Over the past week, a number of Steam accounts — including those of some prominent streamers and DOTA 2 pros — were temporarily stolen courtesy of a pretty glaring hole in Valve’s security.
The loophole — which Valve says was a “bug” — was fixed once the issue was brought to light, but not before many users complained of temporarily losing their accounts to people accessing them from other PCs, sometimes from the other side of the planet.
While the idea of accounts being hijacked makes it seem like it was a complex affair, it really wasn’t: the video below shows that from the “lost password” section of Steam support all a “hacker” needed was your account name, and from there they could reset your password, choose a new one and get access to your account, with no verification or email address needed.
That’s…a pretty terrible loophole for a service with a reputation as strong as Valve’s. Normally (though not always), account problems with Steam, as is the case with platforms like the Xbox, are a result of external security failures, usually related to phishing.
A Valve spokesperson tells Kotaku the company learned of a “bug” on July 25 “that could have impacted the password reset process on a subset of Steam accounts during the period July 21-July 25. The bug has now been fixed.”
To those affected, Valve says:
To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.
Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorised logins even if the password was modified.
We apologise for any inconvenience.
Comments
11 responses to “Steam Accounts Hijacked Following Security Lapse”
My account didn’t get hacked so I must be one of the lucky ones, although it’s sad hackers had to do it.
My friend got hacked, lost all his arcanas and many immortals…
Next time Valve or anyone else for that matter is quick to blame user where any problem is concerned feel free to point this one out to them 🙂
This happened to me… they changed the email and I still can’t get access to the account
So are they rolling back any email addresses that changed during this time? Pretty sure one of the 1st things a hacker would do after accessing the account is change the email. Which would make having an email sent out pretty useless.
A good example for why you should learn to deal with the minor inconvenience of Steam Guard.
This right here… and once you’re set up with the Steam app, Steam Guard isn’t even a minor inconvenience.
tis why we need 2 factor auth
We have it, it’s called SteamGuard.
Steam hasn’t fixed my account yet… have not been able to log in since Tuesday, no response from support ticket
DRM wins again.
Steam will not care if you lost anything ever cause they don’t have to; it’s part of their backed us corporate model. Use someone else to force your crap to destroy the internet.