PC gamers had a rather unhappy Christmas this year, as gaming hub Steam was affected by some extreme account vulnerability errors. Almost a week later, Steam operator Valve has explained what happened.
On 25 December, some Steam users began noticing strange things happening on the service. Principally, their landing page, when accessed through the Steam client, might appear in languages different to their own, most commonly Russian. Game recommendations would be generated for alien tastes. More seriously, if users went to their account settings, they would see the details of random other people, including personal information.
Even players using the Steam Guard authenticator to log in were affected, their details offered up as readily -- if randomly -- as anyone else's despite the authenticator's entire purpose being to protect accounts. Eventually, Steam was taken offline for a short period, as Valve attempted to fix what was rapidly appearing like a huge security breach.
While many suspected a hacker attack similar to the Lizard Squad assault on PSN and Xbox Live of Christmasses past, many were frustrated by Valve's broad silence on the issue. However, in a new blog post, the company has finally detailed what happened. "Early Christmas morning (Pacific Standard Time), the Steam Store was the target of a DoS attack which prevented the serving of store pages to users," Valve writes. "Attacks against the Steam Store, and Steam in general, are a regular occurrence that Valve handles both directly and with the help of partner companies, and typically do not impact Steam users. During the Christmas attack, traffic to the Steam store increased 2000 percent over the average traffic during the Steam Sale."
Steam Sales are events unto themselves, and the opening hours usually see the site struggle to meet demand as players rush to buy heavily discounted games. A 2000 percent increase above even the expected heavy traffic load would be an incredible challenge to deal with -- though given Steam sales are a fairly regular occurrence, perhaps not unprecedented. "In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimise the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users."
In essence, Steam's backend was storing information it shouldn't have been, then showing them back to the wrong people. Thankfully, the error was caught early enough that no serious harm seems to have come from it, and after taking the store offline to deploy a new caching configuration, affected data will no longer be served up. Valve confirms, "The Steam Store remained down until we had reviewed all caching configurations, and we received confirmation that the latest configurations had been deployed to all partner servers and that all cached data on edge servers had been purged."
Approximately 34,000 users were impacted by the DoS attack, although Valve "is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified."
Thankfully, if you were one of the affected, there should be little to worry about. Valve says "as no unauthorised actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users."
This article was originally published by WIRED UK
