or passwords.

Those who weren’t browsing the Steam Store during the time period it was down can breathe a sigh of relief. Your information was never cached within that time frame, therefore you won’t have to worry that someone may have seen it.

Now on to the how…this is where it gets interesting.

The blog says that on Christmas morning, the Steam Store became the focus of a DOS attack (not to be confused with a DDOS attack), which created the havoc with the store pages. The traffic directed at the Steam Store increased by “2000% over the average traffic“.

Apparently these kinds of attacks are a “regular occurrence”, which has forced Steam to rely on specific caching configurations provided by a third party web caching service.

Unfortunately, that’s where things went wrong. During the second wave of the DOS attack, a second caching configuration was used and “incorrectly cached web traffic for authenticated users.” This led to the information being presented to users who were already logged in.

Once the error was identified, the Steam Store was shutdown until the caching configuration was removed and replaced.

While this Steam blog post provides a reason for the events that led up to a number of users personal information being displayed online, it may not satisfy those who feel they’ve lost trust in Steam’s ability to protect their private information. Whether things will be affected in the long run remains to be seen.

What do you think? Is Valve taking this issue too lightly, or was their response genuine enough to alleviate concern?


Jon Schear

Staff Writer

Graphic and web designer by day, amateur digital artist/illustrator and writer for Techraptor by night. When I’m not doing any of those things, you can find me getting extremely angry in WoW as I watch my Moonkin get killed multiple times in PVP or drinking scotch.



  • webkilla

    TotalBiscuit just released a scathing response to this ‘coming clean’ – he ain’t happy…. and to be frank, then his reasons for that seem quite sound. People might not have been able to alter people’s accounts, or buy games on other people’s accounts, but you could access the purchase confirmation pages of people, which gives your name, address and phone number IIRC.

    That’s prime doxing information – hell, it is doxxing – and like TB seemed to say: If a class action suit comes out against Valve because of this, due to injuries derived via swatting commited via this doxxing information… then he really wouldn’t be surprised

  • Crizzyeyes

    Honestly, I’ve become jaded to the whole doxxing thing. Anyone can type your name in the white pages and find the same information displayed on that Steam page. If someone really wanted ypur name and address, there really isn’t much you can do to stop them other than move off the grid. I think Valve realizes this.

  • I’m sort of the same feeling at this point. Doxxing has become a huge buzzword too, which doesn’t help for it being thrown around for every little occurrence of information being released.

    I also agree it’s almost impossible to avoid.

    However, the release of private information is still fresh in peoples minds since Snowden. Whether this issue with the Steam Store is small or big, it doesn’t change the fact that it’s fanned the flames.

  • Travis

    I think there really has been a huge overreaction.

    It’s not like Valve dumped 100,000 people’s addresses into a list and sent them out to mass mailers. So some confused dude in Italy may have stumbled on my address while trying to check out. Oh well.

    The odds of this error putting my personal information into the hands of somebody with the means and ability to misuse it are astronomically small.

  • webkilla

    I get what you mean – for most people that kind of stuff is largely irrelevant, since there’s nobody after them or anything

    But SWATing is a very real thing these days – and its very difficult to defend against unless you actually know that you’re about to be SWATed, and its kinda rare to get advanced notice on those things.

    That’s part of TB’s main issue with the leak: When your home address goes out on the internet, you can get SWATed and the only remedy is to up and move at that point

  • GrimFate

    My password and credit card information weren’t exposed? My games library and inventory are as I left them? Unless someone comes forward and exposes this as serious negligence on Valve’s part (which I highly doubt is the case), then I’m going to assume that this was simple mistake that could happen to anyone, and keep my faith in Valve. Once my credit card details or password are leaked, then I will consider joining in with the pitchfolks and torches.

    Suppose a heads up from Valve would have been nice too, though.

  • Ahhh good point.

  • webkilla

    There have been people who got killed because of SWATing

    http://www.theblaze.com/stories/2015/07/16/swatting-prank-ends-horribly-for-victim-and-he-has-the-injury-to-prove-it/

    http://www.salon.com/2014/06/24/a_swat_team_blew_a_hole_in_my_2_year_old_son/

    – here the SWAT team tossed a flash bang into the room they thought the ‘perp’ was in.

    – it landed in the crib of a 2yr old

    – it burned a hole in the kid’s chest, leaving rib bone exposes

    (the kid lived through it…)

    http://bearingarms.com/ex-marine-swatted-black-shopper-death-walmart-changes-story/

    – an ex-marine calls the cops on a black man who was playing around with a toy gun at a walmart

    http://bearingarms.com/12-yo-swatted-death-cleveland-park-playing-airsoft-gun/

    – link name says it all

    People calling the cops on people they don’t like is the new hotness. Amp it up to get a SWAT team called in. Say you’re holding your family hostage, that you’re going to kill yourself and your children… they’ll come in guns blazing to stop you.

    …its only been prevented once AFAIK, when the victim was alerted via social media because the swatters were coordinating their actions via twitter