Update: It seems, for me at least, that Valve have run screaming around the building, pulling out every plug they can find, as all the servers now appear to be down.
Update 2: After an astonishing four hours of silence, Valve finally bothered to say something publicly about the massive screw-up. They told Kotaku, “As a result of a configuration change earlier today, a caching issue allowed some users to randomly see pages generated for other users for a period of less than an hour. This issue has since been resolved. We believe no unauthorized actions were allowed on accounts beyond the viewing of cached page information and no additional action is required by users.”
Original story: There we were, feeling smug in our PC slippers that Sony were having trouble authenticating new PlayStation accounts this Christmas Day, and Steam goes nutso-crazy. And in a really serious way. As Kotaku reports on this merry eve, people are logging into Steam to discover they have access to someone else’s account. Full access, letting them see email addresses, personal details, and most of all, see Steam Wallet money.
Clearly most people at Valve will be at home, filling their face with roast Vortigaunt, so a response to the crisis seems slow. At the time of writing, I’m still able to log into my Steam account through the app, but the website version seems to either be crashing under the weight of people observing the news, or brought down at their end in a “QUICK, PULL THE RED LEVER!” sort of way. Kotaku’s Jason Schreier, as well as having too many Es in his name, has found looking at purchase histories “will bounce around other random accounts too.”
Obviously there’s no word yet if this is a hack, some giant internal screw-up, or perhaps an elaborate ARG informing us of the imminent release of Half-Life 3. Again, according to Kotaku, Steam Guard (which fires off an email to you if someone tries to log into your account from an unrecognised computer) isn’t preventing people’s accounts from being accessed.
Edit: People in our comments are reporting it’s a caching issue, the store serving you someone else’s cached page, so if you didn’t log in, you’re fine. So glad I logged in in order to write this story. With the whole thing pulled offline, it seems people should be safe right now. I imagine they’ll insist everyone change their passwords come tomorrow. Edit: Valve are saying otherwise, but changing your password on occasion is good practice.
Keep an eye on your accounts, clearly. All the best to Valve’s engineers, whose Christmas has just been shat on from far above.