Steam is currently in its busiest period of the year – the Christmas sale is running at full speed, and people have been enjoying the deals and spending a lot of money on new games. However, a group of hackers apparently wanted to play the Grinch and threatened to shut down Steam's servers on Christmas, and while many initially dismissed the threats as empty words, it turned out that the attackers were serious about them. On December 24, Steam went offline due to an apparently serious DDoS attack that brought Valve's servers down.
However, that was not the end of the story – the issue went much deeper than that, and Valve actually encountered a security issue that forced them to completely shut down access to the Steam website for several hours.
According to reports, at some point after the DDoS attack began, Steam's content caching servers started acting strangely, although it is not known whether this was a side effect of the DDoS or a completely unrelated issue. Users reported that they repeatedly found themselves logged in to someone else's account, in some cases even seeing a different language and currency in the store.
The main theory about the issue was that the caching layer was configured to cache pages that should never be cached, such as account-related pages that are rendered differently for each logged-in user. A shared cache keyed on the URL alone stores the first user's copy of such a page and serves it to anyone who requests the same URL while that copy is still considered valid, instead of passing each request through to be generated fresh. As a result, if user A and user B opened the same page at roughly the same time, one of them could be shown the page that had been rendered for the other.
And while the pages were static – the served copy was a snapshot of a page rendered for someone else, not a session on their account, so no actual actions could be performed on it – the situation was still far from pretty. Reports indicated that a user served someone else's account details page could see that person's e-mail address, physical address and the last four digits of any credit card associated with the account. That kind of information is useful for social engineering if it falls into the wrong hands, and it has to be assumed that at least some of it was collected while the pages were exposed.
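To make the failure mode in the two paragraphs above concrete, here is an added example (not Valve's code, nor the configuration of any real cache product) that simulates a shared HTTP cache in front of a constructed origin server. The session cookies, user names, e-mail addresses and card digits are made up for the demonstration. The cache can run in a misconfigured mode that stores every response under its URL alone, which reproduces the cross-user leak, and in a corrected mode that honours `Cache-Control: private`/`no-store` and `Vary: Cookie` so that per-user pages never enter the shared store.

```python
# Simulated shared HTTP cache in front of a constructed origin server.
# Added example, not Valve's code or any real cache product's configuration.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Response:
    body: str
    headers: dict


# Constructed sample sessions and account data; hypothetical, not real users.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
ACCOUNTS = {
    "alice": {"email": "alice@example.com", "card_last4": "1234"},
    "bob": {"email": "bob@example.com", "card_last4": "9876"},
}


def origin(path: str, cookie: Optional[str]) -> Response:
    """Constructed origin. /account is rendered per user and explicitly
    marked non-cacheable; store pages are public and cacheable."""
    if path == "/account":
        user = SESSIONS.get(cookie)
        if user is None:
            return Response("login required", {"Cache-Control": "no-store"})
        acct = ACCOUNTS[user]
        body = f"user={user} email={acct['email']} card=****{acct['card_last4']}"
        return Response(body, {"Cache-Control": "private, no-store", "Vary": "Cookie"})
    if path.startswith("/store/"):
        return Response(f"public store page {path}",
                        {"Cache-Control": "public, max-age=300"})
    return Response("not found", {"Cache-Control": "no-store"})


def cache_directives(headers: dict) -> set:
    """Directive names from a Cache-Control header ('max-age=300' -> 'max-age')."""
    raw = headers.get("Cache-Control", "")
    return {part.strip().split("=", 1)[0].lower()
            for part in raw.split(",") if part.strip()}


class SharedCache:
    """Caching proxy shared by every user.

    honor_headers=False reproduces the misconfiguration described in the
    article: every response is stored under its URL alone, so the first
    user to load /account has their copy served to everyone who follows.
    honor_headers=True is the corrected behaviour: private / no-store
    responses are never stored, and a Vary: Cookie response is keyed on
    the cookie as well as the URL.
    """

    def __init__(self, honor_headers: bool):
        self.honor_headers = honor_headers
        # path -> {"vary_cookie": bool, "variants": {cookie or None: Response}}
        self.entries = {}
        self.hits = 0

    def fetch(self, path: str, cookie: Optional[str]) -> Response:
        entry = self.entries.get(path)
        if entry is not None:
            variant_key = cookie if entry["vary_cookie"] else None
            cached = entry["variants"].get(variant_key)
            if cached is not None:
                self.hits += 1
                return cached

        resp = origin(path, cookie)

        if self.honor_headers:
            directives = cache_directives(resp.headers)
            if directives & {"private", "no-store"}:
                return resp  # per-user or sensitive: never enters the shared cache
            vary_cookie = "cookie" in resp.headers.get("Vary", "").lower()
        else:
            vary_cookie = False  # misconfigured: cache everything, key on URL only

        entry = self.entries.setdefault(
            path, {"vary_cookie": vary_cookie, "variants": {}})
        entry["variants"][cookie if vary_cookie else None] = resp
        return resp


def leaks_across_users(honor_headers: bool) -> bool:
    """Alice loads /account first; does Bob then receive Alice's page?"""
    cache = SharedCache(honor_headers)
    cache.fetch("/account", "sess-alice")
    bob_view = cache.fetch("/account", "sess-bob")
    return "user=alice" in bob_view.body


if __name__ == "__main__":
    print("misconfigured cache leaks:", leaks_across_users(False))  # True
    print("corrected cache leaks:   ", leaks_across_users(True))    # False
```

In the misconfigured mode Bob's request for `/account` is a cache hit on the entry Alice populated, so he is shown her e-mail address and masked card number, which is exactly the symptom users described. The corrected mode never stores the private response at all, while the public store page is still served from cache for both users, so the fix costs nothing on the pages a cache is actually meant to accelerate.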
Shortly after the chaos began, Valve decided to pull the plug on their servers and left the Steam Store inaccessible for several hours. During that time, users were actively discussing the situation online, and their frustration was compounded by the typical silence from Valve’s side. The company did eventually make a statement, but many saw it as far too late and not detailed enough in light of the seriousness of the situation. In the end, many people seem to have lost some trust in Valve after the incident, and the story might not be over yet with talks about class-action lawsuits on the horizon.
Some have taken the time to criticize Valve for the current state of its business, arguing that the company still lacks serious internal organization and the ability to address issues in a timely, responsive manner. Steam's support has been particularly weak in many respects and it doesn't look like that is going to change anytime soon; on the other hand, Valve is known for letting employees contribute freely to projects outside their area of expertise, which probably adds to situations like this one.