Steam at Christmas: What Happened, and Why?

Merry Christmas…I guess?

Ah, Christmas! The most wonderful time of the year, and for many of us that means one thing: the Steam Sale. The last Christmas Steam Sale (2015) was a unique one, to say the least, as the bastion of PC gaming appeared to have been compromised. The incident got a significant amount of attention because users who were logged into Steam at the time could see other users' personal information instead of their own. To say that this was a significant problem would be an understatement: personal information being served to the wrong people could have been catastrophic for the users concerned.

Indeed, we here at The Noobist debated the significance of this outage, as the PC gamers amongst us were up in arms about the affair. (You can click here to listen to more of our thoughts!) My tone in the podcast could be considered to be on the side of apathy; after all, it wasn't a serious breach, and you couldn't do anything with the information that came back from the failing cache to begin with (well, not that we know of). It was, at least in my mind, comparatively tame next to what console gamers have endured since 2011: the PlayStation Network was taken down for over three weeks in 2011, and in more recent memory both PlayStation Network and Xbox Live were taken down on Christmas Day 2014. So why all the fuss? Is it the realization from the PC Master Class that they are not as impervious to hacking and breakages as the rest of the gaming community?


(Pic from Greenhorn forums)

What really happened?

Before I incur the wrath of every PC gamer out there, as well as my colleagues, we should start with what actually happened during the incident. Where better to get that information than from Valve itself!

– Valve
30 Dec, 2015

We’d like to follow up with more information regarding Steam’s troubled Christmas.

What happened

On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.

The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.

If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user.

Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users.

How it happened

Early Christmas morning (Pacific Standard Time), the Steam Store was the target of a DoS attack which prevented the serving of store pages to users. Attacks against the Steam Store, and Steam in general, are a regular occurrence that Valve handles both directly and with the help of partner companies, and typically do not impact Steam users. During the Christmas attack, traffic to the Steam store increased 2000% over the average traffic during the Steam Sale.

In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.

Once this error was identified, the Steam Store was shut down and a new caching configuration was deployed. The Steam Store remained down until we had reviewed all caching configurations, and we received confirmation that the latest configurations had been deployed to all partner servers and that all cached data on edge servers had been purged.

We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward. We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service.

The tl;dr version of this is: a denial-of-service attack hit the Store, an emergency caching rule deployed in response mistakenly cached pages that had been generated for logged-in users, and those pages were then served to other users. Once the error was identified the Store was shut down and the edge caches purged, so there wasn't any lasting or significant damage.
This is good news for all parties concerned; collateral damage of about 34,000 accounts isn't a hugely significant amount, and it could have been a lot worse considering that Steam has 125 million users.

How did it happen (in English please)?

To understand what went wrong with the cache, and why, you first need to understand how websites and the servers behind them work together. The short version: a cache in front of the Store keeps copies of pages so that the Store's own servers don't have to rebuild them for every visitor, which is fine for the public front page but disastrous when the copy it keeps is an account page built for one logged-in user and the rule for reusing it looks only at the address, not at who is asking. The best way of explaining this properly is for me not to do the explaining! So I shall link to the very wonderful Tom Scott, who covers exactly this in "Seeing Other People's Steam Accounts: The Christmas Caching Catastrophe". Tom has a wonderful way of turning things that seem complex and intimidating into manageable concepts, which is a true gift. So fear not, anyone who isn't a server admin: watching the video will only enhance what you already know.
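For readers who would rather see the mechanism than hear it described, here is an added example in Python that I have written for this post. It is a toy model, not Valve's code and not its caching partner's configuration, and the users, session cookies and page contents in it are constructed sample data. It puts two cache rules side by side: an "emergency" rule that stores every successful response keyed on the URL alone (the shape of the misconfiguration Valve describes), and a rule that honours the origin's Cache-Control and Vary headers. The same replay produces both symptoms Valve listed: the front page in the wrong language, and one user's account page shown to another.

```python
"""Toy edge cache reproducing the failure mode in Valve's statement.

Added example for this post; it is not Valve's or its caching partner's
code, and the users, session cookies and page contents are constructed
sample data. It contrasts an emergency caching rule that stores every
successful response keyed on the URL alone with a rule that honours the
origin's Cache-Control and Vary headers.
"""
from dataclasses import dataclass, field

# Constructed sample data: session cookie -> details the account page renders.
USERS = {
    "sess_alice": {"name": "alice", "email": "alice@example.com", "card_last2": "42"},
    "sess_bob":   {"name": "bob",   "email": "bob@example.com",   "card_last2": "17"},
}


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def origin(path: str, req: dict) -> Response:
    """Origin server. Request header names in `req` are lower-case."""
    if path == "/":
        lang = req.get("accept-language", "en")
        # Public page: safe to share, but it depends on the visitor's language.
        return Response(200, {"Cache-Control": "public, max-age=60", "Vary": "Accept-Language"},
                        f"Steam Store front page [{lang}]")
    if path == "/account":
        user = USERS.get(req.get("cookie", ""))
        if user is None:
            return Response(401, {"Cache-Control": "no-store"}, "Please log in")
        body = f"Account: {user['name']} {user['email']} card ending {user['card_last2']}"
        # The origin marks the page as one user's only and as depending on the cookie.
        return Response(200, {"Cache-Control": "private, no-store", "Vary": "Cookie"}, body)
    return Response(404, {"Cache-Control": "no-store"}, "not found")


@dataclass
class EdgeCache:
    honor_origin_headers: bool                    # False reproduces the misconfiguration
    store: dict = field(default_factory=dict)     # path -> [(vary_values, Response)]
    hits: int = 0

    def _vary_names(self, resp: Response) -> list:
        if not self.honor_origin_headers:
            return []                             # misconfigured rule: URL is the whole key
        return [h.strip().lower() for h in resp.headers.get("Vary", "").split(",") if h.strip()]

    def _storable(self, resp: Response) -> bool:
        if not self.honor_origin_headers:
            return resp.status == 200             # misconfigured rule: keep anything that succeeded
        cc = resp.headers.get("Cache-Control", "")
        return resp.status == 200 and "private" not in cc and "no-store" not in cc

    def get(self, path: str, req: dict) -> Response:
        # A stored copy is reused only if every header it was varied on matches this request.
        for vary_values, resp in self.store.get(path, []):
            if all(req.get(h) == v for h, v in vary_values.items()):
                self.hits += 1
                return resp
        resp = origin(path, req)
        if self._storable(resp):
            vary_values = {h: req.get(h) for h in self._vary_names(resp)}
            self.store.setdefault(path, []).append((vary_values, resp))
        return resp

    def purge(self) -> None:
        """The last step in Valve's timeline: drop every entry held on the edge."""
        self.store.clear()


def replay(honor_origin_headers: bool) -> dict:
    """Alice loads her account page and the German front page; Bob then loads both."""
    cache = EdgeCache(honor_origin_headers)
    alice = {"cookie": "sess_alice", "accept-language": "de"}
    bob = {"cookie": "sess_bob", "accept-language": "en"}
    cache.get("/account", alice)
    cache.get("/", alice)
    result = {
        "bob_account": cache.get("/account", bob).body,
        "bob_front": cache.get("/", bob).body,
        "hits_before_purge": cache.hits,
    }
    cache.purge()
    result["bob_account_after_purge"] = cache.get("/account", bob).body
    return result


if __name__ == "__main__":
    for mode in (False, True):
        print("honour origin headers =", mode, replay(mode))
```

With `honor_origin_headers=False`, Bob is handed Alice's account page and the German front page, because the only thing the cache checked was the URL. With it set to `True`, the account page is never stored at all (the origin said `private, no-store`) and the front page is stored once per language. The caveat a practitioner would add is that the second rule only protects you if the origin actually sends those headers on every response to an authenticated request; a cache rule that overrides them, which is what an emergency rule deployed under attack is liable to do, puts you straight back in the first case, and the purge at the end is what finally stops the old copies being served.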

Why all the fuss?

All of my teasing about the fuss PC gamers are making over the caching issue aside, why is this such a big deal? Why should we keep talking about it? I think it's important that we do talk about it, and keep talking about it, for a very simple reason: our data is important, and companies need to keep that as a priority. It would be a fair assumption that Steam makes a decent profit from these sale events, mainly because they keep happening; if they weren't profitable, they wouldn't do them.

We are paying them for their services, and when things like this happen, it puts into question the safety and validity of that service, be it Valve, PlayStation, Xbox, whoever. These incidents of malicious attacks on servers, or just the ever-increasing awareness that there are no true bastions of safety on the internet, bring up many debates. Why do we buy into ecosystems that have flaws? Do we really "own" any of the products that we buy? Could there ever be a stage where the content we have bought becomes inaccessible due to an outage, and would that change how we see that ecosystem as a result?

There are no real answers to these particular questions, but it's all part of an unfortunate reality of our industry: nothing is ever truly secure. I believe we need to keep talking and challenging some of these perceptions we have about where we put our money. I'll admit I'm not one to talk; given there are only three real players in the console market and really only one major player in the PC market (sorry, Origin), where else are we to go? What else are we to do?
We're only going to be able to think about and engage with other options if there is true and meaningful dialogue about where we are in our present generation of games and our culture as a whole. Problems like this can only be overcome by sharing ideas and drafting solutions for what is a very closed, but very changing, market. The sooner we work out where the real problem steams from, the sooner we will be able to make progress!