Valve has issued a statement explaining the reasons behind "Steam's troubled Christmas". According to the official explanation, Steam served cached pages to users in response to a DoS attack, but one of its caching partners made an error and served cached copies of pages to 'other' users. The incident was widely reported as 'odd' or 'weird' rather than as a serious breach, because the cached information revealed was partly obfuscated: for example, only the last four digits of your Steam Guard phone number, or the last two of your credit card number, were shown. A random other user seeing your recently cached Steam page couldn't log in as you.

The DoS attack on Steam started early on Christmas morning (PST), increasing traffic to the site 20-fold. Valve is used to this kind of attack, so its web hosting partner deployed caching both to minimize the impact on Steam Store servers and to continue routing legitimate user traffic. However, in a second wave of the DoS attack, "a second caching configuration was deployed that incorrectly cached web traffic for authenticated users". This is what caused the 'weirdness'.

"This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user."





As soon as these errors were noticed, Valve shut down the Steam Store until all the caching configurations had been reviewed to find the cause of the problem. The caches were then purged before Steam reopened its virtual doors to the correct, legitimate users.

Valve stresses that the information revealed "did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user." It was noted that only those who had browsed a Steam Store page containing their personal information (such as an account page or a checkout page) during the affected time frame were involved in the weirdness. The explanatory news post is rounded off with an apology for the exposure of any personal information and for the interruption of the Steam service during Christmas.