ONLINE AND OFFLINE AGAIN gaming service Steam has revealed that a configuration error combined with a denial-of-service (DoS) attack caused a leak of some sensitive personal information on 25 December.
We were expecting to see some problems with the online gaming world over the holidays and indeed there were some incidents.
Steam said that its problems were, in a way, self-inflicted: a DoS attack and the overwhelming of some systems led to the exposure of information relating to some 34,000 users.
The company revealed all in a blog post: "The content of these requests varied by page, but some pages included a Steam user's billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address.
"These cached requests did not include full credit card numbers, user passwords or enough data to allow logging in as, or completing a transaction as, another user.
"If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user.
"Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified."
The firm said that users should stay cool, and that no "additional action" is needed at this stage. It looks like all the hard work happened behind the scenes.
"Attacks against the Steam Store, and Steam in general, are a regular occurrence that Valve handles directly and with the help of partner companies, and typically do not impact Steam users. During the Christmas attack, traffic to the Steam store increased by 2,000 percent over the average traffic during the Steam Sale," added the firm.
"During [the] second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users.
"Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user."
This has been fixed, and Steam apologised to its users and promised that it would identify and presumably contact affected punters.
"Once this error was identified, the Steam Store was shut down and a new caching configuration was deployed. The Steam Store remained down until we had reviewed all caching configurations, and we received confirmation that the latest configurations had been deployed to all partner servers and that all cached data on edge servers had been purged," the firm said.
"We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules. We apologise to everyone whose personal information was exposed by this error, and for interruption of Steam Store service." µ
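The failure mode Valve describes, a shared cache storing responses that were generated for authenticated users, can be sketched as follows. This is an added example and a simplified model, not Valve's or its caching partner's configuration; the `session` cookie, the paths and the page bodies are constructed for illustration.

```python
# Simplified model of a shared edge cache in front of a personalised site.
# Assumptions (not from the article): a "session" cookie marks a logged-in
# user, and the origin sends Cache-Control headers as shown.

def origin(path, cookies):
    """Origin server: personalises /account for a logged-in session."""
    user = cookies.get("session")
    if path == "/account" and user:
        return {"body": f"account page of {user}",
                "headers": {"Cache-Control": "private, no-store"}}
    return {"body": "store front page",
            "headers": {"Cache-Control": "public, max-age=60"}}

class EdgeCache:
    def __init__(self, respect_auth):
        self.respect_auth = respect_auth  # False models the faulty rule
        self.store = {}                   # cache key is the URL path only

    def cacheable(self, cookies, response):
        if not self.respect_auth:
            return True                   # faulty rule: cache every response
        if "session" in cookies:
            return False                  # never store authenticated traffic
        cc = response["headers"].get("Cache-Control", "")
        directives = {d.strip().lower() for d in cc.split(",")}
        return not directives & {"private", "no-store"}

    def get(self, path, cookies):
        may_serve = not self.respect_auth or "session" not in cookies
        if may_serve and path in self.store:
            return self.store[path]["body"]   # cache hit
        response = origin(path, cookies)      # cache miss or bypass
        if self.cacheable(cookies, response):
            self.store[path] = response
        return response["body"]

def second_visitor_sees(respect_auth):
    """Alice loads her account page, then Bob requests the same URL."""
    edge = EdgeCache(respect_auth)
    edge.get("/account", {"session": "alice"})
    return edge.get("/account", {"session": "bob"})

if __name__ == "__main__":
    print("faulty rule:   ", second_visitor_sees(False))
    print("corrected rule:", second_visitor_sees(True))
```

With the corrected rule, anonymous pages such as the front page are still cached, so the cache keeps absorbing load during a traffic spike without storing per-user responses.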