Update: 9:20 PM EST: Valve has released a statement to Gamespot, saying that it was not a hack but instead a cache issue as was guessed by some earlier, and that there is no additional action required by users. Here is what was said:
“Steam is back up and running without any known issues,” a Valve spokesperson told GameSpot. “As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.”
Update: 6:36 PM EST: As of now, Steam appears to be back up and functioning properly – with you only accessing your own account again and the shop is functioning again. As of now, neither of the official Steam twitter accounts have posted an explanation nor has there been anything beyond what their Community Moderator has posted.
While some users are reporting issues with logging in, this is likely a delay or an issue with their cache. My testing with it has shown no issues logging in or other issues with Steam at this time.
If any purchases were made on your account, you should refund them and make sure to check all your information in general. If there are any unexplained expenditures on your credit card or Paypal in the coming days make sure to report them and keep an eye on everything.
Hopefully Valve will take the time to do the unusual for them and actually explain what happened to everyone as after a fail of this magnitude, they need to communicate with users what happened, what is being done to remedy it and the whole situation. Even if no other payment information happened or a hack as they claim did not occur, the privacy loss there in many areas is unacceptable, and Valve’s usual silence isn’t an appropriate response.
Update: 5:18PM EST: Steam has posted an update on their community site (which they seem to have partially re-opened) about the situation, confirming that it is not a security breach. It comes from Community Moderator Killah Instinct and I’ve copied it here for your ease and security (note though the community site is a different one from the store website)
We’ve gotten reports that people sometimes see other people’s account information on the account page. Valve has been made aware of this and are working on a fix.
Some frequently asked questions:
– No, Steam is not hacked
– Creditcard info and phone numbers are, as required by law, censored and not visible to users
Whether through a hack, or major server issue, it appears that Valve’s Steam platform is going through some major issues right now, as many users have noted. The problem appears to be that in essence the Steam website was having users log into random accounts on a rotating basis and showing as them – having you access that user’s wishlist, showing it in their language and other things.
Now, which happened as working on the story, it appears that Valve have turned their website completely offline and users cannot access the store in any way. You can still through the client get to your games and friends, but the community, store and other online store elements are completely offline.
This isn’t directly affecting the Steam client in the portions that are not loading the website – so you can load your games or talk with friends via that without issue. However, the store and various other things are impacted by it, and there are some concerns that have to be addressed.
The first thing to note is that Valve seems to be on the case. Since I began investigating this a little while back there have been some changes, and in particular you can no longer see account details. For a while, account details were visible to whoever was on the account as ‘normal’ only with different users showing. This meant that information such as your name, part of your phone number, part of your credit card number, and email address were all vulnerable. However, Valve has taken this offline and users can currently not access account details.
As for purchases, Valve has taken their purchasing servers offline, and are not allowing users to purchase anything. While it is possible (and perhaps even likely) some purchases were made before that happened, as of now there is no need to be concerned of some random stranger getting on your account and spending hundreds of dollars with your stored payment information.
While SteamDB is reporting that it is not a security breach, it is highly advised that users make sure to change their passwords and ensure that they turn on other security options in the future such as SteamGuard to protect your account as much as possible. In the next few days keep an eye on your credit card information and bills and any accounts that might have similar passwords (especially emails, given people could see that) should be changed as well. Other than being vigilant, right now there’s not much you can do other then waiting for Valve to fix their software and hope that it is indeed just an issue with page caching.
Also, stay off Steam if you have not been on it right now, and don’t load any new information into anything if you get some sort of site claiming to be Steam.
By the way, this is not a security breach. This is page caching gone rogue. Most likely not respecting Cache-Control headers.
— Steam Database (@SteamDB) December 25, 2015
At this time, Valve has not issued any statements about the situation and their support has not answered any questions on it.
As one might expect given it’s Christmas, there’s been a lot of talk from users who were expecting to purchase things with newly given Steam Cards or money that they received. The discussion dominates r/Steam right now, neogaf has a thread on it, as does r/games.
We’ll keep you up to date on any information as it comes out.