Valve Releases Statement Regarding Information Leak

Valve put out a statement today about the recent leak of user information via cached pages being presented to anyone who visited the Steam website on the 25th. Notably, if you didn’t visit the website during the attack, your information should be safe:

On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.

The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.

If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user.

Valve goes on to note that this issue did occur due to web caching rules implemented during a Distributed Denial of Service (DDoS) attack.

Those types of attacks are extremely common, and extremely disruptive when they occur.

Unfortunately I am very familiar with DDoS attacks, as the ioquake3 master server I operate for every game using the engine has been under daily assault for the past few months. Fortunately we don’t store sensitive user information within that project, though we have far fewer resources to deal with it I can’t get on board with Valve’s apology.

It makes sense that mistakes are going to happen in responding to a DDoS, but it is extremely out of the ordinary for those mistakes to include leaking personal data. Valve says that they will contact those whose information was leaked, but the help offered by companies like Valve in response to past leaks has been to offer users time-limited subscription accounts at predatory companies that provide almost no legitimate identity protection services.

We will see what Valve actually does in response for those who were affected, but this is not an acceptable kind of thing to have happen at what should be a fairly mature institution that has been in operation as an online storefront for over a decade.