Video game giant Valve has apologised for the DDoS (distributed denial-of-service) attack on Steam Store between 11.50 am and 1.20 pm PST on 25 December, affecting 34,000 users whose personal information was exposed to other users.
Valve is working with its web caching partner to find out users whose data was served to others. It claims that there was no unauthorised action on any account except for viewing of the cached information.
The cached information includes users' billing addresses, the last four digits of their Steam Guard phone numbers, purchase history, the last two digits of their credit card numbers and email IDs. The cached pages do not include full credit card numbers, users' passwords or full details that could allow anyone to log in or perform transactions.
There is no official word on who was actually behind the cyberattack, although hacking group SkidNP had threatened to launch an attack on the Steam and Minecraft servers. Valve says early Christmas morning Steam Store was the target of a DDoS attack which prevented serving of store pages to users. During the attack, the traffic to Steam Store surged to 2000%, significantly more than the average traffic during Steam sales.
Explaining what it did to withstand the attack, Valve said caching rules were deployed to minimise the impact on the Steam Store server. Besides, legitimate users' traffic was routed.
The second caching configuration that was deployed during the second attack led to a configuration error that resulted in some users seeing the personal data generated for others. The error caused a wrong language in the front page of Steam Store. It was shut down and in response to that a new caching configuration was established.
Valve stated: "We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward. We apologise to everyone whose personal information was exposed by this error, and for interruption of Steam Store service."
More about DDoS attacks