Steam, the popular online gaming platform developed by Valve Corporation, was hit with a major bug on Christmas afternoon, apparently giving some players access to each other’s private account information.
The bug, attributed to a caching issue, surfaced as users tried to access their accounts at Steam’s online store. The site began “behaving erratically,” on Friday afternoon, according to HD Moore, chief research officer at Rapid7, a Boston-based security firm. “The language would constantly change between English, Russian, Spanish, and others.”
“Folks who were logged in started to see account details belonging to other users.”
“Folks who were logged in started to see account details belonging to other users,” said Moore, who was logged into Steam on a Windows client. “I noticed that my logged-in account in the client did not match the account information in the Web view.”
Many other Steam users who ran into the same problem began spreading the word online, urging players to remove their credit card and PayPal information from their accounts. Other users responded that logging into the site was more likely to put them at risk.
Valve is having caching issues allowing users to view things such as account information of other users. Don't use Store for now.— Steam Database (@SteamDB) December 25, 2015
Do NOT attempt to unlink PayPal, remove your credit card details or anything else. Doing so will put you at risk instead.— Steam Database (@SteamDB) December 25, 2015
Do *NOT* click on links that tell you they'll fix or secure your Steam account. Do *NOT* follow steps that include direct links to Steam.— Rami Ismail (@tha_rami) December 25, 2015
Moore confirmed that he was shown the account details of at least three other players, even as it appeared Valve was attempting to mitigate the issue. Purchasing was disabled at Steam’s online store at around 4pm ET. The bug persisted, however, and many players still reported more than an hour later that they were still accessing the wallets of players, in addition to contact details, product keys, and purchase histories.
According to Steam Database, a site which is not owned by Valve, the source of Steam’s problem was a caching issue.
An email from Moore included several screenshots which showed the problem. “Note how the account in the title of the window does not match the account name inside of the client’s web view,” he wrote. (Usernames have been partially obscured to protect the users’ privacy.)
Update 1:17pm CT, Dec. 26: Steam is running “without any known issues,” according to a statement from Valve.
“As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour,” the company said. “This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.”
Illustration via Valve