Valve Still Hasn't Told Steam Users About The Christmas Fiasco


Four days after Steam’s Christmas fiasco, we still don’t know exactly what happened. We don’t know how many people were affected, how much personal information leaked, or if some friendly Team Fortress players saw our addresses and plan to stop by our homes for an impromptu New Year’s celebration.


We don’t know any of this because Valve, carrying on a grand tradition of opacity, has refused to go into specifics about the fiasco last week, when Steam users across the country logged into the digital store to find that they’d somehow accessed other people’s accounts. It was a creepy, unsettling event for many PC gamers, and although there have been few reports of unauthorized purchases, Steam did expose enough personal information to fuel all sorts of social engineering. For nearly an hour, anyone with a Steam account could see random users’ e-mail addresses, phone numbers, and buying histories as well as the last four digits of their credit card numbers, which would be more than enough to steal someone’s Netflix account.

Yet other than a short statement sent to Kotaku and other press outlets last week—“This issue has since been resolved”—Valve hasn’t said a thing. They haven’t commented on how many people were affected. They haven’t contacted the Steam users whose information was exposed. Most alarmingly, they haven’t informed their 125+ million users—some of whom, sadly, do not read Kotaku—that this happened at all.

This is standard practice for Valve, of course. Their customer support has been horrendous for a long time, and their modus operandi has always been to say as little as possible, no matter how much faith they lose. And oh, they’ve lost faith. On the front page of r/steam right now, for example: “We shouldn’t be okay with the fact that Valve still haven’t apologized for the cache server fiasco.”

For the past few days, several people have contacted Kotaku about what happened to Steam. Some were worried that they’d been exposed and didn’t know about it; others suspected that the false charges on their PayPal accounts were a result of this disaster. There’s been no evidence linking the Steam Winter Fail to unauthorized payments, but even if there was, would anyone know about it?

One Steam user, who asked not to be identified in this story, found out on Christmas that other people had accessed his account. People had seen his name, his address, his phone number, his buying history. And when he contacted Steam support, they didn’t have a single useful thing to say.

Read the full ticket:

Illustration for article titled Valve Still Hasn't Told Steam Users About The Christmas Fiasco

It’s infuriating, frankly. Infuriating that some Steam users won’t know this happened; infuriating that others might never know whether or not they were exposed; infuriating that Valve’s customer service is still so useless and uninformative.

Most of all, it’s infuriating that Valve thinks this is okay, that they can just fire off a press statement and let the crisis blow over without even telling customers that the last four digits of their credit cards may have been inadvertently shown to the world. How can such a smart company, one that’s made such stellar, polished games and dominated the PC gaming landscape for nearly a decade now, be so damn stupid?


You can reach the author of this post at or on Twitter at @jasonschreier.


Remy Porter

I know why they won’t tell you how many people accessed other people’s accounts: they don’t know. Do you really think they’re putting any audit logging in the caching layer? Nobody does that. Why on Earth would you?

They might audit account accesses, but that’d be on the backend layer. The cache is supposed to hold legitimately accessed pages, and serve them back up on request. The cache, for at least some pages, should be linked to the user’s session, which obviously wasn’t happening here.

The reality is that if you fetched your account details from Steam during the outage, it’s safe to assume that somebody else did too.
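The session-linking and cache-layer audit points raised in the comment above, as an added example that is not from the article, the commenter or Valve: a constructed Python model of a shared page cache, run once keyed by URL alone and once with private pages bound to the requesting session. Every name, path and session ID is a hypothetical sample value, and the model makes no claim about Steam's actual configuration.

```python
# Constructed model of a shared page cache in front of an account backend.
# Every name, path and session ID below is a hypothetical sample value.
ACCOUNTS = {"sess-alice": "alice@example.test", "sess-bob": "bob@example.test"}

def origin(path, session):
    """Backend: return (body, cache_control); account pages are per-user."""
    if path == "/account":
        return f"account page for {ACCOUNTS[session]}", "private"
    return "store front page", "public"

class PageCache:
    def __init__(self, session_aware):
        self.session_aware = session_aware
        self.store = {}   # key -> (body, owner session or None for public pages)
        self.hits = []    # audit trail: (requesting session, path, owner)

    def get(self, path, session):
        keys = [(path, None)]                  # shared entry, any user
        if self.session_aware:
            keys.append((path, session))       # entry bound to this session
        for key in keys:
            if key in self.store:
                body, owner = self.store[key]
                self.hits.append((session, path, owner))
                return body
        body, cache_control = origin(path, session)
        private = cache_control == "private"
        # The session-blind cache ignores "private" and files the page under
        # the URL alone, so the next requester of that URL receives it.
        key = (path, session) if private and self.session_aware else (path, None)
        self.store[key] = (body, session if private else None)
        return body

    def cross_session_hits(self):
        """Cache hits where a private page went to a different session."""
        return [h for h in self.hits if h[2] not in (None, h[0])]

def replay(cache):
    """Alice, then Bob, load the front page and their account page."""
    return [cache.get(p, s) for s in ("sess-alice", "sess-bob")
            for p in ("/", "/account")]

if __name__ == "__main__":
    for aware in (False, True):
        cache = PageCache(session_aware=aware)
        print(aware, replay(cache)[3], cache.cross_session_hits())
```

The `hits` list records which session populated each entry, which is the information needed to count exposures after the fact; a cache that keeps no such record cannot answer that question.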