Steam confirms DDoS attack on Christmas Day, says the attack leaked 34,000 user accounts
Steam, the world’s most popular gaming platform, has confirmed that its servers suffered a massive denial-of-service (DoS) attack on Christmas Day. It also said that the DoS attack had caused around 34,000 users to have their sensitive personal information leaked.
Readers and gamers may remember that Steam servers were down on Christmas Day between 11.50am PST and 1.20pm PST. At that time, many sources tried to dispel the DoS attack fears and sought to blame the outage on a “configuration error.”
However, according to the statement released by Steam, its servers had indeed been blasted with a DoS attack, and the attack allowed some users to see Steam Store pages that had been generated for other users.
“The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address,” Valve explained in a statement on its website.
“These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.”
The statement also said that only those users who browsed a Steam page containing their personal information during the time of the attack could have seen account information of other Steam users. While the users who suffered the information leak are yet to be ascertained, Valve said it is working with its web caching partner to identify which users had their information revealed to others, and will contact those users personally once they are identified.
Attacks against Steam “are a regular occurrence”, according to Valve. Steam had been a particularly lucrative target on Christmas Day due to its traffic increasing by around 2,000 percent during its sale.
“In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic,” Valve wrote.
“During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.”
Once it had identified the error, Valve said that it shut down the Steam Store to prevent any more leaks. The store was brought back online only after its engineers had reviewed and deployed all new caching configurations.
“We will continue to work with our web caching partner to identify affected users, and to improve the process used to set caching rules going forward. We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service,” Valve concluded.
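The failure Valve describes, a shared cache storing responses generated for authenticated users, can be modelled in a few lines. The following is an added illustration, not Valve's or its caching partner's configuration; the cookie name, paths and both caching rules are assumptions.

```python
from dataclasses import dataclass, field

SESSION_COOKIE = "session_id"  # hypothetical cookie name, not Steam's

@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

def origin(req):
    """Toy origin: /account is rendered for whoever owns the session."""
    user = req.cookies.get(SESSION_COOKIE)
    if req.path == "/account" and user:
        return Response(f"account page for {user}", {"Cache-Control": "private"})
    return Response("store front page", {"Cache-Control": "public, max-age=60"})

def flawed_rule(req, resp):
    """Assumed emergency rule: cache every response, authenticated or not."""
    return True

def safe_rule(req, resp):
    """Keep authenticated traffic and private responses out of the shared cache."""
    if SESSION_COOKIE in req.cookies or "Authorization" in req.headers:
        return False
    cc = resp.headers.get("Cache-Control", "").lower()
    return not ("private" in cc or "no-store" in cc or "Set-Cookie" in resp.headers)

class EdgeCache:
    def __init__(self, rule):
        self.rule, self.store = rule, {}

    def fetch(self, req):
        hit = self.store.get(req.path)
        if hit is not None and self.rule(req, hit):
            return hit.body                  # served from the shared cache
        resp = origin(req)
        if self.rule(req, resp):
            self.store[req.path] = resp      # cache key is the path only
        return resp.body

def what_bob_sees(rule):
    """Constructed traffic: alice loads /account, then bob does."""
    cache = EdgeCache(rule)
    cache.fetch(Request("/account", {SESSION_COOKIE: "alice"}))
    return cache.fetch(Request("/account", {SESSION_COOKIE: "bob"}))
```

Under the flawed rule the second visitor receives the page rendered for the first; under the safe rule each authenticated request goes to the origin while anonymous pages are still absorbed by the cache.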