Valve’s Christmas mix-up leaves users steaming

Most Steam users are probably familiar with the flaky performance of the service during Valve's big sales. Unfortunately for Valve, the problems that hit the service on Christmas day weren't caused by legions of loyal fans. Instead, those issues were caused by a denial-of-service attack, and they were made worse by Valve's response to the attack.

Around the time that issues with Steam arose, Valve stated that a configuration change caused a caching issue that resulted in some users randomly seeing pages that were generated for other users. According to the company, the situation lasted for about an hour. No specific details about the configuration change, or why it was made on Christmas day, were shared. In a statement released yesterday afternoon, Valve explained in more detail its reasoning for the changes, and what information was mistakenly made visible.

The company says it made a caching configuration change to mitigate a denial-of-service attack on its services during the sale. As the attack continued, Valve apparently made a second configuration change that caused web traffic for authenticated users to be cached improperly.

That improper configuration caused some Steam users to see the front page of the service in the wrong language, while others saw account pages meant for different users. Valve outlined exactly what data got revealed in its statement:

"The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user."

Valve assures users that if they did not browse their user account page or a checkout page during the time of the incident (11:50 AM to 1:20 PM PST Christmas day), they aren't one of the approximately 34,000 accounts that had personal information temporarily made visible. Valve says it's contacting the users that were affected by this error, but it claims that no user action is required to protect the affected accounts.
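
The failure mode described above can be reproduced in a small model. This is an added example, not Valve's code or configuration (the company shared no such details); it assumes the faulty change amounted to caching every response keyed by URL alone, and `origin`, `EdgeCache` and the sample requests are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed model of a shared edge cache in front of a personalised site.
# Assumption: the faulty policy is "cache every response, keyed by URL only".
# Header names are matched with exact case here; real HTTP is case-insensitive.

@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

def origin(req):
    """Hypothetical origin: /account depends on the cookie, / on the language."""
    if req.path == "/account":
        who = req.headers.get("Cookie", "anonymous")
        return Response(f"account page for {who}",
                        {"Cache-Control": "private, no-store"})
    lang = req.headers.get("Accept-Language", "en")
    return Response(f"front page [{lang}]",
                    {"Cache-Control": "public, max-age=60",
                     "Vary": "Accept-Language"})

class EdgeCache:
    def __init__(self, safe):
        self.safe = safe
        self.vary = {}   # path -> request header names from the origin's Vary
        self.store = {}  # cache key -> stored Response

    def key(self, req):
        if not self.safe:
            return (req.path,)  # weak: the URL is the whole cache key
        names = self.vary.get(req.path, ())
        return (req.path,) + tuple(req.headers.get(n, "") for n in names)

    def may_store(self, resp):
        if not self.safe:
            return True  # weak: store everything to take load off the origin
        cc = resp.headers.get("Cache-Control", "").lower()
        directives = {d.strip().split("=")[0] for d in cc.split(",") if d.strip()}
        if directives & {"private", "no-store"} or "Set-Cookie" in resp.headers:
            return False
        return bool(directives & {"public", "max-age", "s-maxage"})

    def handle(self, req):
        # Corrected policy: credentialed requests never touch the shared cache.
        if self.safe and req.headers.keys() & {"Cookie", "Authorization"}:
            return origin(req).body, "BYPASS"
        hit = self.store.get(self.key(req))
        if hit is not None:
            return hit.body, "HIT"
        resp = origin(req)
        if self.may_store(resp):
            if self.safe:  # learn which request headers select the variant
                vary = resp.headers.get("Vary", "")
                self.vary[req.path] = tuple(
                    h.strip() for h in vary.split(",") if h.strip())
            self.store[self.key(req)] = resp
        return resp.body, "MISS"

# Constructed traffic: two logged-in users, then visitors in two languages.
SAMPLE = [
    Request("/account", {"Cookie": "session=alice"}),
    Request("/account", {"Cookie": "session=bob"}),
    Request("/", {"Accept-Language": "ru"}),
    Request("/", {"Accept-Language": "en"}),
    Request("/", {"Accept-Language": "en"}),
]

def replay(safe):
    """Run SAMPLE through a fresh cache; return (body, cache status) per request."""
    cache = EdgeCache(safe)
    return [cache.handle(r) for r in SAMPLE]

if __name__ == "__main__":
    for safe in (False, True):
        print("corrected" if safe else "weak")
        for body, status in replay(safe):
            print(f"  {status:6} {body}")
```

With the weak policy the second request is served the first user's account page and the English visitors receive the Russian front page, the same two symptoms reported in this incident; the corrected policy keeps credentialed requests out of the shared cache and keys the front page on language.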

 

Colton Westrate

I post Shortbread, I host BBQs, I tell stories, and I strive to keep folks happy.

Comments closed
    • Crackhead Johny
    • 4 years ago

    Steam has done what they wanted to, they have become the local grocery of games. You want a game go to Steam.
    Meanwhile Origin (Whole Foods?) has a limited, overpriced selection of games, that only sell because they try to make themselves the sole distributor and then gouge the customer.
    Uplay (Salmonella Inc.) on the other hand just tries to infect the games you buy elsewhere.

    The thing that has tarnished the once amazing Steam sales is not things like DDOS attacks, it is Humble Bundle, which got us used to paying even less for games than we do at Steam sales. So “It was not really discounted this sale, it should be cheap next sale” is now “It was not really discounted this sale, I’ll probably find it in a bundle before next sale.”

    • squeeb
    • 4 years ago

    My faith in GabeN never wavered.

      • torquer
      • 4 years ago

      Hopefully he’s found something better to do with his time than to manage daily operations of the platform he inspired. Unfortunately, he’s had some good ideas that are either past their time or too far ahead of it. His big thing has been removing the Microsoft middleman from gaming for a long time, but he’s not much closer to that goal than he was 15 years ago. Native (sorry, WINE users) Linux gaming on the desktop (not counting PS4 and Android) has just never taken a foothold. Neither has Mac gaming. Steam has done good things for both platforms but they remain very limited markets. Steam Machines don’t really offer anything all that compelling over a console unless they are running Windows. When/if Microsoft does finally enable reverse game streaming to the Xbone that’ll remove one of the only benefits offered by these devices.

      Valve has some amazing IP and franchises. They should really stick to cultivating the steam platform to ensure it does not go by the wayside and releasing award winning games people want to play.

      I think that a lot of Valve’s current or potential future issues are similar to other scrappy upstart companies that got very big, very quick. They lose sight of the core things that made them great and start doing things that aren’t helping their bottom line. It also doesn’t help that their boss seems to want to modify a business model to satisfy his irrational hatred of Microsoft.

      While an unpopular truth, all PC gamers have a lot to thank Microsoft for. Before the days of DirectX, we had games written for specific graphics and sound cards. There were no cross platform APIs and everything was proprietary. While they have made numerous missteps over the last 30 years (god I’m old), we all should still be thankful for what they have done for our beloved PC master race.

      Man that was a digression!

    • torquer
    • 4 years ago

    If this had been just about any other company that people love to hate, it’d be akin to the end of the world.

    Valve continues to get a free pass for mistakes and failures and I can’t fathom why that is.

      • DoomGuy64
      • 4 years ago

      Because it’s a non-issue, and it wasn’t their fault. Accounts weren’t compromised, and the info available wasn’t any worse than what you’re already leaving open to the public.

      If anything was a real issue, it wouldn’t be this, but how annoying and insecure steam guard is. Phone activation? What’s more likely to be stolen? A mobile phone, or my full tower sitting in my house? Steam guard should never ask me to activate my home pc from home, and yet it does all the time if I use a web browser instead of steam. Is it so hard to check that steam is already running on the same PC that I’m browsing from? Apparently.

      That, and if I ever lose my phone, Steam could lock my PC, when it should be the other way around. The caching bug isn’t a problem. Steam Guard is.

        • torquer
        • 4 years ago

        That’s really not my point. My point is that Valve hasn’t exactly had a stellar record over the last few years. Steam was great when it came out and is still my preferred method for buying games. That being said (for better or worse) we now have lots of competition in Uplay, Origin, etc. Not that those are good by any means, but Steam as a game buying and managing platform really hasn’t changed or improved much in the last several years.

        Steam machines have not revolutionized the industry or been a serious competitor to consoles. Linux gaming is Linux gaming. Mac gaming is Mac gaming. Steam is a non entity in mobile. The steam controller has gotten decidedly mixed reviews. As far as game development goes, Valve is the most micro transaction happy company in the world and yet no one seems to care. Other companies do it and it’s like the end of the world (Forza 5 anyone?)

        While you say this is a non issue, plenty of other people feel differently. Again, if it were another company the peasants would be gathering torches and pitchforks as we speak. I can only imagine if Apple or Microsoft had had a similar issue.

        What about Half-Life? Since Episode 2, Valve has basically given their most loyal (game) fans a big middle finger, flushing the very franchise that put them on the map in favor of Gabe Newell’s personal vendetta against Microsoft and other boondoggle projects that are destined for failure.

        It just speaks to a common double standard in the industry. If you are one of the favored sons of gaming or tech you get a free pass all day long. If you’re one of the hated few (EA, Microsoft, Apple, Ubisoft) you can do no right.

          • sweatshopking
          • 4 years ago

          You’re absolutely right. They’re forgiven for everything for literally no reason.

          • DoomGuy64
          • 4 years ago

          You’re just using the opportunity to bash Valve. Valve did not cause the DDOS attack or the caching bug, which didn’t compromise anything except some minor information that you’ve already left open to the public.

          Neither Uplay or Origin are valid “competition”. They’re specifically DRM storefronts for EA and Ubisoft. Amazon or D2D would be more accurate as competition, because they are actual storefronts. Calling Origin or Uplay “competition” just makes it seem like this is an anti-valve fanboy post, which in all likelihood is exactly that.

          Steam machines were never supposed to revolutionize anything, or directly compete with consoles. They’re not subsidized hardware, just M-ITX PC’s that run a custom Distro. It’s a niche product aimed for a niche market, and they’re not attempting to be some unrealistic expectation of yours.

          Micro-transactions? Nobody cares because it isn’t P2W. People hate P2W, not micro transactions.

          Steam controller? It’s not a 360 replacement, but a m/kbd emulator for the couch. You can use BOTH, and the steam controller would be used specifically for titles that don’t use a gamepad.

          HL3? When it’s done. Valve doesn’t have to release it either, and they probably won’t anytime soon. There have been several good videos on that. https://www.youtube.com/watch?v=50lSIaSR3zc

          Conclusion? This isn't about a "double standard", but an anti-Valve bash fest. None of these things you've listed are relevant to the original story, and is just a "top 10" list of things Valve Haters gonna Hate on. Logic and reasoning with you probably won't work. You're just going to continue hating Valve no matter how wrong you are.

            • VincentHanna
            • 4 years ago

            > Valve did not cause the DDOS attack or the caching bug

            Valve did not cause the DDOS. They DID cause the caching bug.

            > Neither Uplay or Origin are valid "competition". They're specifically DRM storefronts for EA and Ubisoft.

            Steam is a DRM storefront for valve inc. Its primary purpose is DRM. EA and Origin both offer non EA/Origin titles on their stores as well... And what exactly is your point? Yeah, Amazon is yet another example of another library management storefront with DRM. And don't forget GoG. So, what?

            You aren't even contradicting him here, you literally agreed with him, continued arguing his point and then called him a "fanboy" because he wants to hold valve accountable for their own actions. Please explain the logic here, because I don't see it.

            • DoomGuy64
            • 4 years ago

            > They DID cause the caching bug.

            No they didn't. It was a 3rd party caching service, or whatever a "Steam web caching partner" is. Could it have been handled better? Sure, but the official valve servers were dealing with the DDOS attack, and it was the web caching partner that had the problem.

            > Steam is a DRM storefront for valve inc.

            Is it now? Steam started off as an update service for CS, and other valve titles, but that isn't what it is today.

            > Its primary purpose is DRM.

            What are all those DRM-free titles doing on steam then? DRM as we knew it, no longer exists. I'd say the true function is SAAS, and *everybody*, including GOG are using the same model.

            > EA and Origin both offer non EA/Origin titles

            Not many, and nowhere near what Steam has.

            > don't forget GoG

            I didn't, but it's not a steam competitor. Neither is Origin or Uplay. GOG sells old games. Origin sells EA games. None of these services match Steam for content or features, and that's why Steam is still the #1 digital distributor on the internet. I wouldn't put Amazon, d2d, or GamersGate in its class, but at least those services are dedicated storefronts, and not a Vendor lock-in scheme to corner the market.

            > he wants to hold valve accountable

            For what exactly? No harm, no foul. This is just an excuse to bash Valve.

            > explain the logic here, because I don't see it.

            How can I explain logic to one who can't understand logic in the first place? That's like asking to explain sight to a person who's been born blind. You have to open your mind, before you can understand anything that differs from your own perspective. You'll never know what the shadows on the cave walls represent, unless you walk outside. True understanding always requires effort on your part.

            > what exactly is your point?

            You need to ask when I've already stated it? Pointing out Valve Haters.

            There is no issue, except what exists in the minds of the delusional. The fact that you're bringing up issues other than the original topic, and referencing EA/Ubi proves it. Anyways, this post has gotten too lengthy and annoying to correct for my own good.

            • torquer
            • 4 years ago

            Whoa bro. Defensive much? I don’t even have to post a response because you’ve illustrated my point beautifully.

            There’s no way in hell you would do the same for any other publisher, guaranteed. I’m far from a Valve hater. Had you read my post you’d have seen that I buy most of my games from steam and you could have inferred I’m a fan of some of their games, which I am. I’m merely pointing out that people like you pick and choose who to apply your rules to. Valve gets a free pass from you and others like you due to some emotional attachment I don’t understand and the vehemence of your defense just underscores that point.

            Much of what is wrong with the tech community comes down to blind hatred or love of a brand/company.

            • DoomGuy64
            • 4 years ago

            No, I don’t give Valve a free pass, and I would stick up for GOG as well. All I’m saying is that you’re taking a complete non-issue, and using it as an excuse to bash Valve, and Valve supporters. By all means bash Valve if you have a valid reason, but this isn’t one.

            The only reason why I’m defending Valve here, is that you don’t have a valid argument, and whether or not you’re a Valve hater, that’s what a Valve hater would do. Not to mention you’re bashing Valve supporters, and saying they get a “free pass”. Like hell. Valve “supporters” complained up a storm over the paid Skyrim mods. Valve doesn’t get a free pass, that’s complete nonsense. They’re just better than everyone else, and that’s reflected in user and sale statistics.

          • Crackhead Johny
          • 4 years ago

          We simply do not have lots of competition in Uplay, Origin while Ubi is evil and incompetent and EA is not much better. Friends do not let friends buy Ubi until they can drop their stance on DRM and consumer abuse for say 2 years.

          Steam is the best legal option we have by a huge margin.

          As for micro transactions.. You mean selling cards? That is free games for those who mine their cards and sell them. Free games does not compare with ~1,500$ for everything in GT5 (Sony changed this IIRC after fan outrage) or millions of dollars for everything in Marvel Puzzle Quest (seriously millions to max everything in a 2-3$ matching game, done by people who do not understand math)… or are you considering all the games that offer microtransaction on Steam to be “Steam microtransactions”?

        • VincentHanna
        • 4 years ago

        How is Valve adjusting the way that their servers authenticate users in such a way that it makes cached information available not their fault?

        I think the site going down for an hour would have been preferable.

          • Pholostan
          • 4 years ago

          Exactly, it was their fault. They fucked up their cache servers big time. And took almost a week to respond to customers. Pretty bad.

            • torquer
            • 4 years ago

            Not according to DoomGuy64. Remember, it’s “no big deal” and if YOU think it’s a big deal, then you’re just a Valve basher and Valve hater…

            • DoomGuy64
            • 4 years ago

            Accounts were not compromised, so it isn’t a big deal, and you ARE a hater, because that’s specifically what your original post was about. It’s not just Valve either, you’re also bashing Valve supporters.

            You’re contradicting yourself, because you can’t bash Valve and not be a Valve basher.

            • ajira99
            • 4 years ago

            So accounts weren’t “compromised” and all is good with the world? I’m not a diehard Valve supporter or mindlessly bashing them. Regardless of the circumstances, Valve had duty of care for their customer information (or should have). Even if email addresses and phone numbers are a form of public information, they can and probably will be used in social engineering attacks against users. But I suppose we (as consumers) shouldn’t have a care for harassment or swatting tactics because a billion dollar vendor royally messed up.

            @Vincent Hanna: I want to know what they’re doing now and will do in the future to secure user information. Instead of people harping about getting free games and the like, we should all be pressuring Valve for more transparency about the incident. There’s still some disparity about the actual length of the incident (I know that Valve claimed it was just an hour), and no reports of any users getting contacted about their accounts.

            Slightly OT, but I’d have more faith in mobile SteamGuard if I didn’t have to authenticate in the app when it logs me out while I’m trying to authenticate the client on my PC.

            • DoomGuy64
            • 4 years ago

            > So accounts weren't "compromised" and all is good with the world?

            Bingo, that's exactly it. Nothing happened, and you're over-reacting. Some people are bringing out the pitchforks, and wondering why nobody else is. Well, that's why. Valve has a big customer base, and you're not going to incite a mob riot mentality over something so insignificant.

            > I'm not a diehard Valve supporter or mindlessly bashing them.

            No, your head clearly isn't screwed on straight if you're claiming account information was compromised, when it wasn't.

            > Regardless of the circumstances, Valve had duty of care for their customer information (or should have).

            So far, so good. Valve has been around the block, and I like to think they know what they're doing by now. Caching bug != compromised accounts.

            > Even if email addresses and phone numbers are a form of public information, they can and probably will be used in social engineering attacks against users. But I suppose we (as consumers) shouldn't have a care for harassment or swatting tactics because a billion dollar vendor royally messed up.

            Then delete your public steam profile, remove your name from the phonebook, and get off facebook. There are organizations that investigate social engineering attacks. I'm not going to lose sleep over an imaginary problem, unless it was stated to actually be a problem, and neither is anyone else. Social engineers have more reliable sources than waiting around for a random cache bug that only affected a small percentage of users, and wasn't available in any large, parsable format.

            • torquer
            • 4 years ago

            I’m bashing people who blindly support one company while criticizing another for the same thing. I’m sorry that inconvenient truths are considered “bashing” in your world. Unfortunately you are as lacking in objectivity as a lot of folks on the internet because you can’t see past your own emotional attachments to corporation A or B to see them objectively.

            You intentionally ignore the fact that I buy a lot of games through steam and applaud it as a good platform. I’m a fan of the HL franchise and am disappointed that they’ve chosen to flush it. I criticize because they are capable of being better and doing better but it is my opinion that the company is suffering due to its own collective ego.

            You on the other hand offer no defense whatsoever to cogent arguments, dismissing anyone who disagrees with you as a “hater” and “basher” and only saying that because you personally do not think this (or any other Valve mistake/failure/screwup) is a big deal that it shouldn’t be to anyone. Again, just illustrating my point about people who think more with raw emotion than with logic when it comes to their favored businesses.

            • DoomGuy64
            • 4 years ago

            It’s all a vast conspiracy involving little green men, isn’t it? Never mind that *you're* the instigator here, and since it wasn't a hack or full leak, there was no actual harm done to any users. It's all in your head. Completely imaginary, and you wonder why someone would call you out on your bull.

            Q: Was this a real problem? A: No.

            That's not an "emotional" attachment, but a statement of fact. You're the one with an emotional attachment, as you keep making a problem out of nothing. Get back to me when you have something real to complain about.

            • torquer
            • 4 years ago

            Don’t worry everyone! Having your personal credit card information, purchasing history, and friends list exposed without your consent isn’t a real problem because DoomGuy64 says so. Nothing to see here, move along!

            • DoomGuy64
            • 4 years ago

            You’re a freaking liar. No card info, or detailed information was exposed. If you actually read the report, you’d know that.

            Quote:

            > These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.

            End of Story, moron. This was not a leaked database, but a caching bug that "varied by page". Do you even know what a cache is? Apparently not. The full cache was not made available to any social engineers. It was users getting redirected to an improperly cached page, which did not permit logging in, or completing a transaction. If you think there's a bigger problem here, then you're on crack.

    • DrCR
    • 4 years ago

    Banner Saga, Bastion, Invisible Inc., Transistor, I already own all the games I’m interested in and waiting for Banner Saga 2 right now. Any must-have recent indie games I missed?

      • Voldenuit
      • 4 years ago

      > Banner Saga, Bastion, Invisible Inc., Transistor, I already own all the games I'm interested in and waiting for Banner Saga 2 right now. Any must-have recent indie games I missed?

      I've recently had a lot of fun with Jotun (I really want EITR, but in the meantime, Jotun will supply my Nordic fix), Convoy, Party Hard, Lovers in a Dangerous Space Time and RWBY. Going back a bit, I really enjoyed Papers Please, Don't Starve and Dungeon of the Endless. I played quite a bit of Binding of Isaac (original) and A Wizard's Lizard. I've heard good things about Rocket League, Shelter 2 and Broforce, as well as Life Is Strange. Like you, eagerly awaiting Banner Saga 2, also EITR and Below. I'm also on the Kickstarter for Hyper Light Drifter, fingers crossed.

      EDIT: As for indie games that disappointed me, I was a bit let down by Windward (really slow grinding and got bored of the mechanic after a while) and massively so by Sunless Sea (sailing game that isn't a sailing game, but a ridiculously verbose text adventure game with an engine that doesn't scale the text with high res displays wtf). Also, I ragequit Guacamelee after getting to the final stages, because the controls were ****, and the levels demanded too much precision for the input scheme (used both kb and analog controller).

        • DrCR
        • 4 years ago

        Cool, thanks. A few of those are new to me, and I’ll check them out.

        One additional one I did purchase relatively recently is Renowned Explorers: International Society. It may be something you’d be interested in checking out if you are not already familiar with it. It didn’t come to mind for me since at the moment, I’m having an issue getting it to run.

    • One Sick Puppy
    • 4 years ago

    Odd. The only thing I noticed different with Steam is the *lack* of compelling deals this christmas.

      • Meadows
      • 4 years ago

      I’ve actually seen several sales I was interested in but I decided to practise self-control. I won’t have time for all of them anyway.

      • DrCR
      • 4 years ago

      This, though I did buy and gift an old (and super cheap) game to a friend. I’ll have to check my email to see if I’m in this group of 34,000.

      • Voldenuit
      • 4 years ago

      The main problem is that daily deals are hidden and not highlighted.

      Picked up Rocksmith 2014 for $9.99 (down from $39.99) on a 24 hr sale this past week.

      Would never have known about it if I wasn’t specifically searching for Rocksmith at the time.

      • VincentHanna
      • 4 years ago

      I ended up buying more stuff this year than the last couple of christmastides. I was beginning to think that the only sale worth following was the summer sale, but this year had several 75% off deals.

    • ronch
    • 4 years ago

    They should’ve let the AMD Elves (http://tinypic.com/r/6pycnc/9) handle it. Good grief. I swear, AMD marketers are a dime a dozen.

      • Meadows
      • 4 years ago

      While completely tangential, that link is terrifying.

    • SkyWarrior
    • 4 years ago

    Where is my free game?

    • Meadows
    • 4 years ago

    Well hello, DrFish.

      • drfish
      • 4 years ago

      *now bringing you more than just giveaway write ups*

    • atari030
    • 4 years ago

    I experienced this firsthand on Christmas day while walking through the set up of a new account for my nephew. After creating his account and logging in, we were on the page for another user…completely different account name and details. Scratched our heads at that….then noticed the main Steam page was being displayed in Russian.

    A few quick web searches turned up warnings about the issue and the possibility Steam had been hacked (which we now know not to be the case), so we promptly signed off to ‘wait it out’.

    • chuckula
    • 4 years ago

    SSK! YOU GOT SOME ‘SPLAININ TO DO!

      • sweatshopking
      • 4 years ago

      YOU’LL NEVER CATCH ME!!!!!!!!

        • chuckula
        • 4 years ago

        https://www.youtube.com/watch?v=By9sHP1MWVk

          • sweatshopking
          • 4 years ago

          THANK YOU FOR SHARING THAT.

            • chuckula
            • 4 years ago

            THANK YOU FOR BEING A FRIEND!

            • sweatshopking
            • 4 years ago

            I LOVE YOU.

            • ermo
            • 4 years ago

            GET A ROOM!
