Steam Security Issue (Winter Sale 2015)

Steam users around the world logged into the Steam client and websites today to be greeted by a storefront in the wrong language and by other users' account details, in what appears to be a major security breach.

UPDATE 30th Dec 2015 (GMT): Valve have released an update on the issues that occurred on Christmas Day. The full article can be found here: http://store.steampowered.com/news/19852/

In short (TL;DR): Valve confirmed the issue was caused by a caching configuration change.

They have confirmed that the information displayed was read-only, and that you were affected only if you were logged into the store and accessing it at the time of the issue.

UPDATE 2:00AM GMT (26th Dec): Valve have released a statement regarding the issue:

Steam is back up and running without any known issues. As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.

This statement confirms SteamDB's suspicion that the issue lay in the content delivery system's configuration rather than in a breach of security.

UPDATE 11:15PM GMT: Steam looks to be back up and everything appears correct. No statement has been released by Valve at this stage as to the official cause of the issue.

UPDATE 10:06PM GMT: Steam look to have also taken down the Steam client connections: the connection manager servers were detected as offline around 10 minutes ago by https://steamstat.us

UPDATE 9:40PM GMT: Steam have shut down the Steam Store, presumably in response to this issue. According to the Steam status page this happened around 20 minutes ago.

Original Story: Today Steam have run into a major issue affecting the privacy of potentially thousands of Steam accounts around the world.

Users logged into Steam around an hour ago (8:30PM GMT on 25 December 2015) were shown other users' account details when trying to browse the store. This revealed private account information such as billing details, purchase history, wallet balance and security settings.

Steam Guard (Steam's two-factor authentication utility) does not appear to have protected accounts in this instance, as the Steam servers appear to have got confused about which connection should see which information.
This could have been due to a caching issue on the Steam CDN (Content Distribution Network), as speculated by @SteamDB.
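The failure mode the SteamDB speculation and Valve's later statement describe, a shared cache handing one user's generated page to the next visitor, can be reproduced in a small model. The following Python is an added example written for this page, not Valve's or Steam's code: the origin server, the session table, the cookie values and both cache classes are constructed for illustration. It compares a cache that keys responses on the URL alone and ignores `Cache-Control` with one that refuses to store `private` / `no-store` responses and includes the headers named in `Vary` in its cache key.

```python
"""Toy model of a shared (CDN) cache in front of per-user pages.

Added example, not Valve's or Steam's code. The origin, session table and
cookie values below are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed session table: cookie value -> account holder.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def origin(path: str, cookie: Optional[str]) -> Response:
    """Fake origin. /account is per-user and marked as not storable by a
    shared cache; the store front page is public and cacheable."""
    if path == "/account":
        user = SESSIONS.get(cookie, "anonymous")
        return Response(
            f"Account page for {user}",
            {"Cache-Control": "private, no-store", "Vary": "Cookie"},
        )
    return Response("Store front page", {"Cache-Control": "public, max-age=60"})


class NaiveCache:
    """Misconfigured cache: keys on the path only and stores everything.
    Once alice's account page is cached, every later visitor to /account
    receives alice's page."""

    def __init__(self) -> None:
        self.store: dict[str, Response] = {}
        self.origin_hits = 0

    def get(self, path: str, cookie: Optional[str]) -> Response:
        if path not in self.store:
            self.origin_hits += 1
            self.store[path] = origin(path, cookie)
        return self.store[path]


def cache_control_directives(resp: Response) -> set[str]:
    """Parse Cache-Control into a set of directive names (values dropped)."""
    raw = resp.headers.get("Cache-Control", "")
    return {d.strip().split("=")[0].lower() for d in raw.split(",") if d.strip()}


class HardenedCache:
    """Shared-cache semantics: never store 'private' or 'no-store' responses,
    never store 'Vary: *', and build the key from the path plus the request
    headers named in Vary."""

    def __init__(self) -> None:
        self.store: dict[tuple, Response] = {}
        self.origin_hits = 0

    def get(self, path: str, cookie: Optional[str]) -> Response:
        request_headers = {"cookie": cookie or ""}
        # Serve from cache only if the path and every Vary header match.
        for key, resp in self.store.items():
            if key[0] == path and all(request_headers.get(h, "") == v for h, v in key[1:]):
                return resp
        self.origin_hits += 1
        resp = origin(path, cookie)
        if cache_control_directives(resp) & {"private", "no-store"}:
            return resp  # per-user content never enters the shared cache
        vary = [h.strip().lower() for h in resp.headers.get("Vary", "").split(",") if h.strip()]
        if "*" in vary:
            return resp
        key = (path, *((h, request_headers.get(h, "")) for h in vary))
        self.store[key] = resp
        return resp


def simulate(cache) -> list[str]:
    """Alice loads her account page, then Bob loads his. Returns what each saw."""
    return [
        cache.get("/account", "sess-alice").body,
        cache.get("/account", "sess-bob").body,
    ]


if __name__ == "__main__":
    print("naive:   ", simulate(NaiveCache()))
    print("hardened:", simulate(HardenedCache()))
```

Run stand-alone, the naive cache serves Bob "Account page for alice" while the hardened cache serves each user their own page and still caches the public store front once. The practical check this suggests for any site behind a CDN is that every response containing account data carries `Cache-Control: private` or `no-store`, and that a configuration change at the cache layer cannot silently drop or override those headers.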

A few users have reported that purchases completed on the store have not been redeemed to their accounts and have presumably ended up in the account they were logged into at the time. This has not been confirmed by Valve at this stage.

As recommended by the SteamDB team, do not log into your account until further notice, even to check your account details or remove links to PayPal accounts. If you feel the need to make sure your account is secure, delink your PayPal account from Steam using the PayPal site; instructions can be found here: http://www.wikihow.com/Cancel-a-Recurring-Payment-in-PayPal. You can also contact your bank to cancel any credit / debit cards or put a temporary hold on the card.

If you have any information regarding this matter and wish to contact me, flick me a message here, email me at [email protected] or ping me on Twitter @Arweth