We reported earlier that a weird glitch took over Steam on Christmas morning, as several users reported seeing other users’ account information instead of their own. The issue was sorted out in a few hours, and later Valve confirmed that it was due to a caching issue.
While the caching issue was the direct cause of the glitch, it stemmed from another problem altogether. It turns out that Steam was the target of a DoS (denial of service) attack, which prevented store pages from being served to users. The attack caused traffic to the store to soar by 2000% over average traffic.
In response to the attack, one of Steam’s web caching partners deployed a caching configuration to minimize the impact on the Steam Store servers and continue to route legitimate traffic. A second caching configuration was deployed during the second wave of the attack, and it incorrectly cached web traffic for authenticated users. This is what caused some users to see other users’ pages.
According to Valve, this would have allowed users to see another user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and their email address. That’s still a fair bit of information, especially since Valve initially said that no real information was seen by other users.
The issue has since been resolved, but it shows rather poor communication from the company, especially since it concerned user data.
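The failure described above, a shared cache storing pages generated for authenticated users and replaying them to other users, can be reproduced in a small model. The Python below is an added example, not Valve's or its caching partner's configuration; the origin, the `session` cookie name, the `/account` path and the `respect_auth` switch are all assumptions made for illustration.

```python
# Added illustration: constructed origin and cache, not Valve's or its partner's code.

def origin(request):
    """Constructed origin: /account is personalised by the session cookie."""
    user = request["cookies"].get("session")
    if request["path"] == "/account" and user:
        return {"cache_control": "private, no-store",
                "body": f"account page for {user}"}
    return {"cache_control": "public, max-age=60", "body": "store front page"}

def is_authenticated(request):
    return bool(request["cookies"].get("session"))

def storable(response):
    """True unless the origin marked the response private or no-store."""
    directives = {d.strip().split("=")[0].lower()
                  for d in response["cache_control"].split(",")}
    return not directives & {"private", "no-store"}

class SharedCache:
    """URL-keyed shared cache; respect_auth=False models the faulty config."""

    def __init__(self, respect_auth):
        self.respect_auth = respect_auth
        self.store = {}
        self.origin_hits = 0

    def fetch(self, request):
        key = request["path"]  # cookies are not part of the cache key
        bypass = self.respect_auth and is_authenticated(request)
        if not bypass and key in self.store:
            return self.store[key]["body"]
        self.origin_hits += 1
        response = origin(request)
        if not bypass and (not self.respect_auth or storable(response)):
            self.store[key] = response
        return response["body"]

def replay(respect_auth):
    """Two logged-in users request /account through the same cache."""
    cache = SharedCache(respect_auth)
    first = cache.fetch({"path": "/account", "cookies": {"session": "alice"}})
    second = cache.fetch({"path": "/account", "cookies": {"session": "bob"}})
    return first, second

if __name__ == "__main__":
    print("faulty  :", replay(respect_auth=False))
    print("hardened:", replay(respect_auth=True))
```

With `respect_auth=True` the cache still absorbs anonymous load, which is the property an emergency configuration deployed during a DoS needs to keep while leaving authenticated traffic uncached.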