Valve Finally Apologizes For The Christmas Steam Fiasco

This article is more than 8 years old.

Five days after popular PC gaming store Steam went on the fritz, Valve has issued an apology and an explanation for just what went wrong.

As we reported at the time, Steam users logging into the app Christmas day were randomly finding themselves logged into other users' accounts, with a bunch of personal information exposed in the process.

After a few hours of this, Valve shut the Steam Store down temporarily until the problem was solved. Then, for nearly a week, we heard no explanation for what exactly went wrong save for a rather vague statement from the company at the time.

Now Valve has revealed what went wrong. A DDoS (or Distributed Denial of Service) attack hit Steam particularly hard as traffic was already at 2000% of its usual volume over the Christmas holiday. When one of Valve's partner companies issued a new caching configuration to help offset the effects of the attack and keep legitimate traffic flowing, something went terribly wrong.

"In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic," Valve said in a statement. "During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user."
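The failure mode Valve describes, a shared cache storing responses generated for logged-in users, can be reproduced with a toy model. The following is an added example, not Valve's or its caching partner's configuration; the `/account` path, the `session` cookie name and the header checks are assumptions chosen for illustration.

```python
# Toy shared (edge) cache in front of an origin. Everything here is constructed
# for illustration: paths, cookie name and users are assumptions.

def origin(request):
    """Origin renders /account for whoever owns the session cookie."""
    cookie = request["headers"].get("Cookie", "")
    user = cookie.split("=", 1)[1] if cookie.startswith("session=") else "anonymous"
    if request["path"] == "/account":
        return {"body": f"account page for {user}",
                "headers": {"Cache-Control": "private, no-store"}}
    return {"body": "store front page",
            "headers": {"Cache-Control": "public, max-age=60"}}

def has_credentials(request):
    """Requests carrying a session cookie or Authorization header are per-user."""
    return any(h in request["headers"] for h in ("Cookie", "Authorization"))

def response_shareable(response):
    """A response may be stored in a shared cache only if the origin allows it."""
    cc = response["headers"].get("Cache-Control", "").lower()
    return not ("private" in cc or "no-store" in cc
                or "Set-Cookie" in response["headers"])

class EdgeCache:
    def __init__(self, cache_authenticated):
        self.cache_authenticated = cache_authenticated  # True models the faulty rule
        self.store = {}

    def fetch(self, request):
        key = request["path"]  # cache key ignores who is asking
        # Corrected rule: credentialed requests bypass the cache on lookup and store.
        use_cache = self.cache_authenticated or not has_credentials(request)
        if use_cache and key in self.store:
            return self.store[key]["body"]
        response = origin(request)
        if use_cache and (self.cache_authenticated or response_shareable(response)):
            self.store[key] = response
        return response["body"]

def replay(cache_authenticated):
    """Two logged-in users request /account through the same edge node."""
    edge = EdgeCache(cache_authenticated)
    alice = {"path": "/account", "headers": {"Cookie": "session=alice"}}
    bob = {"path": "/account", "headers": {"Cookie": "session=bob"}}
    return edge.fetch(alice), edge.fetch(bob)

if __name__ == "__main__":
    print("faulty rule:   ", replay(True))
    print("corrected rule:", replay(False))
```

With the faulty rule the second user receives the page rendered for the first; with the corrected rule each authenticated request goes to the origin and nothing per-user is stored.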

Approximately 34,000 accounts were compromised between 11:50 PST and 13:20 PST, though Valve assures us that the "cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user."

If you didn't browse the Steam Store while logged into your account, then your account was not compromised, according to Valve. So if you were spending time with family instead of playing games on your PC, Santa was watching and rewarded you accordingly.

"We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward," Valve assures us. "We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service."

Five days seems like a long time to wait to make this clear to users. Certainly they needed to fully understand what was going on before informing the world. And mistakes happen when dealing with cyber attacks. But waiting five days to utter the words "We're sorry, here's what happened" seems a bit on the slow side of things, especially when users have no idea how they've been impacted or what sort of sensitive data has been exposed. Yes, it's fantastic that this isn't all cloaked in PR doublespeak. Honesty is lovely. But the silence has been deafening.

Steam is far and away the biggest digital storefront for PC gaming, with over 125 million users and over 4,500 games. I suppose when you're king of the hill, you can take your time with this sort of thing. At least 34,000 users comprise only a very tiny sliver of their total customer base.

You can read the full statement from Valve here.
