Valve Explains How It Accidentally Leaked 34,000 Steam Users’ Information

Well it was about time there was some Christmas-related hacking shenanigans. It seems the holiday season just can’t catch a break from hacking attempts, what with the infamous PSN hacks of the last few years. Now it seems that Valve’s Steam platform has been the most recent target of personal data leakage.

You may have caught wind of Valve losing track of some of the personal details, but the PC gaming giant has not issued a formal statement until now. Posting on the Steam news page, Valve explained exactly what happened and how.

A summary of the important stuff:

  • The damage was the billing address, last four digis of Steam Guard phone number, purchase history, the last two digits of their credit card numbers, user passwords.
  • The affected users are anyone who logged in to the Steam Store page between 11:50PST and 13:20PST on December 25th.
  • The number of users affected is 34,000, and those affected will be contacted as soon as Valve discovers who exactly has had their details stolen.

According to Valve, it happened because of a denial of service attack against the steam store, exacerbated by the high amount of Christmas traffic. In response to this attack, Steam’s web caching partner deployed caching rules to reduce the impact on the store. A configuration error led to incorrectly cahced web traffic, which caused some users to see other users’ store pages, including access to their account details.

In laymen’s terms, some users received the view of the Steam store page that other users should have received. Some enterprising users took advantage of this situation. Valve has made great attempts to improve account security in recent years, including its Steam Guard system and most recently the addition of phone numbers to accounts. Ironically, the last four digits of said phone number was amongst the details leaked.

As always with such leaks, it’s advisable to check your bank statements and change your passwords. If you think you might have been affected, you can contact Valve via their support page here.