Valve is apologizing for a recent Steam data breach, and providing more information.
On Christmas Day, a configuration error caused Steam, one of the largest online gaming platforms, to expose private user information. From what was reported, it sounded like users who tried to log on on Christmas Day discovered that they were seeing the account information of other users. This means that users were able to access other people’s game libraries, and were able to see sensitive information including names, home addresses, email addresses, purchase history, PayPal account information, and even partial credit card numbers.
We’re now learning that the configuration error caused the store pages requested by around 34,000 users to be returned to, and viewable by, other users. It turns out that the information that was compromised varied from person to person.
The good news? If you did not visit the Steam Store page that day, you definitely were not compromised. Only people who went into the store pages could have been affected.
Valve has not been able to identify all of the affected users yet, but when they do they will be contacting them all individually. Luckily, nothing was changeable in the compromised accounts, only viewable, according to Valve.
Valve says that Steam was the target of a Denial of Service attack that caused the traffic at the store to increase by 2000% in a short time. The caching rules of the Steam web caching partner were deployed and were able to minimize the impact of the attack. However, a second attack was launched, and the caching rules incorrectly attempted to compensate due to the configuration error.
The Steam store was shut down as soon as the error was identified, and the error was corrected.
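To make the failure mode concrete, here is an added illustration (not Valve's or its caching partner's code) of how a shared web cache can hand one user's page to another. The actual rules were not published, so the rule, paths and session names below are constructed assumptions showing the general class of error and its correction.

```python
# Constructed illustration: a toy shared (edge) cache in front of an origin.
# Rule, paths and session names are hypothetical, not taken from the incident.

def origin(path, session):
    """Origin renders a page personalized to the logged-in session."""
    body = f"{path} for {session or 'anonymous'}"
    headers = {"Cache-Control": "private" if session else "public, max-age=60"}
    return headers, body

class EdgeCache:
    def __init__(self, cache_private):
        # True models an over-aggressive rule that caches every response,
        # including personalized ones, to shed load from the origin.
        self.cache_private = cache_private
        self.store = {}

    def get(self, path, session=None):
        # The cache key is the URL only, as is usual for a shared cache.
        if path in self.store and (self.cache_private or session is None):
            return self.store[path]
        headers, body = origin(path, session)
        # Corrected behaviour: only anonymous, non-private responses are stored.
        cacheable = session is None and "private" not in headers["Cache-Control"]
        if self.cache_private or cacheable:
            self.store[path] = body
        return body

def leaks(cache_private):
    """Return True if a second user is served the page rendered for the first."""
    edge = EdgeCache(cache_private)
    edge.get("/account", session="alice")
    return "alice" in edge.get("/account", session="bob")

if __name__ == "__main__":
    print("cache-everything rule leaks:", leaks(True))
    print("corrected rule leaks:", leaks(False))
```

The corrected cache still absorbs anonymous traffic, which is what matters under a traffic spike, while authenticated requests always go to the origin.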
Steam was recently in the headlines when they announced that they would be cracking down on theft in Steam Trading. Account hijacking can be incredibly lucrative, with some attackers pulling in thousands of dollars in cash by trading away other people’s goods. Steam Trading is used to trade in-game items, games and virtual cards. Steam did not want to take the items away from the innocent users that had purchased them from thieves, so they duplicated stolen items and gave them to the aggrieved parties. The problem is that this devalues the items, since there are now more of them to be had. Steam is still trying to work out the kinks in this system.