This week, a glaring security flaw in arguably the most popular PC digital distribution system was found, allowing just about anybody to wrest complete control of other people’s Steam accounts. Valve’s security is usually top-notch, but this weekend, that changed. For whatever reason, the usually air-tight security in place on Steam collapsed, making it laughably easy to hijack accounts.
You know how when you reset a Steam password, you usually get an email with a code that you need to input to verify yourself? This weekend, all a potential hijacker needed to put in was nothing – allowing said hijacker to change the password and gain control of the account.
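Valve has not published the root cause, so the following is an added sketch, not Steam's code: one common way a blank code can slip past a reset check, next to a hardened version. The in-memory store, function names and 15-minute lifetime are all assumptions made for the illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60  # assumed code lifetime

# Constructed in-memory store: account -> (code, issued_at) for pending resets.
pending = {}

def issue_code(account, now=None):
    """Create a random single-use reset code for an account."""
    code = secrets.token_hex(3).upper()
    pending[account] = (code, time.time() if now is None else now)
    return code

def naive_verify(account, submitted):
    """Weak check: with no pending reset the stored value defaults to "",
    so a blank submission compares equal and is accepted."""
    stored = pending.get(account, ("", 0))[0]
    return submitted == stored

def hardened_verify(account, submitted, now=None):
    """Reject blank input and missing resets, enforce expiry and single use."""
    now = time.time() if now is None else now
    entry = pending.get(account)
    if entry is None or not isinstance(submitted, str) or not submitted:
        return False
    code, issued_at = entry
    if now - issued_at > CODE_TTL_SECONDS:
        pending.pop(account, None)  # expired codes are discarded
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    ok = hmac.compare_digest(submitted.encode(), code.encode())
    if ok:
        pending.pop(account, None)  # a code works exactly once
    return ok
```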
Thankfully Valve has some smart safeguards in place to prevent those curiously expensive Steam items from being sold off or traded following a password change, so the damage has been minimal. If you’ve enabled Steam Guard (which you absolutely should do) or use two-factor authentication using the mobile app, chances are your account was safe.
Valve has killed the loophole, which they say was a bug in the system. In a statement to Kotaku, Valve says that they’ll be resetting the passwords on affected accounts, adding that no data was leaked from the hijacking hijinks.
“To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.
Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorised logins even if the password was modified.
We apologise for any inconvenience.”
Last Updated: July 27, 2015