Steam hack: A silent Christmas gaming disaster

4 Jan 2016

During the festive period, many gamers are wary of some form of DDoS attack ruining their holiday fun. In the Christmas just past, it was Steam users who felt the burn.

Christmas Day 2014 saw Lizard Squad wreck the heads of Xbox and PlayStation users, by throwing wave after wave of requests to the backend on which gamers rely.

Starting in early December of 2014, the group of youngsters took down the two primary online console gaming services, disappearing into the cloud before returning on the holiest of gaming holidays.

January 2015 and it’s all solved, arrests made and gamers everywhere breathing a huge sigh of relief: ‘This won’t happen again, now that we know, surely’, they must have thought. Well…

On Christmas Day 2015, gamers awake to find a nightmare brought upon them, only this time, it’s Steam. And it’s silent. Oh so silent.

For 25 December saw a compromised, and subsequently pulled-down, Steam service confusing thousands of users. Worse still, nobody knew why for five days.

From Russia, with love

Some gamers who tried logging into their Steam accounts via the desktop app were greeted with a mess of a scene, all in Russian. Random user profiles appeared, despite some people reportedly even using the Steam Guard authenticator.

Then it went down, and Valve, which owns the Steam service, went quiet.

What transpired was a five-day wait for the company to detail what was going on, why, and whether or not users should be worried about a massive leak of personal, and financial, information.

But, we’ve been told not to worry, for, despite Steam receiving traffic the equivalent of 2000pc above its Steam Sale highs, nothing too damaging occurred.

Random pages that appeared for users over the course of 90 minutes didn’t include full credit card numbers, user passwords or enough data to allow logging in, or completing a transaction, as another user.

However, in somewhat concerning news, “some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address”.

Understandable, to an extent

Now, first up, for a company to receive such traffic that it eclipses its notoriously busy Steam Sale averages 20 times over, it’s no surprise that the service was compromised.

However, Valve’s explanation of its defence mechanism is quite concerning. In a detailed blog post, it says:

“In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimise the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users.

“This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect store responses varied from users seeing the front page of the store displayed in the wrong language, to seeing the account page of another user.”

This error was spotted, the entire store shut down and “a new caching configuration was deployed”. But by then it was a bit late: by caching responses for authenticated users, the earlier configuration had already stored personalised pages in a shared cache and served them to other users.
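A constructed model of the failure Valve describes, added here as an illustration and not taken from Valve or its caching partner, whose actual rules are not public. It shows a shared cache keyed on URL alone serving one user's account page to the next, beside a rule that bypasses the cache for session traffic and honours `Cache-Control: private`. The `session` cookie name, the paths and all function names are assumptions.

```python
# Constructed model of a shared edge cache; not Valve's or its partner's configuration.
from dataclasses import dataclass, field

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

def origin(path, cookies):
    """Hypothetical store origin: /account renders per-user data from the session."""
    user = cookies.get("session")
    if path == "/account":
        if user is None:
            return Response("please log in", {"Cache-Control": "no-store"})
        return Response(f"account page for {user}", {"Cache-Control": "private"})
    return Response("store front page", {"Cache-Control": "public, max-age=60"})

def cacheable(req_cookies, resp):
    """Hardened rule: never store personalised traffic in a shared cache."""
    cc = resp.headers.get("Cache-Control", "").lower()
    if "session" in req_cookies or "Set-Cookie" in resp.headers:
        return False
    return not any(d in cc for d in ("private", "no-store"))

class EdgeCache:
    def __init__(self, hardened):
        self.hardened = hardened
        self.store = {}  # shared by every client behind this edge

    def fetch(self, path, cookies):
        if self.hardened and "session" in cookies:
            return origin(path, cookies).body   # bypass: no lookup, no store
        if path in self.store:                  # cache key is the URL only
            return self.store[path]
        resp = origin(path, cookies)
        if not self.hardened or cacheable(cookies, resp):
            self.store[path] = resp.body        # weak rule stores everything
        return resp.body

def demo(hardened):
    edge = EdgeCache(hardened)
    first = edge.fetch("/account", {"session": "alice"})
    second = edge.fetch("/account", {"session": "bob"})
    return first, second

if __name__ == "__main__":
    print("cache-everything rule:", demo(hardened=False))
    print("hardened rule:        ", demo(hardened=True))
```

Under the cache-everything rule the second caller receives the first caller's page; under the hardened rule anonymous store pages are still absorbed by the cache while logged-in requests always reach the origin.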

The company maintains that users’ financial information is safe and sound as “no unauthorised actions were allowed on accounts beyond the viewing of cached page information” – therefore, no additional action is required by users.

“We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward. We apologise to everyone whose personal information was exposed by this error, and for interruption of Steam Store service.”


Gordon Hunt was a journalist with Silicon Republic