As you must know by now, something went seriously wrong with Steam on Christmas Day.
Users were in some instances able to see the personal details of others, up to and including names, addresses and the last four digits of credit card numbers.
There was much confusion at the time surrounding what was going on; the prevailing theories were that what was happening was either the result of a DDoS attack, a caching error, or a caching error caused by a DDoS attack. Thankfully, the most palatable of these scenarios, that is, a caching problem at Valve’s end, has since turned out to be the real culprit. While it’s comforting, in a way, that what transpired was not fallout from a deliberate attempt to steal data, questions remain about how this happened, and what – if anything – the consequences might be. It also underscores some of the major risks of digital-only distribution.
Steam, Battle.net, Origin, Uplay – you have no choice but to deal with one or some of these as a PC gamer in 2015/16. In so doing, your data is put at risk. It’s that simple – no system is infallible. You can certainly take steps to reduce the chances of cybercriminals getting anything useful in the event of a breach, but there’s no way of being 100% safe. In the case of what happened on the 25th, what can or can’t be done with the data that could have been leaked is open for debate.
Since getting back into PC gaming, I’ve become more and more ill at ease with digital distribution. The Steam Subscriber Agreement makes clear that you’re paying for a license to use a particular product, nothing more. Although it’s pretty inconceivable at this point that Steam would simply cease to exist one day, what does concern me is the potential for individual items to be unceremoniously removed from my library at Valve’s or another publisher’s behest, or indeed, my personal info finding its way into nefarious hands.
Of course, if you check the EULAs for disc-based titles from 15-20 years ago, you’ll see that, in fact, ownership of the games we play has always been a myth, and all we’ve ever paid for is licenses. The only difference is that the EULAs on (relatively) DRM-free console releases are unenforceable, thereby conferring at least de facto ownership; that is, the ability to lend, trade and sell at your own sole discretion. This is why I would always urge buying physical console games.
But PC gamers don’t really have this option, since the enormous majority of boxed games feature the same DRM as their digital counterparts. Because of this, we’ve now reached a point whereby (legal) PC gaming is in and of itself a calculated risk, since there’s no way to meaningfully participate without signing up for some type of externally held account, thereby putting your personal data in harm’s way.
I never have and never will put my card information into PlayStation Network following their infamous data breach in 2011. My faith in Steam has been shaken to the point where I may resort to buying pre-paid credit elsewhere with which to make purchases and changing my ‘address’ to a string of nonsense.
I won’t stop using Steam, though. After all, as a freshly off the wagon PC gamer, I don’t really have a choice, do I?
UPDATE: Valve has confirmed that what happened was actually the result of a DDoS attack after all, albeit as an unintended consequence of their own security countermeasures rather than the attack itself. They downplay the importance of the data exposed, but the fact that what transpired came about through malicious intent is worrying indeed. Scary times.