Data of 34,000 Steam users exposed due to buggy caching configuration

Valve company publicly confirmed that Steam deployed a buggy caching configuration to mitigate a DDoS attack which exposed Steam users personal information.

Still problems for the Steam gaming platform, details of 34,000 Steam users have been exposed during a DDoS attack. Last week, as a result of a configuration change, a security issue allowed some Steam users to randomly see pages generated for other users for a period of less than an hour.

Steam users who did not access their account details page or checkout page between 11:50 PST and 13:20 PST on December 25 are not affected.

The Valve company that owns the Steam platform confirmed the serious security issue caused by an internal error that the company has quickly fixed.

On Wednesday, Valve company provided an explanation of the incident and apologized for the problem caused.

In a statement detailing the incident, the company explained that it suffered DDoS attacks against the Steam Store and Steam.

“On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.” states the official statement published by Steam” The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.”

The company in response to the attack deployed caching rules designed to mitigate the threat and minimize the impact on the platform. The rules have been prepared by a Steam web caching partner and deployed to continue to route legitimate user traffic.

The company handles web caching for Steam deployed two different caching configurations, but, unfortunately, one of them incorrectly cached traffic for authenticated users.

Valve has highlighted that the cached requests did not include passwords and financial information that could expose users to fraudsters.

“Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users,” Valve said.

Pierluigi Paganini

(Security Affairs – Steam users, Personal data)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.