Valve has finally issued a statement on the problems that plagued Steam on Christmas Day. On December 25, the company says, "a configuration error resulted in some users seeing Steam store pages generated for other users."

The issues were caused by a denial-of-service attack that increased traffic to the Steam store by 2000% over the average during Steam sales. Valve enabled caching rules "managed by a Steam web caching partner" to decrease the impact of the attack and "route legitimate user traffic." In the second wave of the attack, "a second caching configuration was deployed that incorrectly cached web traffic for authenticated users."


As we reported earlier, that's why some users saw the Steam store in the wrong language, or were shown another user's private information. The time frame was small, Valve says: between 11:50 PST and 13:20 PST, the responses to store page requests from 34,000 users were shown to others. None of the exposed information included full credit card numbers, user passwords, or "enough data to allow logging in as or completing a transaction as another user."

If you did not access a Steam store page containing your personal information (like your account page or checkout page) during that time frame, your information could not have been shown to anyone else. If you did, however, your billing address, purchase history, or email address could have been exposed. The same goes for the last two digits of your credit card number or the last four digits of your Steam Guard phone number.

The company assures the community that it's working to identify users whose information has been compromised, and that it's improving the way it sets caching rules in the future.
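
A minimal model of the failure described in Valve's statement, added here as an illustration and not Valve's or its caching partner's actual configuration. It assumes the faulty rule behaved like a shared cache keyed only on the request path, and contrasts it with a rule that bypasses the cache for requests carrying a session cookie and refuses to store `private`/`no-store` responses; the `SharedCache` class, the `session` cookie name, the paths and the users are all constructed for the example.

```python
# Added illustration: a toy shared cache in front of a toy origin server.
# Every name here (SharedCache, "session" cookie, paths, users) is hypothetical.

def origin(path, cookies):
    """Constructed origin: personalises /account from the session cookie."""
    user = cookies.get("session")
    if path == "/account" and user:
        return {"headers": {"Cache-Control": "private, no-store"},
                "body": f"account page for {user}"}
    return {"headers": {"Cache-Control": "public, max-age=60"},
            "body": "store front page"}


class SharedCache:
    def __init__(self, respect_auth):
        self.respect_auth = respect_auth  # False models the faulty rule
        self.store = {}                   # keyed on path only (assumption)

    def _storable(self, response):
        if not self.respect_auth:
            return True  # weak rule: store every response
        headers = response["headers"]
        cc = headers.get("Cache-Control", "")
        directives = {d.strip().split("=")[0].lower() for d in cc.split(",")}
        if directives & {"private", "no-store"}:
            return False
        return "Set-Cookie" not in headers

    def fetch(self, path, cookies):
        # Hardened rule: authenticated requests never read or write the cache.
        bypass = self.respect_auth and "session" in cookies
        if not bypass and path in self.store:
            return self.store[path]
        response = origin(path, cookies)
        if not bypass and self._storable(response):
            self.store[path] = response["body"]
        return response["body"]


def leaks_between_sessions(cache, path="/account"):
    """Regression check: fetch as two constructed users, flag cross-user content."""
    cache.fetch(path, {"session": "alice"})
    second = cache.fetch(path, {"session": "bob"})
    return "alice" in second


if __name__ == "__main__":
    print("weak rule leaks:", leaks_between_sessions(SharedCache(False)))
    print("hardened rule leaks:", leaks_between_sessions(SharedCache(True)))
```

The two-session check in `leaks_between_sessions` is the kind of test that can be run against a staging cache before a new rule is deployed.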