Sensitive user info spill was caused by flawed caching configuration used during DoS attack.
I can't understand the mentality behind DDoS attacks. The people, and I use that term loosely, often claim it's to highlight vulnerabilities, but I'm not sure what the claimed vulnerability is. If it's that they're vulnerable to DDoS, what exactly do they expect companies to do about that?
So did this stop people playing their games over Christmas?
I think it only affected the store side of Steam, which has been buggy as hell all through the sale anyway.
ik9000 (31-12-2015)
I think it's good that they are going to individually address each victim, but taking so long to communicate with the community (it's the lack of communication which caused the ****storm on Reddit and Twitter more than the **** up) really damaged Valve's reputation.
If any of this is incoherent or rambles on, I apologise, very tired here.
More excuses, and still no apologies.
If you want to know to what extent the breach of privacy was, attempt to purchase something from Steam, and proceed to the checkout page. The information on my account includes the last 2 numbers of my Visa, the last 4 of which are viewable on a different page, my full name, full address, home phone number and even my Steam account name.
I know for sure you could see up to this amount of personal information as I was attempting to purchase a game during the error and managed to get that far. Clicking on purchase did nothing, but the information was still visible.
Valve also appears to be blaming one of their caching partners, but change controls in these environments are usually frozen over Christmas, so no changes would have taken place unless it was performed by Valve remotely or the third party was requested to do so by Valve as a matter of urgency. Changes need to go through certain boards to determine the possible risks and to provide instructions in the event of such a change failing, which is usually to reverse all changes which is why changes over Christmas are not common.
Valve just seems to be repeating 'DDOS' in the hopes that they can shift blame to "hackers" rather than themselves, but all the DDOS did was to increase traffic, making Valve's systems use more caching servers to balance the load - the underlying issue had to have already been there and was overlooked, so their security practices are certainly in question now.
Apparently they deployed configurations as a response to the DoS attacks, but they still made the error themselves. I'm not sure exactly what TB said, but he is technically correct in saying that this was not caused by a DoS attack, as this was in response to the attacks by the sound of it.
"During the Christmas attack, traffic to the Steam store increased 2000% over the average traffic during the Steam Sale.
In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users."
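Added example, not part of the thread or of Valve's statement: a toy shared cache showing the class of error the quoted statement describes (responses for authenticated users stored and replayed to other users) next to a hardened rule set. It is not Valve's or their partner's actual configuration; the paths, cookie values and the `EdgeCache` class are constructed for illustration.

```python
# Toy model of a shared edge cache in front of an origin server.
# Everything here (paths, cookies, class names) is constructed sample data.

def origin(path, headers):
    """Toy origin: /checkout is personalised by the session cookie."""
    session = headers.get("Cookie", "")
    if path == "/checkout" and session:
        return {"Cache-Control": "private, no-store"}, f"billing details for {session}"
    return {"Cache-Control": "public, max-age=60"}, f"public page {path}"


class EdgeCache:
    def __init__(self, hardened):
        self.hardened = hardened
        self.store = {}  # keyed on path only, as a simple edge rule would be

    @staticmethod
    def _authenticated(headers):
        return "Cookie" in headers or "Authorization" in headers

    def _may_store(self, req_headers, resp_headers):
        if not self.hardened:
            return True  # flawed rule: cache every response to shed origin load
        cc = resp_headers.get("Cache-Control", "").lower()
        directives = {d.strip().split("=")[0] for d in cc.split(",")}
        if directives & {"private", "no-store"} or "Set-Cookie" in resp_headers:
            return False  # honour the origin's "do not share" signals
        return not self._authenticated(req_headers)

    def get(self, path, headers):
        bypass = self.hardened and self._authenticated(headers)
        if path in self.store and not bypass:
            return self.store[path]  # served from shared cache
        resp_headers, body = origin(path, headers)
        if self._may_store(headers, resp_headers):
            self.store[path] = body
        return body


def demo(hardened):
    """Alice loads checkout, then Bob does; return what Bob is shown."""
    cache = EdgeCache(hardened)
    cache.get("/checkout", {"Cookie": "session=alice"})
    return cache.get("/checkout", {"Cookie": "session=bob"})
```

With the flawed rule Bob is served Alice's cached page; with the hardened rule authenticated requests bypass the shared cache while anonymous public pages are still cached.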
It's about time that the authorities came down extremely hard on data breaches. It's not just Valve, there have been many high profile data breaches over the past couple of years and these companies either get off scot free or get a small fine. They need to be hit and hit hard with big fines so that they get it into their heads that this is unacceptable and cannot go on. These companies have so much information about us and it's about time they locked everything down tight so that no matter what goes wrong, whether it's a hack attack, software/hardware fault or even human error, nobody's information is revealed, accessed or downloaded by anybody. If it costs them money then tough, that's the way they have decided to do business, so they need to protect our information and if they don't then they need to be hit in the pocket where it hurts.