Valve reveals details of Christmas Day Steam hack

Valve has broken its silence on the massive hack suffered by its game distribution platform Steam on Christmas Day.

Through a caching error, up to 34,000 customers could have had their personal information inadvertently shown to other users.

The fault, which lasted for about an hour and a half and started at 7.50pm on 25 December, has now been repaired.

Among the information displayed was customers’ email and registered billing addresses, purchasing histories, and the last two digits of their credit card numbers.

According to an official Valve blog post, this was the result of a DDoS attack that saw traffic to Steam’s servers increase by over 2,000 per cent compared with the expected average.

As part of its process for dealing with cyberattacks – of which the company says it receives 77,000 a month – Valve and “a Steam web caching partner” used caching rules to route the genuine traffic.

However, during the second attack wave, an error in the caching configuration caused Steam’s servers to begin mixing up requests.

This resulted in the servers showing some users the page results that other customers had asked for.

This included store pages for other countries as well as the purchase histories and account pages of other users.
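As an added illustration (not taken from Valve's post or from the caching partner's configuration, which the article does not describe), the toy shared cache below shows how a rule that stores every response under its URL hands one user's account page to the next visitor, and how honouring `Cache-Control: private` prevents it. The paths, user names and both cache rules are constructed assumptions.

```python
# Added example: a toy edge cache in front of an origin server.
# Paths, users and rules are constructed; this is not Steam's real setup.

def origin(path, session_user):
    """Origin renders /account from the session; other pages are public."""
    if path == "/account":
        return {"body": f"account page for {session_user}",
                "headers": {"Cache-Control": "private, no-store"}}
    return {"body": f"public page {path}",
            "headers": {"Cache-Control": "public, max-age=60"}}

class EdgeCache:
    def __init__(self, honor_cache_control):
        self.honor_cache_control = honor_cache_control
        self.store = {}        # cache key is the path only, shared by all users
        self.origin_hits = 0

    def _may_store(self, response):
        if not self.honor_cache_control:
            return True        # weak rule: cache every response to shed load
        header = response["headers"].get("Cache-Control", "")
        directives = {d.strip().split("=")[0].lower() for d in header.split(",")}
        # corrected rule: only explicitly public responses enter the shared cache
        return "public" in directives and not directives & {"private", "no-store"}

    def get(self, path, session_user):
        if path in self.store:
            return self.store[path]["body"]   # served without consulting the session
        self.origin_hits += 1
        response = origin(path, session_user)
        if self._may_store(response):
            self.store[path] = response
        return response["body"]

def replay(cache):
    """Two users request the same paths in turn; returns what each one sees."""
    return [cache.get(path, user)
            for user in ("alice", "bob")
            for path in ("/store/front", "/account")]

if __name__ == "__main__":
    for label, honor in (("cache everything", False), ("honour Cache-Control", True)):
        cache = EdgeCache(honor)
        print(label, replay(cache), "origin hits:", cache.origin_hits)
```

The corrected rule costs one extra origin request in this replay, which is the trade-off a cache-everything rule avoids under load at the expense of leaking per-user pages.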

The store was shut down while new caching configurations were deployed and tested, with Valve bringing them back online once the errant caches had been purged from servers.

Anyone who did not use Steam to access a page containing their personal information can rest assured that their information is safe, the company has said.

The revealed information also “did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user”.

“We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward”, Valve stated.

“We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service.”

Adam Shepherd
