Steam Gaming Store Targeted in a DDoS attack

Valve, the parent company behind popular PC gaming store Steam, has revealed that a DDoS attack was the cause of an embarrassing error that saw the details of 34,000 Steam users exposed to other users of the gaming platform.

Valve has revealed that a recent error which saw over 30,000 users’ information exposed to others was the result of a DDoS attack that disrupted the web caching protocols implemented by its caching partner. The measure is one routinely implemented by major websites to ensure the site stays available to users, who are served pre-cached versions of its pages.

Altogether, the cached information that authorized users (those logged-in) were able to view, albeit not modify, includes:

  • Steam Guard phone numbers
  • Purchase history in the Steam gaming store
  • Last two digits of the user’s credit card number
  • Email addresses
  • Billing address of the user as entered in tandem with the credit card

Steam has revealed that during its Christmas Steam sale, an annual event that normally sees increased traffic, traffic surged to 2000% of the expected traffic that routinely comes in at this time of the year.

Caching rules were originally deployed to minimize the impact of the DDoS attack. The caching rules are also meant to help distinguish legitimate user traffic from the rogue botnet of machines crippling the online servers with excessive traffic.

In a post, Valve explained how the attack transpired early on Christmas morning, a time of year which routinely sees plenty of disruption for gamers.

Early Christmas morning (Pacific Standard Time), the Steam Store was the target of a DoS attack which prevented the serving of store pages to users. Attacks against the Steam Store, and Steam in general, are a regular occurrence that Valve handles both directly and with the help of partner companies, and typically do not impact Steam users.

After the initial round of attacks, a second string of attacks followed, during which a second caching configuration was deployed. That configuration was programmed incorrectly and inadvertently revealed the cached content of users’ account details to other users.

Adding to the explanation, Valve revealed:

Once this error was identified, the Steam Store was shut down and a new caching configuration was deployed. The Steam Store remained down until we had reviewed all caching configurations, and we received confirmation that the latest configurations had been deployed to all partner servers and that all cached data on edge servers had been purged.
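The failure described above, as an added illustration that is not Valve's or its caching partner's configuration: a constructed edge cache keyed only by URL, run first with a rule that stores every response and then with one that bypasses the cache for logged-in requests and honours private responses. The paths, the `session` cookie name and the origin's behaviour are assumptions made for the example.

```python
# Constructed simulation; names, paths and the "session" cookie are assumptions.
from dataclasses import dataclass, field

@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

def origin(req):
    """Hypothetical origin server: /account is personalised per session."""
    user = req.cookies.get("session")
    if req.path == "/account" and user:
        return Response(f"account page for {user}",
                        {"Cache-Control": "private, no-store"})
    return Response(f"public page {req.path}",
                    {"Cache-Control": "public, max-age=60"})

class EdgeCache:
    """Shared cache keyed by URL path only, so one entry serves every visitor."""
    def __init__(self, hardened):
        self.hardened = hardened
        self.store = {}

    def _storable(self, resp):
        if not self.hardened:
            return True  # weak rule: cache everything, ignore origin headers
        cc = resp.headers.get("Cache-Control", "").lower()
        private = any(d in cc for d in ("private", "no-store", "no-cache"))
        return not private and "Set-Cookie" not in resp.headers

    def fetch(self, req):
        # Hardened rule: authenticated requests never read or write the cache.
        bypass = self.hardened and "session" in req.cookies
        if not bypass and req.path in self.store:
            return self.store[req.path]
        resp = origin(req)
        if not bypass and self._storable(resp):
            self.store[req.path] = resp.body
        return resp.body

def second_visitor_sees(hardened):
    """Alice loads her account page, then Bob requests the same URL."""
    edge = EdgeCache(hardened)
    edge.fetch(Request("/account", {"session": "alice"}))
    return edge.fetch(Request("/account", {"session": "bob"}))
```

With the weak rule the second visitor receives the first visitor's account page; with the hardened rule each logged-in request goes to the origin, while anonymous public pages are still served from the cache.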

Image credit: Valve