Massive bug at Steam store on Christmas day exposes users’ private data

'Folks who were logged in started to see account details belonging to other users.'

 

Dell Cameron

Posted on Dec 25, 2015   Updated on May 27, 2021, 11:00 am CDT

Steam, the popular online gaming platform developed by Valve Corporation, was hit with a major bug on Christmas afternoon, apparently giving some players access to each other’s private account information. 

The bug, attributed to a caching issue, surfaced as users tried to access their accounts at Steam’s online store. The site began “behaving erratically” on Friday afternoon, according to HD Moore, chief research officer at Rapid7, a Boston-based security firm. “The language would constantly change between English, Russian, Spanish, and others.”

“Folks who were logged in started to see account details belonging to other users,” said Moore, who was logged into Steam on a Windows client. “I noticed that my logged-in account in the client did not match the account information in the Web view.” 

Many other Steam users who ran into the same problem began spreading the word online, urging players to remove their credit card and PayPal information from their accounts. Other users responded that logging into the site was more likely to put them at risk.

Moore confirmed that he was shown the account details of at least three other players, even as it appeared Valve was attempting to mitigate the issue. Purchasing was disabled at Steam’s online store at around 4pm ET. The bug persisted, however, and more than an hour later many players reported that they were still accessing other players’ wallets, in addition to contact details, product keys, and purchase histories.

According to Steam Database, a site which is not owned by Valve, the source of Steam’s problem was a caching issue.

An email from Moore included several screenshots which showed the problem. “Note how the account in the title of the window does not match the account name inside of the client’s web view,” he wrote. (Usernames have been partially obscured to protect the users’ privacy.)

[Screenshots: HD Moore]

Update 1:17pm CT, Dec. 26: Steam is running “without any known issues,” according to a statement from Valve. 

“As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour,” the company said. “This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.”

Illustration via Valve

*First Published: Dec 25, 2015, 7:33 pm CST