On Christmas morning, around 34,000 Steam users had their personal information shared with other users. While full credit card numbers and passwords weren't shared, information like billing address, the last four digits of user Steam Guard phone numbers, purchase histories, the last two digits of credit card numbers, and/or email address were shared.
Valve has released a statement in regards to the event, stating that they are working with they "web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified."
The incident only allowed users to view information through instead of allowing unauthorized action, no action from users is required.
"We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward. We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service."
According to Valve, the incident is largely due to Steam being overwhelmed by users on Christmas morning. Traffic to the Steam store "increased 2000% over the average traffic," because of a DoS attack. The first wave of the DOS attack was mitigated by Steam's web caching partner. The web caching partner used the same tactic on the second attack, but a configuration error resulted in users seeing the account page of other users.
Once the error was identified, the Steam Store was shut down and a new web caching configuration was used.
