Steam’s store has been pulled offline after a major security error exposed thousands of users’ personal information.
Anyone logging in to Steam this evening, Christmas Day, was greeted with account details for other users’ accounts instead of their own.
Usernames and PayPal email addresses were visible, along with purchase histories and other private information.
Thankfully, no new purchases could be made – despite users being able to see the amount of funds in another user’s Steam wallet, as well as censored information on linked credit cards such as the last few digits. Account details could not be changed, either.
But the information linked to accounts could still be used to compromise other services.
Eurogamer readers have provided evidence of being able to view dozens of other users, with accounts served up at random as they refreshed the store pages.
We’ve also seen account details of people who were using the service’s Steam Guard and Mobile Authenticator methods of protection – which did not stop the information being shown.
At present it appears to have been a caching error on Valve’s part, which ended up serving the wrong pages to the wrong people.
Valve has yet to comment on the matter. Steam’s help desk is also offline.