[UPDATE:] At 11AM EST Valve officially released a statement entitled “Update on Christmas Issues.” In the update they provide details including a number of users who were affected (34k, approximately) and the hours this occurred between (11:50PST and 13:20PST). At the moment, “Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users.” The post also details what happened. The error apparently occurred due to a DoS attack that triggered secondary caching configurations. Those secondary configurations failed to work properly, and instead showed incorrectly cached pages to users. The last paragraph states “We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward. We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service.”
I’m not even going to lie… this is pretty much exactly the sort of statement I was looking for. It elucidates what happened, where their process broke down, how many people were affected, how those users would be notified, and they at least end it with an apology. That’s a lot more than I was expecting, honestly, and this is the sort of thing that should have been posted/sent out via e-mail two days ago. I understand then they didn’t have the amount of information they have now, however something along the lines of “We are aware of the issue, we are investigating more, hang tight, we’re sorry this happened and we will release more information via public channels soon” or something a little more apologetic than that paragraph they sent out to select news sources the other day. As I mention in the article below, Valve had a chance to get ahead of the issue, but instead they chose to remain silent and let the consumers worry and jump to their own conclusions. The Steam_Support Twitter account finally posted a link to the Valve blog, so they are at least sort of utilizing their social media. Either way, it looks like more information is to come.
[Original Story:]It’s been 5 days now and still we have heard only about a paragraph from Valve regarding the Steam internal error that temporarily logged users into other accounts and allowed users to find others’ personal information including full names, telephone numbers, billing addresses, and the last 4 digits of a person’s credit card (credit goes to /u/maullove for sharing the redacted screenshots). Also accessible was the e-mail address of users’ PayPal accounts if they were linked to Steam as well as the e-mail address linked directly to Steam.
The extent to which this information can be used to damage another user or steal their identity is still debatable (probably pretty low in all honesty), but the fact that this information was available at all when it should have been private is concerning. Yes, it was a caching bug and not a hack, and yes the issue was resolved within an hour, however we have not heard anything else from Valve on the issue since the statement on the 26th that just explained what the issue was and simply adding “We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information.” This was a message sent only to gaming media sites who had PR contacts with Valve (*cough*not us*cough*). This means there are potentially thousands of users who may not have actually heard of this breach and may not know the extent to which their information was leaked.
Let me be clear about something: Valve has a duty to its user base to not only fix the issue (which, to their credit they did in under an hour during a holiday), but also to inform ALL users of what happened. This means sending a direct e-mail to all users about the bug, the scope of the bug, etc. This absolutely should be done in a timely fashion. Valve’s reliance on news sources to get that statement out is flawed as not every user reads gaming news media, and not everyone is keeping up with updates. Valve should also have taken advantage of social media like Facebook or Twitter to get the word out and answer users’ questions on the Steam internal error. Instead, they have pretty much gone dark and not revealed any new information since the brief, initial statement.
This silence and apparent contempt for users is yet another instance of Valve putting customer service on the back burner. By not immediately approaching customers about the problem, Valve puts out the implicit message that it will not admit fault and any concerns a customer might have are the problem of the customer and not of Valve. When the company is already known for terrible customer service, getting ahead of mistakes and bugs like the Steam internal error on Christmas would do a lot in helping rebuild trust for its user base. Instead what we end up with is yet another reason to distrust Valve. Owning up to their mistakes and informing users of potentially sensitive data being shared with random users is one of the most basic actions you would expect a company to take.
What we need from Valve is a firm statement about what happened and how they will work to make sure this won’t happen again. We need Valve to reach out to users via e-mail to explain the issue in no uncertain terms. Valve needs to uphold its promise made earlier this year and focus on better customer service, and that includes not only owning up to mistakes like the Steam internal error, but also to helping users with any of their other issues in a timely manner instead of the months it can currently take. Without these actions, Valve is opening itself up to not only stiffer competition, but to potentially losing its client base as new services arise (like GoG Galaxy, EA Origin, etc.). Valve, please, just talk to us.
Have you had issues with Valve’s customer support in the past? Let us know in the comments!