December 31st, 2015, 07:08 AM
Valve apologizes for Christmas breach, citing denial-of-service attack
This Christmas, Steam users got an unexpected surprise. Now, Valve is giving new details on how that data leak happened and exactly how much information was revealed. According to an announcement today, the problem stemmed from a denial-of-service attack executed on Christmas morning, increasing traffic to 21 times normal volume. One of Valve's web partners responded by deploying new caching rules, intended to separate the attacker traffic from legitimate user traffic. Unfortunately, those rules ended up jumbling up users, serving up account pages that had been generated for another user. "We apologize to everyone whose personal information was exposed by this error," the announcement reads, "and for interruption of Steam Store service."
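The failure the announcement describes, a shared cache serving one user's personalised page to another, is easy to reproduce in miniature. The following is an added example, not code from Valve or its web partner: a toy edge cache in front of a constructed origin, with two rules an operator can toggle. Caching aggressively by URL alone (ignoring `Cache-Control: private`) leaks Alice's account page to Bob; honouring `private`, or keying the cache on the session cookie as `Vary: Cookie` instructs, prevents it. The session ids, user names and header values are invented for the example.

```python
"""Added example (not Valve's or any CDN's code): how a cache rule that
keys personalised responses on URL alone leaks one user's page to
another, and how honouring Cache-Control: private (or Vary: Cookie)
stops it. All sessions, names and headers below are constructed."""

from dataclasses import dataclass, field

# Constructed session table standing in for the application's login state.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def origin(path, cookie):
    """Render a response the way an application server would.

    The account page is personalised and marked private; the store front
    is the same for everyone and safe to share from a cache."""
    user = SESSIONS.get(cookie)
    if path == "/account" and user:
        return (f"Account page for {user}",
                {"Cache-Control": "private, max-age=60", "Vary": "Cookie"})
    if path == "/store":
        return "Public store front", {"Cache-Control": "public, max-age=60"}
    return "not found", {"Cache-Control": "no-store"}


@dataclass
class SharedCache:
    """A simplified shared (edge) cache.

    respect_private: refuse to store responses marked Cache-Control: private.
    vary_on_cookie:  include the request cookie in the cache key, as the
                     origin's Vary: Cookie header asks for."""
    respect_private: bool
    vary_on_cookie: bool
    store: dict = field(default_factory=dict)
    origin_hits: int = 0  # how many requests reached the origin

    def get(self, path, cookie):
        key = (path, cookie) if self.vary_on_cookie else (path,)
        if key in self.store:
            return self.store[key]  # served from cache, whoever asked
        body, headers = origin(path, cookie)
        self.origin_hits += 1
        cc = headers.get("Cache-Control", "")
        cacheable = "no-store" not in cc
        if self.respect_private and "private" in cc:
            cacheable = False  # never share a per-user response
        if cacheable:
            self.store[key] = body
        return body


def demonstrate(respect_private, vary_on_cookie):
    """Replay two users hitting the store and their account pages and
    report what each saw plus how much load reached the origin."""
    cache = SharedCache(respect_private, vary_on_cookie)
    cache.get("/store", "sess-alice")
    cache.get("/store", "sess-bob")
    alice = cache.get("/account", "sess-alice")
    bob = cache.get("/account", "sess-bob")
    return {"alice": alice, "bob": bob, "origin_hits": cache.origin_hits}


if __name__ == "__main__":
    # Emergency rule: cache everything by URL -> Bob receives Alice's page.
    print("aggressive :", demonstrate(respect_private=False, vary_on_cookie=False))
    # Fix 1: honour Cache-Control: private -> account pages bypass the cache.
    print("private ok :", demonstrate(respect_private=True, vary_on_cookie=False))
    # Fix 2: key on the cookie -> correct pages, but far fewer cache hits.
    print("vary cookie:", demonstrate(respect_private=False, vary_on_cookie=True))
```

The `origin_hits` count shows the trade-off an operator faces under a traffic spike: the leaking rule absorbs the most load, keying on the cookie absorbs the least, and honouring `private` keeps the public pages cached while leaving only the personalised ones to reach the origin. Checking that a shared cache never stores responses carrying `private` or a `Set-Cookie` header is the test a defender would run against any emergency caching rule before it goes live.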
Valve estimates that roughly 34,000 users saw data exposed by the breach, which was active between 11:20 AM and 2:20 PM PST. Crucially, Valve claims the data was limited to billing addresses, purchase histories, and email addresses, along with the final four digits of phone numbers and the final two digits of credit cards. It wasn't possible to complete transactions through the miscached pages, and full credit card numbers and passwords were never revealed. The subject of that data was effectively random, making it difficult to use the breach for swatting or identity theft.
Valve's case is just the latest in a long line of denial-of-service attacks targeting gaming companies. Last Christmas, a group calling itself Lizard Squad used a similar tactic to take down the Xbox and PlayStation networks on Christmas Day. Although no demands have been publicized, similar attacks are often accompanied by ransom or extortion requests. For the gaming industry, Christmas is a particularly damaging time to be attacked, given the expected surge in the number of players online.