Most Steam users are probably familiar with the flaky performance of the service during Valve's big sales. Unfortunately for Valve, the problems that hit the service on Christmas day weren't caused by legions of loyal fans. Instead, those issues were caused by a denial-of-service attack, and they were made worse by Valve's response to the attack.
Around the time that issues with Steam arose, Valve stated that a configuration change caused a caching issue that resulted in some users randomly seeing pages that were generated for other users. According to the company, the situation lasted for about an hour. No specific details about the configuration change, or why it was made on Christmas day, were shared. In a statement released yesterday afternoon, Valve explained in more detail its reasoning for the changes, and what information was mistakenly made visible.
The company says it made a caching configuration change to mitigate a denial-of-service attack on its services during the sale. As the attack continued, Valve apparently made a second configuration change that caused web traffic for authenticated users to be cached improperly.
That improper configuration caused some Steam users to see the front page of the service in the wrong language, while others saw account pages meant for different users. Valve outlined exactly what data got revealed in its statement:
"The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user."
Valve assures users that if they did not browse their user account page or a checkout page during the time of the incident (11:50 AM to 1:20 PM PST Christmas day), they aren't one of the approximately 34,000 accounts that had personal information temporarily made visible. Valve says it's contacting the users that were affected by this error, but it claims that no user action is required to protect the affected accounts.
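The failure mode described above, a shared cache storing pages generated for logged-in users and replaying them to other visitors, can be reproduced in a small model; this is an added example, not Valve's configuration or code. The cache class, the origin function, the session names and the conservative "never store credentialed traffic" policy are all assumptions made for illustration.

```python
# Constructed model of a shared edge cache; names and policy are illustrative assumptions.

def is_shareable(request_headers, response_headers):
    """Return True only if a shared cache may store this response."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    if "cookie" in req or "authorization" in req:
        return False  # request carried credentials, so the response may be per-user
    if "set-cookie" in resp:
        return False  # response establishes a session for one client
    cache_control = resp.get("cache-control", "")
    directives = {d.strip().split("=")[0].lower() for d in cache_control.split(",")}
    return not (directives & {"private", "no-store"})


class SharedCache:
    def __init__(self, origin, check_shareable):
        self.origin = origin
        self.check_shareable = check_shareable  # False models the misconfiguration
        self.store = {}

    def fetch(self, url, request_headers):
        if url in self.store:  # cache key is the URL only, not the user
            return self.store[url]
        body, response_headers = self.origin(url, request_headers)
        if not self.check_shareable or is_shareable(request_headers, response_headers):
            self.store[url] = body
        return body


def origin(url, request_headers):
    """Constructed origin: /account renders the page for the session in the cookie."""
    if url == "/account":
        user = request_headers.get("Cookie", "session=anonymous").split("=", 1)[1]
        return f"account page for {user}", {"Cache-Control": "private"}
    return "store front page", {"Cache-Control": "public, max-age=60"}


def demo(check_shareable):
    """Two different sessions request /account through the same cache."""
    cache = SharedCache(origin, check_shareable)
    cache.fetch("/account", {"Cookie": "session=alice"})
    return cache.fetch("/account", {"Cookie": "session=bob"})
```

With the check disabled, the second session receives the first session's page; with it enabled, only the anonymous front page is ever stored.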