Steam’s Self-Inflicted Security Breach. Might Be Time To Ditch CDN Experiment


Recently, Valve Software, a global powerhouse in video game development and distribution, experienced a weird security incident on its Steam platform over the holidays. Valve initially developed Steam back in 2002, and it is now one of the largest platforms of its kind in the world, with 125M active users. Steam also provides services like DRM, game installation, automatic updating, and so on.

Steam Database, an independent forum that supports the Steam user community, attributed the security incident to a caching misconfiguration in the “Valve caching layer”. The misconfiguration caused a major problem: user data spilled over into other accounts, and credit card data was visible to others. Steam Database stated, “by the way, this is not a security breach. This is page caching gone rogue. Most likely not respecting Cache-Control headers.”

Of course, we beg to differ. If the issue was caused by a caching misconfiguration, not only is this a security breach, it’s a self-inflicted security breach if there ever was one. A few years back, Valve was using multiple CDNs, including a homegrown one, which was quite extensive. If the caching misconfiguration was caused by its own homegrown CDN, then it might be time to throw in the towel on its internal CDN efforts and outsource to third-party CDNs completely.
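As an added illustration (not code from Valve or Steam Database), the sketch below shows the check a shared cache is expected to make before storing a response, which is the step that gets skipped when Cache-Control headers are not respected. The function names and sample requests are constructed for this example, and the rules are a conservative subset of RFC 9111 section 3.

```python
"""Conservative storability check for a shared (CDN) cache, after RFC 9111 section 3."""

def parse_cache_control(value):
    """Return {directive: argument-or-None} with lower-cased directive names."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def shared_cache_may_store(method, req_headers, status, resp_headers):
    """Return (allowed, reason) for storing this response in a shared cache."""
    req = {k.lower(): v for k, v in req_headers.items()}
    resp = {k.lower(): v for k, v in resp_headers.items()}
    cc = parse_cache_control(resp.get("cache-control"))
    if method != "GET" or status != 200:
        return False, "only plain 200 GET responses are stored in this sketch"
    if "no-store" in cc:
        return False, "response says no-store"
    if "private" in cc:
        return False, "response is private to one user"
    explicit_shared = any(d in cc for d in ("public", "s-maxage", "must-revalidate"))
    if "authorization" in req and not explicit_shared:
        return False, "authenticated request without explicit shared-cache permission"
    # Stricter than the RFC (assumption of this sketch): Set-Cookie means per-user.
    if "set-cookie" in resp:
        return False, "response sets a cookie"
    if not any(d in cc for d in ("public", "s-maxage", "max-age")) and "expires" not in resp:
        return False, "no explicit freshness information"
    return True, "storable"

# Constructed sample traffic (hypothetical, not taken from the incident).
SAMPLES = [
    ("GET", {"Cookie": "session=abc"}, 200, {"Cache-Control": "private, no-cache"}),
    ("GET", {}, 200, {"Cache-Control": "public, max-age=300"}),
    ("GET", {"Cookie": "session=abc"}, 200, {"Cache-Control": "max-age=60", "Set-Cookie": "cart=1"}),
    ("GET", {"Authorization": "Bearer x"}, 200, {"Cache-Control": "max-age=60"}),
]

if __name__ == "__main__":
    for method, req, status, resp in SAMPLES:
        print(resp, "->", shared_cache_may_store(method, req, status, resp))
```

The check only protects users if the origin marks account and checkout pages `private` or `no-store`; a per-user page sent with just `max-age` and no cookie would still pass it.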
