UPDATE W/ VALVE’S OFFICIAL STATEMENT: “Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.”
So yeah, as I said it looks like no purchases went through and your credit card info should be safe. However, this does still mean that your name/address may have been exposed to someone, somewhere, if you were the unlucky person whose information was cached.
If Valve releases a more detailed/technical statement we’ll be sure to keep you updated.
UPDATE, 3:40 PM PST: Steam seems intermittently back and the caching issue resolved, according to a Steam community moderator. That’s…sort of an official message from Valve, meaning you should be safe to use the service again. We’ll let you know if Valve releases a lengthier explanation or a more official statement.
ORIGINAL STORY:
Christmas and “major issues with online gaming services” go hand-in-hand at this point, so it was with little surprise I awoke this morning to a Steam seemingly crippled by DDOS attacks. Business as usual, I guess.
But I didn’t expect the problem to become much, much worse before the day was out. Like, “huge security flaw” worse. Due to some sort of page-caching error, users are now reporting they’ve been mysteriously logged into other people’s Steam accounts, with all of the user information stored. Threads on Reddit are titled “I’m logged in as someone random on Steam?” and “Signed into a random stranger’s account. I can see their email, address, etc.”
Others, like IGN’s Ben Janca [Disclosure: A friend of mine] report that purchases have even been charged to their account, seemingly by other people. [UPDATE: While some seemed to see charges going through from other people, the charges apparently only showed up in Steam. No purchases (as far as I know) made it through to banks/PayPal. You should be safe, although your name/address might still have been revealed to others.]
I AM ACTUALLY KINDA FREAKING OUT RIGHT NOW, SOMEONE, SOMEWHERE HAS MY STEAM ACCOUNT.
— Ben (@BenJanca) December 25, 2015
AW FUCK, SOMEONE ACTUALLY BOUGH SHIT ON MY STEAM ACCOUNT
— Ben (@BenJanca) December 25, 2015
@BenJanca APPARENTLY IT DIDNT REMOVE MY PAYMENT INFO FROM MY ACCOUNT EITHER, HOLY SHIT ALL THESE CHARGES.
— Ben (@BenJanca) December 25, 2015
So yeah, it’s a huge mess. Steam seems to be down at the moment, so hopefully Valve’s taking care of the issue. The best thing you can do though? Go about your day. Don’t check your Steam account. Don’t try to unlink your credit card. Do nothing.
That’s the paradoxical problem with caching errors—trying to check on anything actually opens you up to more risk. Hopefully you’ve set up Steam to alert you if anything is purchased, which should help you keep an eye on things remotely. But otherwise? Stay away from Steam today.
We’ll keep you updated on both Steam’s status and if we hear anything from Valve about today’s issues.