In an official blog post released on the Steam platform, Valve confirmed that Steam’s Christmas security mishap was caused by DDoS attacks. On the 25th of December, an unexplained server shutdown left a couple of people wondering about what happened, even if Valve stated then that their security flaw was caused by a personal data caching issue, not by a hacker attack.
The problem consisted of about 34.000 user personal information to be released to other random users. When someone would have gone to their Steam account page, instead of their own data, information from another person would have been displayed. Even though the data in question was not enough to complete a purchase or other similar activities, it still showed the last two digits of their credit card, their email address and their billing address as well.
A Distributed Denial of Service attack is a relatively common attack used by hackers or other malicious groups in order to affect the general function of a website. In laymen’s terms, it is as if a line is formed at a cash register by people who just want to ask about the time, without actually ordering anything. During Christmas day, Steam’s traffic was boosted by 2000%, in comparison to their usual Steam Sale numbers, effectively leading to a server shutdown.
After the servers were turned on, the Steam’s user data cache was distributed to different account users. Valve has attributed this mistake to a third-party company that handles their caching. Fortunately, the problem did not take too long to fix, Steam returning to normal behavior after just a couple of hours. Nonetheless, personal information was still distributed across the platform.
This information could be used in the future for phishing scams or other similar scamming methods. Currently, Valve is in the process of contacting each and every user that got affected by the data leak, with the plan of enforcing their caching configuration in the near future in order to stop similar attacks from happening.
DDoS attacks are a common sight during the holiday season. Valve is not the only target for these attacks, with PSN and Xbox Live suffering from them as well. Various hacker groups have already claimed responsibility for the attack towards Steam.
The main complaint aimed at Valve was not that the DDoS attack happened. The fact that once the data leak was found the first place, servers should have been completely shut down, is what the public is currently saying. Why Valve decided to postpone this for several hours, it is currently unclear. But it made apparent to the general public that even if Steam is gigantic, it is not completely protected from DDoS attacks in any way.
Although Valve confirmed that Steam’s Christmas security mishap was caused by DDoS attacks, this does not absolve the company from allowing the data leak to happen in the first place. This even places DDoS and hacker group attacks into the spotlight once again. The main reason why these groups target Steam, PSN and Xbox Live, is to show the public that their confidential information is extremely unsafe in these companies’ hands.