Cache-astrophic: Why Valve's Steam store spewed players' private profiles to strangers

PC gaming biz Valve has explained why its Steam software store blurted people's personal details to strangers on Christmas Day. As reported in these pages, some gamers logging into the website on December 25 were in fact greeted by profile pages belonging to others. Those pages included home addresses, email addresses, details …

  1. Leeroy Bronze badge

    Good idea.

    At least they had something in place to mitigate the attack that they knew would eventually happen given the past attacks on xbox live etc.

    Shame it backfired but as a learning experience I'm guessing others will be using the same cache style system to keep gamers playing so they can ignore the in laws, parents, kids etc

    Off topic but got a nice xbox for Christmas from the Mrs. Took an hour to install assassins creed and start playing. Something not right there when you could stick a CD in a PS1 and be playing in less than a minute :/

    1. SecretSonOfHG

      Re: Good idea.

      <<Something not right there when you could stick a CD in a PS1 and be playing in less than a minute>>

      You are right, console gaming is slowly converging to an experience where you no longer have any physical media, and even if you have a disc it is only a gateway for downloading the latest patches and updates. Which basically means it is no longer "plug and play" but instead "plug, wait and eventually, play"

      You may be comforted by knowing that in spite of how horrible it is becoming on consoles, the experience in PC gaming is deteriorating at the same relative pace. Consoles still have an edge over PCs in that at least you can expect the thing to work without you having to fiddle with anything versus the PC ordeal of OS, drivers, browser and their updates PLUS the same game updates as with the console title, if not even more.

      1. 45RPM Silver badge

        Re: Good idea.

        At the risk of being downvoted into a smoking hole in the ground, this problem seems to be particularly prevalent on Windows - and I'm at a loss to see why consoles (other than, perhaps, Xbox) are similarly affected.

        Taking one (admittedly small) example, when I installed Trine on my Mac I was able to start playing immediately. I installed Braid and the gameplay experience was the same. I did the same on Linux (with Trine and Braid) - install, and then play. No further messing.

        When attempting the same on my Windows 7 PC, I needed to update DirectX (and a load of other stuff - it was a while ago, and I can't remember the specifics) immediately after installing Trine before I could play. I installed Braid and, despite just having done a major update of shared components, I had to wait while more components (often the same ones) got updated again. Wtf!?

        Now I concede that Windows is the better system for gaming in terms of variety and performance, but in terms of user friendliness and immediacy Microsoft can learn a lot from Linux and Mac OS.

        1. BasicChimpTheory

          Re: Good idea.

          Trine and Braid are small games that were largely complete at release. The issue discussed above is basically that game discs can pretty much be considered installation wizards these days, with the complete game required to be downloaded (usually in the form of nGB patches (let us not speak of DLC or microtransactions)).

        2. This post has been deleted by its author

        3. Blitterbug

          Re: Now I concede that Windows is the better system for gaming

          This changed my reflexive DV into an UV! Balanced and makes sense. I loves me Windows 7, and I've long said the X-Windows bottleneck can be problematic on Linux & Unix (may be out of date here tbh) but I like the ease of getting up'n'running with Mac software and configuring printers & such, so...

          1. Roo

            Re: Now I concede that Windows is the better system for gaming

            "X-Windows bottleneck can be problematic on Linux & Unix (may be out of date here tbh)"

            That statement hasn't been true since 1992 when SGI released OpenGL. Just to put that in perspective that's 3 years before Win 95.

            1. LDS Silver badge

              Re: Now I concede that Windows is the better system for gaming

              Why did Apple drop OpenGL and introduce Metal?

        4. 9Rune5

          Re: Good idea.

          "When attempting the same on my Windows 7 PC, I needed to update DirectX (and a load of other stuff - it was a while ago, and I can't remember the specifics)"

          I have installed a handful of games lately (on my Win7) and there was none of this. Downloading and installing from Steam was accomplished within minutes (certainly less than 10).

          It was like that a few years ago, but once in... it sort of stays in... A one-time pain is not a big problem.

          That said, I did wince when downloading Splinter Cell from Ubisoft. The pipe between me and uplay was rather thin and the download felt mighty slow. But I'd hardly blame the OS for that. Nor the distribution model: the trip to a game store (or post office) to buy the physical media would still have been a slower/more expensive experience. But the experience left me more thankful for Valve's services.

    2. Steven Roper

      Re: Good idea.

      We definitely seem to be going backwards in a lot of ways. First there's the cloud/rentism mentality that harks back to the master/slave dumb-terminal-to-mainframe systems of the 60s and 70s, then there's the loss of multitasking/windowing in favour of "fullscreen apps" like it was in the 8-bit era, now we have games that take an hour to get going.

      Brings back fond memories of playing tape games on the C64 in the early 80s before they invented fastloaders. Want a game of River Raid or Pitfall 2? Pop the tape in the datasette, type "LOAD", press play on tape, and go have dinner while it loads. Once you've eaten and done the dishes, it's ready to play.

      Of course River Raid and Pitfall 2 loaded in around 10 minutes or so - rather faster than the hour or so it takes some of today's games.

      I think IT technology peaked sometime around 2010-ish. We've been regressing ever since!

      1. allthecoolshortnamesweretaken Silver badge

        Re: Good idea.

        @Steven Roper: as I can give you only one upvote, have a pint. (Where is the champagne, it's New Years Eve!) As the datasette was notoriously unreliable, the next thing I got was a floppy drive...

        One point, though: I don't think IT technology has peaked yet - it's the implementation that sucks. Big time. [Insert rant HERE] Is there a xkcd for that? You bet there is.

        1. Anonymous Coward

          Re: Good idea.

          I think I got my PS4 going quicker than 90 minutes but the point stands.

          These days a new game comes out and in reality it's just a placeholder until they release a series of patches over the next six months making it playable and in some cases even then they don't succeed.

          All games on my PS2/1 played straight away. Even my BBC micro only took 5 minutes to load from tape.

          Really we should be able to go after the game publishers under the sale of goods act......

          1. TRT Silver badge

            Re: Good idea.

            Pff! Vic-20 game cartridges. Plug & play instantly. Actually, there was a real element of excitement and wonder about them... the arrangement of chips and connections in a cartridge there in your hand made a spaceship and aliens and little people who fell down from the sky... Or is it just that I've got older?

        2. LDS Silver badge

          Re: Good idea.

          You're right. The problem with implementation is that everything now - games included - is a gateway to your data and your wallet (DLC & the like). They tell you it's to "improve the experience", but the result is the "experience sucks".

          Moreover the "hey, it compiles, ship it" attitude means what gets on the shelf is already outdated - but who cares, the important thing is to get to the shelf first - once you've bought it you'll have to endure the rest.

          I'm not against add-ons and expansions, but there should be really no need to sell your soul to buy them and install them...

      2. Bernard M. Orwell Silver badge

        Re: Good idea.

        Oh gods, I remember Lotus Notes and WordStar! So much better than MSOffice! And CP/M was so much better than DOS! How I miss DOS, with all these new-fangled apps and interweb nonsense getting in the way these days!

        Ah, if only I could have 5.25" floppy disks back instead of this stupid SAN Array.....

        Yep, we're definitely going backwards.

        {Sarcasm}

    3. Amorous Cowherder

      Re: Good idea.

      I'm glad it wasn't just me. I got a nice shiny XB1 off the Missus and it took me about 90 mins to download the patches and fixes for the 2 games I'd asked for! Since then I've had another game update which took something like 25 minutes to download and update, I'm on a VM 150Mb so I know it's not my end of the pipe that's slow.

      Harks back to the days of the old Speccy where you'd wait 20 mins to play a game!

      1. DropBear Silver badge

        Re: Good idea.

        "Harks back to the days of the old Speccy where you'd wait 20 mins to play a game!"

        Does that include 3 failed "tape loading error" attempts because you're using a crappy tape player, or is this some yet undiscovered relativistic time dilation effect? I remember having 60 minute tapes with at least 8-10 games if not more, so I really don't know what you'd be loading for 20 minutes...

      2. deshepherd

        Re: Good idea.

        "I'm glad it wasn't just me. I got a nice shiny XB1 off the Missus and it took me about 90 mins to download the patches and fixes for the 2 games I'd asked for! "

        Worse for me ... my son's Xbox came with FIFA16 via download + XB1 upgrades + Battlefront upgrade and to cap it all we couldn't get wired network to work so had to revert to the marginal Wifi connection (which is why I switched it to powerline for the games console some time ago). Result was son + friends got bored of waiting and connected the PS3 up again! Discovered later that a cheap ethernet switch that was on the part of our LAN that connects to the powerline part of the network had chosen Christmas day to die .... fortunately I had a spare available plus an excuse to upgrade that bit to gigabit!

    4. D@v3

      Re: Leeroy

      An hour? Lucky you.

      Between 1pm and 4pm on boxing day, I was downloading an 18gb update to let me play Halo 5. And then another few minutes to update the sodding controller !! (still not entirely sure if it was worth it)

    5. Keith 12

      Re: Good idea.

      As someone who has always liked to see the 3.5" floppies / CD / DVD etc on the shelf should I need to reinstall a game, it took me a while to get used to the idea of never actually "owning" the media as such - I would even accept that this choice included additionally installing various updates / patches and resetting video / sound / mouse / KB settings again. Some years ago I started to purchase stuff from Steam online, and, frankly, it's frigging wonderful (though you do of course need a decent connection speed). Install Steam front-end, login, choose titles from games library, have dinner while it downloads, installs updates, configures all my game settings - finish dinner and here we go... It maxes out my TalkTalk 80Mb to 84Mb on each and every occasion.

      I understand that Windows 10 offers a similar experience - ahh well, back to the manual installs and updates for the O/S then.. and it won't be Windows 10

  2. Mark 85 Silver badge

    With all the DDoS'ing going on lately, I'm surprised that anyone can get to any web page/server.

    1. Your alien overlord - fear me

      As long as they leave the porn sites alone you know it'll be ISIS backed players (so says Boris) !!!!

  3. Comfy Chairs

    Refreshingly honest

    I have to respect the folks at Steam. They fucked up, albeit for a short window of opportunity, and certainly not on the same scale as information breaches at many other recent high-profile targets. It seems more like a breach caused by unforeseen circumstances rather than an inevitable open vuln disaster waiting to happen (*cough* talktalk).

    Their official statement breaks down succinctly into 1) here's what went wrong, 2) here's why it went wrong and 3) here's what we've done to mitigate the damage.

    1. Peter Prof Fox

      Re: Refreshingly honest

      [Not a game player of any sort] I get the warm feeling that Steam (whoever they be) will share their learning experience with their COMPETITORS. Cooperation is often a MUCH more profitable path than sour competitiveness. (Sorry Trump-jocks, I'm British. I'm all for good eggs.)

      1. TechnicalBen Silver badge

        Re: Refreshingly honest

        In an out of character defence, they did start on the right footing. The caching system only caches non-critical customer details. Those are always put through the proper channels.

        However, some pages can be cached as they don't supply full/private details. This was the grey area that got hit with the wrong switch by a third party on one day of the year.

        So a mistake and a fumble, but a good catch after it all. (I hope, for the sake of the customers)

  4. Ken Moorhouse Silver badge

    Speed vs Security

    Cacheing/caching is historically one method by which people's need for speed and accessibility is satisfied. Anyone in the game of advocating reliability and integrity over speed faces an uphill job of getting their viewpoint across - which is to outlaw cacheing/caching, using other methods of tuning performance. "Our competitors are faster than us, we must adopt the same tactics". It is the tortoise and hare race all over again. This incident is bad enough from a security viewpoint. It could have been worse: flushing the cached information back into the database where it came from, on the basis that the information had been updated, and you have a data corruption issue to contend with too. Mark my words: it's gonna happen.

    1. moiety

      Re: Speed vs Security

      I don't know why they would be cacheing user account pages in the first place...bad security and a bit redundant; the only reason you'd want to see your account page again is if you'd changed something, surely?

  5. Turtle

    Thanks For The Candor.

    "Valve said 34,000 gamers' profiles were leaked this way. If you didn't log in that day, your information is safe because your profile didn't end up in the dodgy caches."

    So, uh, if I correctly understand what they're saying, the best way to secure my Steam account is by not logging in to it. Makes sense, I guess.

    Thanks for the candor.

    1. ecofeco Silver badge

      Re: Thanks For The Candor.

      My Steam account is strictly manual. When I want access, only THEN do I launch the gateway program. The rest of the time it is not even so much as a TSR.

      When done, I make sure it and any associated lurking TSRs are shut down.

      There is too much goddamn shit talking to their motherships as it is.

  6. Anonymous Coward

    There have been many mistakes caused by caching...

    ...and there will be many more. Sensitive billing information should be delivered from a secure source down a secure pipe into the recipient's browser; it should never be cached by a third party that may not be able to tell the difference between private and public content. If the steam backend is too slow, then they can fix it, or buy more hardware. Indiscriminate caching is not the answer, in time every cache will serve up something unwanted.

    1. Mike Bell

      Re: There have been many mistakes caused by caching...

      I sympathise, but sometimes it's beyond your control. For example I've had to deal with web app errors generated by traffic that happened to be routed through certain corporate caching proxies before hitting our servers. Query string parameters would end up coming through double-url-encoded, which messed up URL parsing. In the end I had to put in a defence against such proxies. Mentioning no names, but they're a big outfit with a name beginning B. Why they see fit to tamper with HTML content and mess it up is beyond me.

    2. Anonymous Coward

      Re: There have been many mistakes caused by caching...

      > Sensitive billing information should be delivered from a secure source down a secure pipe into the recipient's browser

      Nice thought, but CloudFlare is doing really funky stuff - essentially MITM - to cache requests for what *appears* to be a direct SSL connection to a site (unless you view the cert). Presumably other cache/CDN services like Akamai and Amazon are doing the same. All in the name of convenience and "ENCRYPT ALL THE THINGS!!!!!"

      I think the web's days are numbered. HTTP is just a glorified anonymous-FTP protocol, designed to transfer static files without the overhead of logging in and holding a TCP session open. Dynamic content, scaling, decentralization, encryption, authorization, authentication, privacy, and security in general, were all afterthoughts. It's only going to get worse until these crappy old protocols bite the dust.

  7. Will 28

    Do we have any comment from the ICO?

    Normally when someone spews customer data out to unintended sources we're told the ICO will investigate. Do they apply to Valve? I would have expected so, but cannot find them on the list of companies under the jurisdiction of the ICO.

    Were The Register able to get a comment? I couldn't even see where to email to ask them.

    1. Swarthy Silver badge

      Re: Do we have any comment from the ICO?

      Probably not, being as Steam is a US Corp (and therefore a person, but that's a rant for a different day) and the ICO is a UK Office. I don't think the ICO will have any more effect on this than the FCC has on UK Cell phone frequencies.

    2. Anonymous Coward

      Re: Do we have any comment from the ICO?

      we're told the ICO will investigate

      Unfortunately the ICO remains a small-time, under-resourced outfit, based around legislation drafted back in the days when "data protection" was simply about stopping junk mail and spam calling. They don't appear to do any proactive investigations, relying instead on private complaints via their webform, or on self-reporting by companies. But the law around this is woolly (eg, is a games website a "telecoms service provider"?), the ICO themselves aren't interested in minor breaches, and the penalty for not self-reporting is a civil penalty of up to £1k.

      Until UK law and penalties are dramatically updated, and the scope and scale of the ICO is similarly enhanced, then the ICO will remain nothing more than a statutory nuisance for the incompetent and for the intentional law breakers. Don't hold your breath.

  8. Securitymoose

    Problems perhaps deeper than we have been told

    For a week or so before, every time I tried to use Steam, it would say it was updating the software. I tried restarting a few times and got the same messages - appearing to succeed in the update and then wanting to update again. Steam Support are denying anything wrong, but I suspect they were trying to either get round this impending problem, or making cack-handed changes themselves in the name of 'upgrades'. It all went wrong eventually, Steam guys, so perhaps send your 12 year old developers back to kindergarten and replace them with someone who knows what they are doing?

  9. Anonymous Coward

    Gaming's not much fun any more

    Let's see, I have a spare hour and feel like entertainment. I could fire up Steam, start, say, Lord of the Rings Online...and then wait while it downloads a few gig of stuff *even though I played it only last week*. Maybe I'll get five minutes of bashing orcs at the end. Or I can pick up my phone, start an app and have 59 minutes of fun.

    There's something seriously wrong with how games are delivered over the cloud. When I start Steam, I want to play now, not later. Shouldn't we have evolved to background downloads or something by now?

    1. Anonymous Coward

      Re: Gaming's not much fun any more

      I haven't used Steam enough to notice that you can't play a game while it's downloading updates. WTF, really?

      At least some of us are still making offline single-player games... and not releasing them half-finished...

    2. Bernard M. Orwell Silver badge

      Re: Gaming's not much fun any more

      "and then wait while it downloads a few gig of stuff *even though I played it only last week*. "

      That's called an update. MMOs are prone to many updates, it's one of the side-effects of an expanding game.

      " I can pick up my phone, start an app and have 59 minutes of fun"

      Fruit Ninja vs LotRO? Yeah, those aren't really comparable gaming experiences you know. MMOs are well known as time sinks, requiring a lot of dedication to really get a good experience out of.

  10. Been there, done that, it never ends

    Why mention Akamai?

    Interesting to read the explanation. What is the reason for pointing out the CDN? I would expect that Steam is responsible for setting their caching profiles. If they get it wrong it's not the fault of the downstream content delivery system. In a previous position, I was always leery when the applications team wanted to control caching. They never seemed to understand the possible drawbacks and only looked at advantages.
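The risk described in the comment above, as an added example in Python that is not code from Valve, Akamai or The Register: a toy shared (CDN-style) cache keyed on the URL alone hands one user's personalised page to the next requester, and the same cache refuses to store that page once the origin's caching profile marks it `Cache-Control: private, no-store`. The origin, the sessions, the paths and the `audit_cache_headers` review check are all constructed for illustration.

```python
"""Toy shared-cache model (added example; not code from Valve, Akamai or
The Register).  The origin, the users and the URLs are constructed for
illustration.  It shows how an edge cache keyed only on the URL hands one
user's personalised page to the next requester, and how marking such
responses Cache-Control: private, no-store stops a compliant shared
cache from storing them.  audit_cache_headers() is a hypothetical check
of the caching profile that a site operator would review."""
from dataclasses import dataclass, field

# Constructed sample sessions: cookie -> account holder's private details.
SESSIONS = {
    "sid=alice": {"name": "Alice", "email": "alice@example.invalid"},
    "sid=bob": {"name": "Bob", "email": "bob@example.invalid"},
}


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def origin(path: str, cookie: str, mark_private: bool) -> Response:
    """Origin server: /store is identical for everyone, /account is per user.

    mark_private=False reproduces the risky caching profile: a personalised
    page sent with headers that allow a shared cache to store it.
    """
    if path == "/store":
        return Response(200, "Store front page, same for everyone",
                        {"Cache-Control": "public, max-age=60"})
    if path == "/account":
        session = SESSIONS.get(cookie)
        if session is None:
            return Response(401, "login required", {"Cache-Control": "no-store"})
        body = f"Account of {session['name']} <{session['email']}>"
        cc = "private, no-store" if mark_private else "public, max-age=60"
        return Response(200, body, {"Cache-Control": cc})
    return Response(404, "not found", {"Cache-Control": "no-store"})


def directives(resp: Response) -> set:
    """Lower-cased Cache-Control directive names, e.g. {'private', 'no-store'}."""
    raw = resp.headers.get("Cache-Control", "")
    return {d.strip().split("=")[0].lower() for d in raw.split(",") if d.strip()}


class SharedCache:
    """A shared (CDN-style) cache keyed on the URL alone, ignoring cookies."""

    def __init__(self) -> None:
        self.store = {}
        self.hits = 0

    @staticmethod
    def storable(resp: Response) -> bool:
        # A shared cache must not store responses marked private or no-store.
        return resp.status == 200 and not (directives(resp) & {"private", "no-store"})

    def fetch(self, path: str, cookie: str, mark_private: bool) -> Response:
        if path in self.store:
            self.hits += 1
            return self.store[path]
        resp = origin(path, cookie, mark_private)
        if self.storable(resp):
            self.store[path] = resp
        return resp


def what_bob_sees(mark_private: bool) -> str:
    """Alice loads /account, then Bob loads it through the same edge cache."""
    cache = SharedCache()
    cache.fetch("/account", "sid=alice", mark_private)
    return cache.fetch("/account", "sid=bob", mark_private).body


def leaks_alice_to_bob(mark_private: bool) -> bool:
    """True when Bob is served Alice's details from the cache."""
    return "alice@example.invalid" in what_bob_sees(mark_private)


def audit_cache_headers(mark_private: bool, personalised=("/account",)) -> list:
    """Hypothetical review check: personalised paths whose response a shared
    cache would be allowed to store under the current caching profile."""
    bad = []
    for path in personalised:
        resp = origin(path, "sid=alice", mark_private)
        if SharedCache.storable(resp):
            bad.append(path)
    return bad


if __name__ == "__main__":
    print("risky profile leaks:", leaks_alice_to_bob(False))   # True
    print("fixed profile leaks:", leaks_alice_to_bob(True))    # False
    print("offending paths before fix:", audit_cache_headers(False))
```

The public `/store` page is still cached in both configurations, so the fix costs nothing on the pages a CDN is meant to accelerate; the design point is that the origin, not the cache, is the party that knows which responses are per-user, and the audit function is the kind of check an operator can run over every personalised route whenever the caching profile changes.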

  11. Cal

    Hm.

    Gotta remember here that yeah, it might take 90 minutes to download an install, but lots of people seem to be forgetting that the disc doesn't just magically appear in your hand. There is a time and money cost somewhere, be it you going to the shops, your missus going to the shops, the online retailer dispatching a delivery van for your one disc, the postman dropping yet another rubber band on your pavement as he slots it through your door.

    Whatever it may be, there was always a cost involved in getting a game.

    I would say that this is the far easier method.

    I don't need to worry about physical media degradation, losing game keys, getting home to find it doesn't work, etc.

    It's a pain, but a one off pain and then (hopefully) your game is good for whenever you want it.

    We take it for granted, but it's an amazing leap forward and takes us one step closer to many science fiction realities we all enjoyed but shook our heads at as being 'crazy' and 'impossible'.

    Embrace it, I say.

    1. Ken Moorhouse Silver badge

      RE: good for whenever you want it.

      unless there is a cloud outage, or the update is not compatible with the system it is being run on, and the service doesn't become obsolete.

    2. A. Coatsworth

      Re: It's a pain, but a one off pain

      That's very, VERY far from the "user experience" I've got from Blizzard games.

      StarCraft 2 needed a hefty 25gb "patch" download that rendered it unusable for the first weekend I got it, and since then it has run several (I can't remember the number) ~5gb patches.

      My favorite patch so far was one for Hearthstone, that ran at the beginning of December and ground it for over an hour. It installed Christmas themes and decorations, themes that weren't activated in-game until 2 weeks later and that I of course didn't want NOR need...
