He's right, and I have to wonder whether Valve's eventual response, issued on December 30, 2015, not long after this video was uploaded, was in reaction to his rant (and possibly other rants on YouTube and elsewhere).
Valve's Dec. 30 explanation is here:
http://store.steampowered.com/news/19852/
Not only does Valve explain about the DDoS (Distributed Denial of Service), but they apologize for the incident, which is something else Total Biscuit mentioned in his video rant.
Apparently Valve placed a high priority on the Steam site staying up over Christmas, and didn't test the "second configuration change" that caused the problem before going online with it. Normally incorrect configuration changes are caught during testing.
In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users.