PC gamers were dismayed on Christmas Day to find that Valve’s popular (and arguably essential) Steam store had gone haywire before becoming entirely inaccessible. Logged-in users were seeing account data that didn’t belong to them, with partial credit card numbers, phone numbers, e-mail addresses, billing addresses, and purchase histories all visible. This happened for a period of about an hour and a half, from 14:50 to 16:20 EST on Christmas Day, after which the service went down entirely.

Valve has published an explanation of what happened and why. Steam routinely suffers from denial of service attacks. On Christmas Day, this traffic exploded. The Steam Store was already busy, due to the Winter Sale, and the denial of service attacks pushed the load to 20 times the normal load.

To handle the load of the attack, Valve’s Web caching partner rolled out an updated configuration that resulted in personal, authenticated pages being cached and subsequently served to users they didn’t belong to. After about 90 minutes the error was spotted. The Steam Store was taken offline entirely, the cache configuration was repaired, and the erroneously cached data was purged. Normal operation resumed thereafter.