
Cache-astrophic: Why Valve's Steam store spewed players' private profiles to strangers

Lid blown on web riddle

By Chris Williams, 30 Dec 2015

PC gaming biz Valve has explained why its Steam software store blurted people's personal details to strangers on Christmas Day.

As reported in these pages, some gamers logging into the website on December 25 were in fact greeted by profile pages belonging to others. Those pages included home addresses, email addresses, details of past purchases, and partial credit card and phone numbers.

According to Valve today, someone launched a hefty denial-of-service attack on its servers, causing them to be flooded offline. In the chaos, a bunch of web caches, built to keep the site running, served the wrong webpages to people. Valve said 34,000 gamers' profiles were leaked this way. If you didn't log in that day, your information is safe because your profile didn't end up in the dodgy caches.

Here's what Valve said in its apology:

In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.

Once this error was identified, the Steam Store was shut down and a new caching configuration was deployed. The Steam Store remained down until we had reviewed all caching configurations, and we received confirmation that the latest configurations had been deployed to all partner servers and that all cached data on edge servers had been purged.

Valve didn't name its caching partner. Meanwhile, store.steampowered.com resolves to an akamaitechnologies.com host. Just saying. ®
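
The failure mode in Valve's statement, a shared cache storing responses generated for logged-in users, can be reproduced in a few lines. This is an added example, not Valve's or its caching partner's configuration: the `session` cookie name, the paths, and the assumption that the faulty rule keyed entries on URL alone are all hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

def origin(path, cookies):
    """Constructed stand-in for a store origin: /account is rendered per user."""
    if path == "/account":
        user = cookies.get("session", "anonymous")  # hypothetical cookie name
        return Response(f"account page for {user}",
                        {"Cache-Control": "private, no-store"})
    return Response("store front page", {"Cache-Control": "public, max-age=60"})

def cacheable(cookies, resp):
    """Hardened rule for a shared cache: never store per-user traffic."""
    raw = resp.headers.get("Cache-Control", "")
    directives = {d.strip().split("=")[0].lower() for d in raw.split(",")}
    if cookies.get("session"):                      # authenticated request
        return False
    if directives & {"private", "no-store"} or "Set-Cookie" in resp.headers:
        return False
    return bool(directives & {"public", "max-age"})

class EdgeCache:
    def __init__(self, hardened):
        self.hardened = hardened
        self.store = {}                             # keyed on URL path only

    def get(self, path, cookies):
        bypass = self.hardened and bool(cookies.get("session"))
        if path in self.store and not bypass:
            return self.store[path].body            # cache hit
        resp = origin(path, cookies)
        # Weak mode (assumed emergency rule): store everything, ignore headers.
        if not self.hardened or cacheable(cookies, resp):
            self.store[path] = resp
        return resp.body

def second_visitor_sees(hardened):
    """Alice loads her account page, then Bob requests the same URL."""
    cache = EdgeCache(hardened)
    cache.get("/account", {"session": "alice"})
    return cache.get("/account", {"session": "bob"})

if __name__ == "__main__":
    print("weak:    ", second_visitor_sees(False))
    print("hardened:", second_visitor_sees(True))
```

In the hardened mode, anonymous front-page traffic is still cached, so the edge keeps absorbing load during a flood without ever storing a per-user page.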

The Register - Independent news and views for the tech community. Part of Situation Publishing