Steam slip-up at Christmas, Xbox and PlayStation fine



The holiday period brings cheer and good times to many, but since last year keen gamers have been living in fear of Xbox Live and PSN outages.

Perhaps living in fear is an overstatement, but no one wanted to see a repeat of last year’s DDoS attack on both Microsoft’s and Sony’s online gaming services.

Attacks were threatened by a hacker group called “Phantom Squad”. They set their sights on Xbox Live and PSN as well as a few other online games.

Either Microsoft and Sony learned their lessons last year or Phantom Squad’s threats were hollow: apart from a few reports, most likely due to a large number of new signups, Xbox Live and PSN stayed up.

However, Steam, the largest games store and distributor for PC, slipped up and started leaking users’ private information to other users.


Not letting off Steam


Mark James, ESET IT Security Specialist, explains that users who logged into Steam could end up seeing someone else’s personal information.

“Steam are leaking people’s private details to random strangers, when viewing account details of your logged in Steam account you are presented with random information from strangers.

“These details include email addresses, usernames, full friends list, last 4 digits of phone number and last 2 digits of the credit card, you can also view random people’s full purchase history, what they purchased, how much they paid and when they bought it.

“Whilst all of this info is not enough to actually steal financial information it could give you enough info for future targeted phishing attempts to succeed.”

If you read this blog regularly this story should be slightly familiar: something very similar happened to M&S just a few weeks ago.


What happened?


Valve, the company which owns Steam, revealed in a blog post that the mix-up was caused by a caching error which occurred during a DDoS attack on their servers.

To mitigate the DDoS attack, Valve used caching rules to route the genuine traffic; however, an error in those rules resulted in the wrong cached information being shown to users.

Up to 34,000 Steam users who logged in during a three-hour period starting from 7.50pm GMT on Christmas Day were affected. If you didn’t log in during that time then you should be home free.
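A minimal model of this class of caching error, added here as an example that is not from Valve or from the original post. The cache, origin, paths and session names are constructed, and the weak rule (store every response keyed by path alone) is an assumption about how such a rule can go wrong, not Valve's actual configuration.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

def origin(path, session):
    """Hypothetical origin: /account is personalised, /store is not."""
    if path == "/account":
        return Response(f"account details for {session}",
                        {"Cache-Control": "private, no-store"})
    return Response("store front page", {"Cache-Control": "public, max-age=60"})

def cacheable(resp):
    """Hardened rule: share a response only if the origin marked it public."""
    headers = {k.lower(): v for k, v in resp.headers.items()}
    directives = {d.strip().split("=")[0].lower()
                  for d in headers.get("cache-control", "").split(",")}
    if directives & {"private", "no-store", "no-cache"}:
        return False
    if "set-cookie" in headers:  # a response that sets a session is per-user
        return False
    return "public" in directives

class EdgeCache:
    """Shared cache keyed by path only, as an emergency anti-DDoS rule might be."""
    def __init__(self, hardened):
        self.hardened = hardened
        self.store = {}

    def fetch(self, path, session):
        if path in self.store:  # cache hit: the origin is never asked
            return self.store[path].body
        resp = origin(path, session)
        if not self.hardened or cacheable(resp):
            self.store[path] = resp
        return resp.body

def second_visitor_sees(hardened):
    """Constructed scenario: alice loads her account page, then bob loads his."""
    cache = EdgeCache(hardened)
    cache.fetch("/account", "alice")
    return cache.fetch("/account", "bob")

if __name__ == "__main__":
    print("weak rule:    ", second_visitor_sees(hardened=False))
    print("hardened rule:", second_visitor_sees(hardened=True))
```

Under the weak rule the second visitor is served the first visitor's cached page; under the hardened rule only the public store page is ever stored.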

Valve confirms that the personal information revealed “did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user”.

Did you log into Steam during that time?
