Steam confirmed in a statement on its website that a midday denial-of-service attack on Christmas likely exposed the personal information of 34,000 users via store page requests made between 11:52 a.m. and 13:20 p.m. PST.
While the statement said the information varied according to page, some pages included a Steam user's billing address, the last four digits of their Steam Guard phone number, the last two digits of their credit card number, and/or their email address. The company assured users that the “cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.”
Referring to “Steam's troubled Christmas,” the statement noted that users who did not browse a Steam Store page with personal data during that time period shouldn't worry that their information had been exposed. Valve, the firm behind the Steam gaming platform, and its web caching partner are trying to identify the users affected and will contact them accordingly. No unauthorized activity has been spotted.
The statement said the attack that began on Christmas morning “prevented the serving of store pages to users,” which was particularly confounding since the Steam Sale had generated a 2,000 percent increase in traffic to the Steam store. Cache management rules were deployed in an effort to reroute “legitimate” traffic as well as “minimize the impact on Steam Store servers.”
But a second caching configuration deployed in response to the second wave of the attack “incorrectly cached web traffic for authenticated users” and inadvertently let some users see “Steam Store responses which were generated for other users.” When the error was spotted, the store was shuttered until the company deployed a new caching configuration and remained down until all the caching configurations had been reviewed and confirmation was received that “the latest configurations had been deployed to all partner servers and that all cached data on edge servers had been purged.”
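The failure mode described above, as an added illustration in Python (not Valve's or its caching partner's actual configuration): a toy edge cache where the weak rule stores every response by URL alone, and the corrected rule bypasses the cache for requests carrying a session and honors `private`/`no-store`. The `Request`, `Response` and `EdgeCache` names, the `/account` path and the user names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    path: str
    session: Optional[str] = None  # constructed stand-in for a login cookie

@dataclass
class Response:
    body: str
    cache_control: str = ""

def origin(req: Request) -> Response:
    """Constructed origin: /account is per-user, everything else is public."""
    if req.path == "/account":
        return Response(f"billing page for {req.session}", "private, no-store")
    return Response("public store page", "public, max-age=60")

class EdgeCache:
    def __init__(self, safe: bool):
        self.safe = safe   # False = weak rule, True = corrected rule
        self.store = {}    # shared cache keyed on URL path only

    def cacheable(self, req: Request, resp: Response) -> bool:
        if not self.safe:
            return True    # weak rule: cache every response by URL alone
        directives = {d.strip().lower() for d in resp.cache_control.split(",")}
        # corrected rule: never store authenticated or private responses
        return req.session is None and not directives & {"private", "no-store"}

    def fetch(self, req: Request) -> str:
        # corrected rule: authenticated requests never read the shared cache
        bypass = self.safe and req.session is not None
        if req.path in self.store and not bypass:
            return self.store[req.path].body
        resp = origin(req)
        if self.cacheable(req, resp):
            self.store[req.path] = resp
        return resp.body

def demo(safe: bool) -> str:
    """Alice loads her account page, then Bob requests the same URL."""
    edge = EdgeCache(safe)
    edge.fetch(Request("/account", session="alice"))
    return edge.fetch(Request("/account", session="bob"))
```

With the weak rule Bob receives the page generated for Alice; with the corrected rule each authenticated request goes to the origin while anonymous public pages are still served from cache.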