Over the past week, a number of Steam accounts—including those of some prominent streamers and DOTA 2 pros—were temporarily stolen courtesy of a pretty glaring hole in Valve’s security.
The loophole—which Valve says was a “bug”—was fixed once the issue was brought to light, but not before many users complained of temporarily losing their accounts to people accessing them from other PCs, sometimes from the other side of the planet.
While the idea of accounts being hijacked makes it seem like it was a complex affair, it really wasn’t: the video below shows that from the “lost password” section of Steam support all a “hacker” needed was your account name, and from there they could reset your password, choose a new one and get access to your account, with no verification or email address needed.
That’s...a pretty terrible loophole for a service with a reputation as strong as Valve’s. Normally (though not always), account problems with Steam, as is the case with platforms like the Xbox, are a result of external security failures, usually related to phishing.
A Valve spokesperson tells Kotaku the company learned of a “bug” on July 25 “that could have impacted the password reset process on a subset of Steam accounts during the period July 21-July 25. The bug has now been fixed.”
To those affected, Valve says:
To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.
Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorized logins even if the password was modified.
We apologize for any inconvenience.