Valve Corporation finally announced more details regarding the security breach that occurred during Christmas. Steam Database, an independent forum supporting the Steam community, previously speculated that Valve pushed out a caching misconfiguration update to its production environment that resulted in a security incident, where account users were able to see confidential data of other users, including credit card data. We here at Bizety speculated it was probably caused by Valve’s homegrown CDN, since Valve was silent on the issue for several days.
However, it appears that the cause was not Valve’s internal CDN but a third-party caching partner. Apparently, Steam was under a DDoS attack, during which traffic spiked to 2000% of normal levels, so Valve and the caching partner pushed out a first caching rule into the production environment to counter the threat. Thereafter, they pushed out another caching rule into production, and this one caused the caching of authenticated user data. This is a live-and-learn experience for Valve and the caching partner; perhaps next time they can conduct a lot more testing before pushing a caching rule out into the wild.
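The kind of pre-deployment test that catches this failure mode is shown below as an added example; it is not Valve's or the caching partner's configuration, whose details have not been published. The rule fields, paths and session cookies are hypothetical: the check replays the same path as two users through a simulated shared cache and flags any path where the second user is served the first user's response.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:                       # hypothetical rule shape, not a real CDN's syntax
    path_prefix: str              # requests under this prefix are handled by the rule
    ignore_cookies_in_key: bool   # True: every user shares one cache entry per path
    force_cache: bool             # True: store even when the origin says private/no-store

@dataclass
class EdgeCache:
    rule: Rule
    store: dict = field(default_factory=dict)

    def fetch(self, path, cookie, origin):
        matched = path.startswith(self.rule.path_prefix)
        shared = matched and self.rule.ignore_cookies_in_key
        key = (path, None if shared else cookie)
        if key in self.store:
            return self.store[key]
        body, cache_control = origin(path, cookie)
        private = "private" in cache_control or "no-store" in cache_control
        if matched and (self.rule.force_cache or not private):
            self.store[key] = body
        return body

def origin(path, cookie):
    # Constructed origin: /account is per-user, everything else is public.
    if path.startswith("/account"):
        return f"account page for {cookie}", "private, no-store"
    return "store front", "public, max-age=60"

def leaking_paths(rule, paths):
    """Return the paths where a second user is served the first user's response."""
    leaks = []
    for path in paths:
        cache = EdgeCache(rule)   # fresh cache per path
        cache.fetch(path, "session=alice", origin)
        served = cache.fetch(path, "session=bob", origin)
        if served != origin(path, "session=bob")[0]:
            leaks.append(path)
    return leaks

PATHS = ["/store", "/account"]
WEAK = Rule("/", ignore_cookies_in_key=True, force_cache=True)
SCOPED = Rule("/store", ignore_cookies_in_key=True, force_cache=False)

if __name__ == "__main__":
    print("weak rule leaks:", leaking_paths(WEAK, PATHS))
    print("scoped rule leaks:", leaking_paths(SCOPED, PATHS))
```

Run against a staging copy of the rule set, a non-empty result is a reason to block the rollout.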