I think I can safely say not to expect an apology from them... looks like they're keeping silent, as if pretending nothing happened. Hopefully a lawsuit comes their way and they're forced to speak up, as this time it's not a bunch of hackers doing this, they simply brought this upon the world themselves.
mindblast: It's a shame that they didn't come up with an apology for the incident yet.
They haven’t even acknowledged a problem existed on their official channels like e-mail, Twitter, or their own website. Rather than tell the userbase, they released a vague statement to Kotaku and Gamespot. Just imagine an online service like Netflix made a technical blunder and accidentally displayed your account details to unknown persons and then instead of telling you, they told a bunch of movie critics. That is the bizarre situation we're in.

As far as most of the 100+ million Steam users know, nothing happened.

I really think this is up there with the worst thing Valve has ever done (yes, worse than circumventing EU law by forcing users to waive their right to a refund) and in some places like the UK it's borderline illegal.
Post edited December 30, 2015 by markrichardb
It's not as easy just because they have millions of subscribers. Them apologizing means that they officially take the blame upon themselves. In a court of law, that declaration would stand up as evidence and it would act against them. As a user and Steam supporter, I feel bad for their lack of communication, but I understand why it is this way. It's a delicate thing for them. It's a serious thing what happened, that can lead to very bad situations, but it can also lead to plain nothing, only time will tell.

Not Netflix, not Microsoft or EA would jump too fast into throwing excuses. That's not how big business works. They need to be very careful due to legal implications, they need to investigate to know for sure what caused that issue.

TotalBiscuit gives some good explanations and worst-case-scenarios that can happen due to something like this.
https://www.youtube.com/watch?v=esmKdMDvSGI
Post edited December 30, 2015 by mindblast
markrichardb: They haven’t even acknowledged a problem existed on their official channels like e-mail, Twitter, or their own website.
Ahem.
markrichardb: They haven’t even acknowledged a problem existed on their official channels like e-mail, Twitter, or their own website.
JMich: Ahem.
Was just about to post this. So it started with a DDoS, which they (one of Valve's server partners) responded to by making a caching config change that was bad and served up the wrong pages. I'd like to fault Valve for all of this, but it seems like they and their partners did everything they were supposed to, then simple human error got in the way. I'd hate to be the guy who was covering server support on Christmas day right now.
JMich: Ahem.
cogadh: Was just about to post this. So it started with a DDoS, which they (one of Valve's server partners) responded to by making a caching config change that was bad and served up the wrong pages. I'd like to fault Valve for all of this, but it seems like they and their partners did everything they were supposed to, then simple human error got in the way. I'd hate to be the guy who was covering server support on Christmas day right now.
34 000 people got affected. Surprisingly low number.
Just spotted it too. Hopefully the consumers who had their details shown to unknown persons will be told soon.
cogadh: Was just about to post this. So it started with a DDoS, which they (one of Valve's server partners) responded to by making a caching config change that was bad and served up the wrong pages. I'd like to fault Valve for all of this, but it seems like they and their partners did everything they were supposed to, then simple human error got in the way. I'd hate to be the guy who was covering server support on Christmas day right now.
KneeTheCap: 34 000 people got affected. Surprisingly low number.
I would credit that to the community response. It was very quickly realized that this was a caching error and word spread through Reddit and other community sites like wildfire. Almost immediately people were being warned on all major gaming sites to not log in to Steam until the problem was fixed. Those 34000 were the few who didn't see the news or found out too late. Frankly, it sounds like the information accessed is not likely to be harmful on Steam or lead to full-on identity theft, but it may be enough for some "social engineering" type hacking on other sites and services those Steam members may use.
77000 accounts getting hacked, 34000 people got affected by a server caching issue at a time where many a user were using Suckeam and... just where do they get these numbers from? Do they make them up on the spot? I'd like to assume another possibility, but it seems that I have a feeling that they made up this number just so that they take a small bump rather than a headshot from the backlash.

It reminds me of Bendgate. Many an iPhone 6 Plus from dedicated Apple and iPhone fans were bent, the response to this from Apple themselves? That only nine phones were bent, and then whatever there were of easy-to-sway Apple fans immediately believed that. I feel that Valve's number is... to say, to achieve that purpose. To soften the backlash by throwing an official statement with a small number and then letting their fans do the cover-up for themselves.

Just think of it. So they came out and admitted it. Do they also add more insult to the injury by admitting that the number of affected people was so huge, that they could enter a beyond goner territory?


But hey, this is all speculation of course. Don't take my word for it seriously.
Post edited December 30, 2015 by PookaMustard
PookaMustard: 77000 accounts getting hacked, 34000 people got affected by a server caching issue at a time where many a user were using Suckeam and... just where do they get these numbers from? Do they make them up on the spot? I'd like to assume another possibility, but it seems that I have a feeling that they made up this number just so that they take a small bump rather than a headshot from the backlash.

Just think of it. So they came out and admitted it. Do they also add more insult to the injury by admitting that the number of affected people was so huge, that they could enter a beyond goner territory?

But hey, this is all speculation of course. Don't take my word for it seriously.
Right....
You'd expect from them to be able to check / verify / restore hacked accounts, but failing on ... counting?
The caching problem involves finding the problem, fixing it, then cross-checking with what the system should have been delivering and how many requests this server has handled. Looks like standard server maintenance to me.

Regarding potential damage control: I can't and won't dismiss it entirely, but if that's the intent they would have pointed with fingers on DoS attacks from the get-go.
Siannah: Right....
You'd expect from them to be able to check / verify / restore hacked accounts, but failing on ... counting?
The caching problem involves finding the problem, fixing it, then cross-checking with what the system should have been delivering and how many requests this server has handled. Looks like standard server maintenance to me.

Regarding potential damage control: I can't and won't dismiss it entirely, but if that's the intent they would have pointed with fingers on DoS attacks from the get-go.
This is Valve. They never count beyond 3. /s

Anyways, no, my question is where they got the 34000 number from. How do they check if an account had been compromised in this way? Is my question. They could identify the problem and fix it, but how do they determine how many checked incorrect accounts versus the true checks?

They probably didn't point their fingers on DoS attacks just to claim that they are secure and whatever crap we all love to hear. However, now that they admitted that they had a problem that day, they simply made up an astonishingly small number to make their fans believe it and immediately cover up their corporate issues.

Or could it be that the online users are simply low enough compared to how many registered?
PookaMustard: They could identify the problem and fix it, but how do they determine how many checked incorrect accounts versus the true checks?
Log files. IP X requested page Y, got page Y displayed. IP Z requested page A, got page B displayed.
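
The log cross-check described in the reply above, sketched as an added example that is not part of the original thread and not Valve's or its caching partner's tooling. The log columns, paths and account names are constructed assumptions; real edge logs would need the served page's owner derived from origin records.

```python
import csv
import io
from collections import defaultdict

# Constructed sample edge-cache log (not real data). Assumed columns:
# requester  = account of the session that made the request ("-" if logged out)
# page_owner = account the served page was rendered for ("-" if public)
SAMPLE_LOG = """\
ts,client_ip,requester,path,cache,page_owner
2015-12-25T19:50:01Z,198.51.100.7,alice,/account/,MISS,alice
2015-12-25T19:50:04Z,203.0.113.9,bob,/account/,HIT,alice
2015-12-25T19:50:09Z,203.0.113.20,carol,/account/,HIT,alice
2015-12-25T19:51:30Z,198.51.100.44,dave,/checkout/,MISS,dave
2015-12-25T19:51:31Z,192.0.2.15,-,/checkout/,HIT,dave
2015-12-25T19:52:00Z,192.0.2.15,erin,/store/,HIT,-
2015-12-25T19:52:10Z,198.51.100.7,alice,/account/,HIT,alice
"""

# Hypothetical path prefixes for pages that carry personal data.
PERSONAL_PREFIXES = ("/account/", "/checkout/")


def find_exposures(log_text):
    """Map each page owner to the (client_ip, requester) pairs that
    received a cached copy of that owner's personal page."""
    exposed = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        owner = row["page_owner"]
        if row["cache"] != "HIT" or owner == "-":
            continue  # served fresh from origin, or a public page
        if not row["path"].startswith(PERSONAL_PREFIXES):
            continue  # no personal data on this page
        if row["requester"] != owner:
            # "IP Z requested page A, got page B displayed"
            exposed[owner].add((row["client_ip"], row["requester"]))
    return dict(exposed)


def summarize(exposed):
    """Count accounts whose pages leaked and distinct wrong viewers."""
    viewers = {v for pairs in exposed.values() for v in pairs}
    return {"affected_accounts": len(exposed), "wrong_viewers": len(viewers)}


if __name__ == "__main__":
    result = find_exposures(SAMPLE_LOG)
    print(summarize(result))
    for owner, pairs in sorted(result.items()):
        print(owner, sorted(pairs))
```

The count of affected accounts is the number of page owners with at least one mismatched cache hit, which is why it can be far smaller than the number of users online during the window.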
cogadh: I would credit that to the community response. It was very quickly realized that this was a caching error and word spread through Reddit and other community sites like wildfire. Almost immediately people were being warned on all major gaming sites to not log in to Steam until the problem was fixed. Those 34000 were the few who didn't see the news or found out too late. Frankly, it sounds like the information accessed is not likely to be harmful on Steam or lead to full-on identity theft, but it may be enough for some "social engineering" type hacking on other sites and services those Steam members may use.
I'd certainly be more skeptical of that as I'd argue probably just as many people rushed to check it out as those who thought to stay away. The most common response to those 'alert' threads was people going "ow yeah I get it too!"

You're banking on common sense from people, and while that may be more likely to happen with the slightly more paranoid core GOG userbase here, it's not that prevalent in the rest of the gaming community.
Post edited December 31, 2015 by Pheace
cogadh: I would credit that to the community response. It was very quickly realized that this was a caching error and word spread through Reddit and other community sites like wildfire. Almost immediately people were being warned on all major gaming sites to not log in to Steam until the problem was fixed. Those 34000 were the few who didn't see the news or found out too late. Frankly, it sounds like the information accessed is not likely to be harmful on Steam or lead to full-on identity theft, but it may be enough for some "social engineering" type hacking on other sites and services those Steam members may use.
Pheace: I'd certainly be more skeptical of that as I'd argue probably just as many people rushed to check it out as those who thought to stay away. The most common response to those 'alert' threads was people going "ow yeah I get it too!"

You're banking on common sense from people, and while that may be more likely to happen with the slightly more paranoid core GOG userbase here, it's not that prevalent in the rest of the gaming community.
I disagree. I'm not banking on common sense at all, I'm banking on fear. Those "yeah I get it too" posts started to scare a lot of people very quickly, even the less than paranoid people. It wasn't long before the word spread far beyond forums and Reddit to major news sites, in and out of the gaming world, where almost across the board the warning was "DO NOT LOG IN TO STEAM!!!" Obviously didn't work for everyone, but how else would you explain the low numbers of affected accounts on what is arguably one of Steam's most active days? It certainly wasn't Valve's "rapid" response, it was well over an hour of this happening before they even reacted to it. The one obvious lie in their apology, that it happened for "about an hour", bullshit, the first reports were almost two hours before they shut down the store. The only other conclusion is that Valve is completely lying about the actual number of affected accounts and what possible purpose would that serve? The damage is already done, lying about how many were affected doesn't change that.
markrichardb: They haven’t even acknowledged a problem existed on their official channels like e-mail, Twitter, or their own website.
JMich: Ahem.
So they did get DDoS'ed. All the fanboys that say it ain't can now shut their trap for good.
Post edited December 31, 2015 by mikopotato