Data of 34,000 Steam users exposed due to buggy caching configuration

Valve company publicly confirmed that Steam deployed a buggy caching configuration to mitigate a DDoS attack which exposed Steam users personal information.

Still problems for the Steam gaming platform, details of 34,000 Steam users have been exposed during a DDoS attack. Last week, as a result of a configuration change, a security issue allowed some Steam users to randomly see pages generated for other users for a period of less than an hour.

Steam users who did not access their account details page or checkout page between 11:50 PST and 13:20 PST on December 25 are not affected.

The Valve company that owns the Steam platform confirmed the serious security issue caused by an internal error that the company has quickly fixed.

On Wednesday, Valve company provided an explanation of the incident and apologized for the problem caused.

In a statement detailing the incident, the company explained that it suffered DDoS attacks against the Steam Store and Steam.

“On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.” states the official statement published by Steam” The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.”

The company in response to the attack deployed caching rules designed to mitigate the threat and minimize the impact on the platform. The rules have been prepared by a Steam web caching partner and deployed to continue to route legitimate user traffic.

The company handles web caching for Steam deployed two different caching configurations, but, unfortunately, one of them incorrectly cached traffic for authenticated users.

Valve has highlighted that the cached requests did not include passwords and financial information that could expose users to fraudsters.

“Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users,” Valve said.

Pierluigi Paganini

(Security Affairs – Steam users, Personal data)