Valve has broken its silence on the massive hack suffered by its game distribution platform Steam on Christmas Day.
Through a caching error, up to 34,000 customers could have had their personal information inadvertently shown to other users.
The fault, which lasted for about an hour and a half and started at 7.50pm on 25 December, has now been repaired.
Among the information displayed was customers’ email and registered billing addresses, purchasing histories, and the last two digits of their credit card numbers.
According to an official Valve blog post, this is the result of a DDoS attack that saw traffic to Steam’s servers increase by over 2,000 per cent more than the expected average.
As part of its process for dealing with cyberattacks – of which the company says it receives 77,000 a month – Valve and “a Steam web caching partner” used caching rules to route the genuine traffic.
However, during the second attack wave, an error in the caching configuration caused Steam’s servers to begin mixing up requests.
This resulted in the servers showing some users the page results that other customers had asked for.
This included store pages for other countries as well as the purchase histories and account pages of other users.
The store was shut down while new caching configurations were deployed and tested, with Valve bringing them back online once the errant caches had been purged from servers.
Anyone that did not use Steam to access a page containing their personal information can rest assured that their information is safe, the company has said.
The revealed information also “did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user”.
“We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward”, Valve stated.
“We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service.”
