Steam Blog - Valve
We'd like to follow up with more information regarding Steam's troubled Christmas.

What happened


On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST, store page requests for about 34k users, which contained sensitive personal information, may have been returned and seen by other users.

The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.

If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user.

Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users.

How it happened


Early Christmas morning (Pacific Standard Time), the Steam Store was the target of a DoS attack which prevented the serving of store pages to users. Attacks against the Steam Store, and Steam in general, are a regular occurrence that Valve handles both directly and with the help of partner companies, and typically do not impact Steam users. During the Christmas attack, traffic to the Steam store increased 2000% over the average traffic during the Steam Sale.

In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.

Once this error was identified, the Steam Store was shut down and a new caching configuration was deployed. The Steam Store remained down until we had reviewed all caching configurations, and we received confirmation that the latest configurations had been deployed to all partner servers and that all cached data on edge servers had been purged.
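The failure mode described above, as an added sketch that is not Valve's or its caching partner's actual configuration: a shared cache whose rule keys responses on the path alone, next to a rule that bypasses the cache for authenticated requests and varies anonymous pages by language. The paths, the "session" cookie name, the users and the addresses are constructed for the example.

```python
# Added illustration, not Valve's or its caching partner's configuration.
# Paths, the "session" cookie name, users and addresses are constructed.
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    language: str = "en"


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
EMAILS = {"alice": "alice@example.test", "bob": "bob@example.test"}


def origin(req):
    """Toy store origin: account pages are per user, the front page per language."""
    user = SESSIONS.get(req.cookies.get("session"))
    if req.path == "/account":
        if user is None:
            return Response("please log in", {"Cache-Control": "no-store"})
        return Response(f"account page for {EMAILS[user]}",
                        {"Cache-Control": "private, no-store"})
    return Response(f"front page [{req.language}]",
                    {"Cache-Control": "public, max-age=60"})


def weak_policy(req, resp=None):
    """Emergency rule 'cache every store page by path': ignores cookies,
    language and the origin's Cache-Control. Always returns a cache key."""
    return req.path


def safe_policy(req, resp=None):
    """Return a cache key, or None to bypass the shared cache."""
    if "session" in req.cookies:            # authenticated request: never share
        return None
    if resp is not None:
        cc = resp.headers.get("Cache-Control", "").lower()
        if "private" in cc or "no-store" in cc or "Set-Cookie" in resp.headers:
            return None
    return (req.path, req.language)         # vary anonymous pages by language


class EdgeCache:
    def __init__(self, policy):
        self.policy = policy
        self.store = {}

    def fetch(self, req):
        key = self.policy(req)
        if key is not None and key in self.store:
            return self.store[key].body, "HIT"
        resp = origin(req)
        key = self.policy(req, resp)
        if key is None:
            return resp.body, "BYPASS"
        self.store[key] = resp
        return resp.body, "MISS"


def cross_user_leaks(policy, traffic):
    """Replay traffic through a fresh cache and list every response whose body
    differs from what the origin would have rendered for that requester."""
    cache = EdgeCache(policy)
    leaks = []
    for req in traffic:
        body, status = cache.fetch(req)
        if body != origin(req).body:
            leaks.append((req.path, req.cookies.get("session", "-"), status, body))
    return leaks


# Constructed traffic: two logged-in users, then two anonymous visitors.
TRAFFIC = [
    Request("/account", {"session": "sess-alice"}),
    Request("/account", {"session": "sess-bob"}),
    Request("/", language="en"),
    Request("/", language="de"),
]

if __name__ == "__main__":
    for name, policy in (("weak", weak_policy), ("safe", safe_policy)):
        print(name, cross_user_leaks(policy, TRAFFIC))
```

Replaying two distinct sessions through a candidate rule and comparing each response with the origin's, as cross_user_leaks does, is a check that can run before a caching rule is deployed.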

We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward. We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service.
Dec 9, 2015
Steam Blog - Valve
Recently we've seen the community have a good discussion about the pros and cons of trade holds. We thought we'd walk through how we decided to implement them, in the hopes that it helps you understand why they're absolutely necessary.









Compromised accounts and item theft


Account theft has been around since Steam began, but with the introduction of Steam Trading, the problem has increased twenty-fold as the number one complaint from our users. Having your account stolen, and your items traded away, is a terrible experience, and we hated that it was becoming more common for our customers.

Once an account was compromised, the items would be quickly cleaned out. They'd then be traded again and again, eventually being sold to an innocent user. Looking at their account activity, it wasn't too hard to figure out what happened, but undoing it was harder because we don't want to take things away from innocent users. We decided to err on the side of protecting them: we left the stolen goods, and we created duplicates on the original compromised account to replace them. We were fully aware of the tradeoff here. Duplicating the stolen items devalues all the other equivalent items in the economy. This might be fairly minor for common items, but for rare items this had the potential to significantly increase the number in existence.



The number of hijacked accounts continues to grow


This was an unacceptable status quo and we needed to address it. In revisiting our strategy to stop it, we found two things of note.

First, enough money now moves around the system that stealing virtual Steam goods has become a real business for skilled hackers. Second, practically every active Steam account is now involved in the economy, via items or trading cards, with enough value to be worth a hacker's time. Essentially all Steam accounts are now targets.

The "I got hacked" story is told so frequently it's become commonplace. And that makes it easy to forget its significance: compromised security of email accounts and PCs, Steam account violation, and theft. We used to hold the opinion that if you were smart about account security, you'd be protected--it's easy to assume that users whose accounts were stolen were new or technically naïve users who must be sharing their passwords or clicking on suspicious links. That's simply not the case.

What used to be a handful of hackers is now a highly effective, organized network, in the business of stealing and selling items. It would be easier for them to go after the users who don't understand how to stay secure online, but the prevalence of items makes it worthwhile to target everyone. We see around 77,000 accounts hijacked and pillaged each month. These are not new or naïve users; these are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It's a losing battle to protect your items against someone who steals them for a living.

We can help users who've been hacked by restoring their accounts and items, but that doesn't deter the business of hacking accounts. It's only getting worse.



How we can stop it


We've worked to improve account security features, closed loopholes, improved how and when we message users that their account is at risk, added self-locking, and created the Steam Guard Mobile Authenticator (two-factor authentication).

Two-factor authentication is the use of a separate device to confirm your identity. The security of this system is based on moving that step from your PC to a device a hacker can't access, such as your smartphone. PCs can be easily compromised, so a PC-based authenticator would not provide better security than a password or email authentication.

We needed to create our own two-factor authenticator because we need to show users the contents of the trade on a separate device and have them confirm it there. Requiring users to take a code from a generic authenticator and enter it into a hijacked PC to confirm a trade meant that hackers could trick them into trading away items they didn't intend to. This basically made it impossible to use a generic third party authenticator, such as Google Authenticator, to confirm trades.
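A generic sketch of the difference described above, added here as an example and not Steam's actual protocol: a time-based code proves only that the user holds the device, while a confirmation computed over the trade contents shown on the device approves that trade and no other. The trade fields, account names, shared secret and the use of HMAC are assumptions made for the illustration.

```python
# Added illustration of "confirm the trade contents on a second device".
# This is not Steam's protocol; trade fields, account names and the shared
# secret are constructed, and HMAC stands in for whatever the real app uses.
import hashlib
import hmac
import json
import struct

SECRET = b"constructed-device-secret"   # provisioned to phone and server


def generic_code(secret, now, step=30, digits=6):
    """Time-based one-time code in the style of RFC 6238. Note what is NOT
    an input: nothing about the trade being approved."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def canonical(trade):
    """Stable byte encoding so phone and server MAC the same bytes."""
    return json.dumps(trade, sort_keys=True, separators=(",", ":")).encode()


def server_accepts_code(secret, trade, code, now):
    """Generic-authenticator flow: the server can only check that the code is
    current. `trade` arrives from the (possibly hijacked) PC and is unchecked."""
    return hmac.compare_digest(code, generic_code(secret, now))


def phone_confirm(secret, trade_shown_to_user):
    """Bound flow: the phone MACs exactly the trade it displayed."""
    return hmac.new(secret, canonical(trade_shown_to_user),
                    hashlib.sha256).hexdigest()


def server_accepts_confirmation(secret, trade_to_execute, tag):
    """The server recomputes the MAC over the trade it is about to execute."""
    expected = hmac.new(secret, canonical(trade_to_execute),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


# Constructed trades: what the user meant to do, and what the PC submitted.
INTENDED = {"trade_id": 1001, "from": "user", "to": "friend",
            "items": ["Trading Card"]}
SUBMITTED = {"trade_id": 1001, "from": "user", "to": "unknown-account",
             "items": ["Trading Card", "Rare Item"]}


def compare_flows(now=1_449_619_200):
    """Run both flows against the same pair of trades."""
    code = generic_code(SECRET, now)        # user reads the code, types it on the PC
    tag = phone_confirm(SECRET, INTENDED)   # user confirms what the phone showed
    return {
        "code_approves_submitted": server_accepts_code(SECRET, SUBMITTED, code, now),
        "tag_approves_submitted": server_accepts_confirmation(SECRET, SUBMITTED, tag),
        "tag_approves_intended": server_accepts_confirmation(SECRET, INTENDED, tag),
    }


if __name__ == "__main__":
    print(compare_flows())
```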



Here's the tradeoff


At this time, most people have not protected their account with this increased level of security. Many don't believe that they are actually a worthwhile target for a hacker who's out to make money. Some felt they were smart enough about security to not need two-factor authentication. And other users knew they needed it, but couldn't use it due to reasons beyond their control, like not having access to a mobile phone.

So what if, instead of trying to prevent hackers from being able to steal a Steam account that hasn't enabled two-factor authentication, we tried removing their ability to profit from the theft? If hackers couldn't move the stolen goods off the hacked account, then they couldn't sell them for real money, and that would remove the primary incentive to steal the account. Hackers fundamentally rely on trading to offload stolen goods. The Steam Community Market doesn't work well for that purpose, because purchases can't be moved around as quickly (purchased items can't be traded for 7 days), and they can't ensure the items move to an account they control.

One option proposed was to simply remove trading. The Steam Market already accounted for the vast majority of virtual goods exchanged by Steam users. We even generate revenue off those transactions, which helps cover the cost of fraud, unlike person-to-person trades. And removing trading was by far the easiest solution to implement. But we felt that was a bad choice for users. Another easy choice would have been to require two-factor authentication for trading, but that's bad for the same reasons as removing it entirely. It's important that you can give a friend a TF2 weapon when he comes to try out the game, or give a friend the last trading card she needs to craft a game badge.

We felt that two-factor authentication was secure enough that it would protect anyone who enabled it, so the problem was the accounts that couldn't enable it (e.g. no mobile phone access). In the end, we arrived at the changes we're deploying today:

  • Anyone losing items in a trade will need to have a Steam Guard Mobile Authenticator enabled on their account for at least 7 days and have trade confirmations turned on. Otherwise, items will be held by Steam for up to 3 days before delivery.

  • If you've been friends for at least 1 year, items will be held by Steam for up to 1 day before delivery.

  • Accounts with a Mobile Authenticator enabled for at least 7 days are no longer restricted from trading or using the Market when using a new device since trades on the new device will be protected by the Mobile Authenticator.


This means that anyone using the Steam Guard Mobile Authenticator to confirm trades is able to continue trading as always. Users who haven't enabled it, or can't, can still trade, but they'll have to wait up to 3 days for the trade to go through. This gives both Steam and users the time to discover their accounts have been hacked and recover them before the hackers can steal their items.



A difficult balance


Once again, we're fully aware that this is a tradeoff with the potential for a large impact on trading. Any time we put security steps in between user actions and their desired results, we're making it more difficult to use our products. Unfortunately, this is one of those times where we feel like we're forced to insert a step or shut it all down. Asking users to enter a password to log into their account isn't something we spend much time thinking about today, but it's much the same principle - a security cost we pay to ensure the system is able to function. We've done our best to make the cost as small as possible, for as few people as possible, while still retaining its effectiveness.

Hopefully this post has given you some insight into the problem, and why we've taken this approach. As always, we'll continue to read the community's discussions throughout the Steam forums and the web at large, and we look forward to hearing your thoughts.
Steam Blog - Valve
We've seen a lot of Steam users lose access to their Steam accounts. Most often it’s because an attacker has compromised a user's email account. That email account can then be used to change the password and email address on that user's Steam account, blocking access to their games and items.

There are several methods attackers use that are hard to combat: malware in the guise of other programs like a ‘TeamSpeak update or missing audio codec’ or a ‘CS:GO weapon upgrader!’, malware disguised as images and screenshots, identifying users who reuse passwords on their Steam and email accounts, or via an exploit in their web browser or operating system.

It's a complicated situation and even very sophisticated Steam users can fall victim. Any Steam user who has made a purchase or earned a trading card has value in their account and should use these new features to protect it and all the time invested.

Account recovery with a phone number


Add a phone number to my account
Read the FAQ

By associating a phone number with your Steam Account you can easily regain access if:
  • You forget your password
  • You lose access to your email account
  • You get a new smartphone or lose your mobile authenticator
  • Your account is compromised
Steam can send you a text message to get you back into your account.


Steam Mobile Authenticator through the Steam Mobile app


Get the Steam Mobile app
Read the FAQ

Using the Steam Mobile app on iOS or Android, you can:
  • Confirm log ins to your Steam account
  • Confirm trades
  • Confirm Community Market listings

Using a second device (aka two-factor authentication) makes it very difficult for an attacker to access your account, even if they obtain your password, without physical access to your mobile device.


You can manage your Account Security and phone number anytime from your Account Details page.
Jun 2, 2015
Steam Blog - Valve
We're releasing a major update to how we handle requests for refunds for purchases on Steam. You can read through all the details about refunds on Steam here, or visit http://help.steampowered.com if you're having trouble with a purchase. We hope this will give you more confidence in trying out titles that you're less certain about.

Let us know what you think.
Steam Blog - Valve
With today's Steamworks SDK update, we've released The Steam Inventory Service beta, a new feature available to developers with games or software on Steam. The Steam Inventory Service is a set of new Steamworks APIs and tools that allow a game to enable persistent items that have been purchased or unlocked by individual users without having to run special servers to keep track of these users' inventories.



With this service, a game can easily drop items to customers based on playtime or can grant items based on specific situations or actions within the game. These items can be marked as tradable through Steam or sellable via the Steam Marketplace. Developers can also configure recipes for crafting different combinations of items that result in more rare, unique, or valuable items.

This new service adds to the list of APIs available for free to Steamworks developers, including achievements, cloud saves, authentication services, error reporting, leaderboards, matchmaking, Steam Workshop, peer-to-peer networking, in-game overlay, downloadable content, and much more.
Chivalry: Medieval Warfare - Valve
When we launched the Workshop late in 2011, we expected that it would grow, but not that it would grow this much, this quickly. So far, the total payments made to individuals for the creation of in-game items sold in Team Fortress 2, Dota 2, and Counter-Strike: Global Offensive have passed $57 million. This money was earned by over 1,500 contributors spread out across 75 countries.

New Curated Workshops

The limitation of paid, revenue-generating Workshops to Valve content has been an unfortunate consequence of the sheer number of challenges required in order to scale to a global audience of creators and players. Today we're happy to announce that after a ton of work, the first curated Workshops for non-Valve games have opened: Dungeon Defenders: Eternity and Chivalry: Medieval Warfare.



This is really exciting news and means that more high quality content will be available for the game you love playing. Plus, purchases of this great new content directly enable those community members to continue practicing their craft and making more awesome content.

We expect more curated Workshops to become available for creators and players in various games over the coming weeks and months.

Introducing Revenue Tools For Workshop Authors

The Workshop has continued to grow and a larger number of contributors are now earning revenue from more pieces of content in a wider variety of games. To help answer questions about where revenue is coming from, we're also launching a set of new tools that enable contributors to view real-time sales data for their items as well as view detailed per-item revenue breakdowns and historical statements.



Once you have content accepted into a paid, curated Workshop, you'll see a link to "View Your Revenue" from your "My Workshop Files" page. If you don't have any content accepted yet, now's a great time to get involved!
Steam Blog - Valve
With the launch of the Steam Tags beta back in February, we gave Steam customers the ability to "tag" any game or software with genres, themes, attributes, or any other term or phrase that would help customers find similar products. In the time since the feature launched, customers have applied tags more than 4 million times and across almost every product in the Steam catalog.

Our goal for Steam is to keep getting better at helping each customer find the next games that they want to play. Tags are a critical component in helping the Steam store better understand which products are related, which in turn contributes to better recommendations of games for customers. While there are a number of important components in making confident recommendations for customers, this blog post will focus primarily on tags.

So, how do we measure the effectiveness of tags? Let's start by looking at a couple of areas where the store is currently generating recommendations that have been affected by the existence of tags.

If you visit a product page for a game on Steam, you'll notice a section just above the reviews called "More like this". With the addition of tags, we can better figure out which games are most closely related thematically and stylistically. As a result, the amount of traffic through the "More like this" section of the product page has tripled, which indicates to us that customers are finding those suggestions much more relevant.




Tags are also really useful for making specific recommendations for users based on the games they have been playing recently. Before we had the tag data, visitors to the "Recommended for you" page were just presented with items on their wishlist or DLC for games they had bought. We had genres on Steam, but we found that their usage was far too broad to be useful in making recommendations for similar games (for an example of this, look at the breadth of variety in the Action genre).

With the data we have from tagging, the "Recommended for you" page can actually suggest titles related to what you've been playing, and as a result, we've seen a significant increase in the percentage of clicks on the titles being recommended.




While we were looking at the impact of tags, we discovered that a couple of early decisions we had made were holding tags back from working even better. One of those decisions was to have a separate pool of tags for each available language.

We had assumed that some languages might have cultural differences in the kind of tags or the use of tags that would generate different data that is more relevant for users in those languages. That may still be true, but the downside of having separate pools of tags outweighs any positives that may be possible. Most languages, which have fewer Steam users than English, ended up with many fewer tags applied and a higher percentage of bad data from the tags (inappropriate tags, jokes, etc.).



As a result of this finding, we are merging tags from across all the Steam languages to create one list of tags which is translated by our community translators. This means that the same tags will show up on a game for every customer, though customers may see a language-specific translation of a term if it is appropriate for their language.


Another change we are making is in how similar tags get merged together and the threshold at which new tags become part of the system.

The degree to which a tag is useful for making recommendations depends on two elements: How many people agree that it should be applied to a specific game and how accurately it associates the games it is applied to. For example, highly useful tags tend to be objective descriptions of content or theme such as "Fantasy" or "Zombies".

Unhelpful tags are ones where users don't agree on usage, or they are too general to help the recommendation system actually find related games. An example of this is the tag "Fun". Since everyone has a slightly different definition of what is fun for them, this tag tends to get applied to a huge variety of games and dilutes our ability to identify which products are actually similar.

When we dig in deeper and look at the individual tags being applied, it becomes clear that there is another category of tags where there is a commonly agreed upon concept, but with many similar spellings or phrases to communicate that concept. For example, we found 4 different variations of a term for a game that supports user modifications: "Modding", "Mod-friendly", "Moddable", "mod supported". Since it is more useful to have a single tag for a term than it is to have a bunch of really similar tags, we have merged together a number of tags. In some cases when you enter a specific tag, you will see it appear as the variation that we have merged it into. For example, if you enter the tag "Mod-friendly" on a title, you will actually see the tag "Moddable" appear.


With this set of changes, we are removing the 'beta' tag on the Steam Tags feature. This is mostly a cosmetic change, since we will continue to make improvements to the feature as we learn new things about how customers are using tags and how we can better utilize the relationships being defined between products.

If you have any feedback or encounter any issues, please continue to post in the Steam Tagging discussions here: http://steamcommunity.com/groups/SteamClientBeta/discussions/2/
Dec 12, 2013
Steam Blog - Valve


This week we shipped an update to the Steam Mobile app for iOS (v1.3) which adds new features and updates the visual style to make the mobile experience feel more at home alongside the desktop and Big Picture interfaces. We also revamped the mobile web experience for all users, which includes user profiles, groups, the storefront, and many other pages.

Offline Chat
With the new iOS app, you can send messages to users who are offline as well as view any messages you have received while offline. This includes the ability to see your chat history with other users.

Friends & Groups
We’ve added support to the iOS Friends view for nicknames, Facebook suggested friends, and what platform (mobile, big picture, desktop) a friend is currently active on. The UI for responding to friend & group invites has been streamlined.

Notifications
The notification badge on the iOS application icon will tell you at a glance how many pending notifications you have. This includes offline messages, pending friend invites, and pending group invites. The in-app menu will also break these down by type. Mobile users can control which types of notifications they receive by visiting the Steam Preferences page in their app settings menu. There are also iOS and Android system-wide settings which control how applications receive and display push messages, so users should make sure those settings are enabled if they wish to see Steam notifications.

Catalog
The new mobile app and web storefront features an updated carousel and grid design, with the ability to easily filter titles by platform and DLC.

Feedback
Your feedback is important to us as we continue to prioritize improvements to the Steam Mobile experience. If you have input, please visit the Steam Mobile Discussions and let us know!