dhobo Curator Backer Posts: 1908 Registered: 1/5/2015
# 1 - Posted on 12/25/2015 21:30:42

Might want to keep an eye on your accounts folks, some script kiddies got bored and had a little fun overwhelming valve's servers. As a consequence, people were logging in to their accounts to find other random people's account info loading instead.

Not sure how widespread the actual info leakage is, but be wary for the next little while just in case!

moho_00 Curator Backer Posts: 5936 Registered: 6/10/2011
# 2 - Posted on 12/26/2015 13:05:43

Yikes, maybe it's time for me to do the 2-factor authentication thing...

boffo97 Posts: 767 Registered: 1/25/2015
# 3 - Posted on 12/26/2015 18:07:37

The issue was fixed late afternoon yesterday, but 2 factor authentication isn't a bad idea. Especially if Steam has your credit card info.

EDIT: Now it seems there's another issue. Multiple reports of not being able to access inventory or other profile screens. (Including my report of such)

RE-EDIT: Never mind. That problem was solved quickly.

Post Edited on 12/26/2015 18:38:43
Marcus Curator Backer Posts: 311 Registered: 10/16/2014
# 4 - Posted on 12/28/2015 1:58:12

As far as Valve officially shared, the issue was due to caching errors rather than the result of a targeted attack. So, it was totally the fault of their own internal technology/external caching servers they used. Huge mistake if so.

No matter the cause, it was still an event that scared me a fair bit. I mean, sure, credit card numbers were not completely revealed (just last four digits) but user's real names, partial phone numbers, and addresses were still accessible. I for one would definitely agree that 2 factor authentication is a good idea.

Post Edited on 12/28/2015 2:05:35
Marcus Curator Backer Posts: 311 Registered: 10/16/2014
# 5 - Posted on 1/3/2016 17:48:27

I wanted to update on this as it turns out dhobo's description was finally revealed by Valve to have played a part in the whole mess!

Valve finally explained what happened, and it was that people were performing a DDOS targeted at Steam, and as such, their servers triggered their DDOS-mitigating cache settings. Unfortunately, someone at Valve improperly set these up so that it was providing cached account pages (aka: Steam account pages that were NOT the user's) to them. Had the settings been properly configured, a DDOS should have not done harm beyond potentially taking the store down/making it super slow for the day.