Valve fixes gaping Steam security flaw

This week, a glaring security flaw in arguably the most popular PC digital distribution system was found, allowing just about anybody to wrest complete control of other people’s Steam accounts. Valve’s security is usually top-notch, but this weekend, that changed. For whatever reason, the usually air-tight security in place on Steam collapsed, making it laughably easy to hijack accounts.

You know how when you reset a Steam password, you usually get an email with a code that you need to input to verify yourself? This weekend, all a potential hijacker needed to put in was nothing – allowing said hijacker to change the password and gain control of the account.
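An added example, not from the article and not Valve's code (Valve did not publish the root cause): a reset-code verifier that refuses empty or missing input before any comparison, next to a hypothetical flawed check of the kind that lets an empty code through. All names, the in-memory store and the 15-minute lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60  # assumed code lifetime for this example
_pending = {}  # account -> (sha256 of code, expiry time); constructed in-memory store


def issue_reset_code(account, now=None):
    """Create a one-time code, store only its hash, return the code to e-mail."""
    now = time.time() if now is None else now
    code = secrets.token_hex(4).upper()
    _pending[account] = (hashlib.sha256(code.encode()).digest(), now + CODE_TTL_SECONDS)
    return code


def naive_check(stored_code, submitted):
    """Hypothetical flawed check: a missing stored code equals empty input."""
    return (stored_code or "") == (submitted or "")


def verify_reset_code(account, submitted, now=None):
    """Accept only a non-empty, unexpired, matching code; consume it on success."""
    now = time.time() if now is None else now
    if not isinstance(submitted, str) or not submitted.strip():
        return False  # empty or missing input is never a valid code
    entry = _pending.get(account)
    if entry is None:
        return False  # no reset was requested for this account
    digest, expires = entry
    if now > expires:
        _pending.pop(account, None)  # expired codes are discarded
        return False
    candidate = hashlib.sha256(submitted.strip().upper().encode()).digest()
    if not hmac.compare_digest(digest, candidate):  # constant-time comparison
        return False
    del _pending[account]  # single use: a code cannot be replayed
    return True
```
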

Thankfully Valve has some smart safeguards in place to prevent those curiously expensive Steam items from being sold off or traded following a password change, so the damage has been minimal. If you’ve enabled Steam Guard (which you absolutely should do) or use two-factor authentication using the mobile app, chances are your account was safe.

Valve has killed the loophole, which they say was a bug in the system. In a statement to Kotaku, Valve says that they’ll be resetting the passwords on affected accounts, adding that no data was leaked from the hijacking hijinks.

“To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.

Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorised logins even if the password was modified.

We apologise for any inconvenience.”

Last Updated: July 27, 2015

10 Comments

  1. Admiral Chief in Skellige

    July 27, 2015 at 08:03

    Yikes

  2. Guild

    July 27, 2015 at 08:12

    Damn

  3. Bagel

    July 27, 2015 at 08:13

    The only thing saving people’s in-game items was the 5 day trade ban when resetting passwords.

    Russia > Volvo

  4. Umar

    July 27, 2015 at 08:14

    WTF…..That’s….that’s not something small. I’m glad no one (besides the users) is calling it hacking, because it’s not, and that is a serious bug they introduced. Luckily it’s fixed but that must’ve done them some major damage. Aren’t services that store Credit Card information supposed to be PCI compliant? That’s a MAJOR breach. Damn.

  5. Brandon van Reenen

    July 27, 2015 at 08:20

    That header god dammit! XD

    • Geoffrey Tim

      July 27, 2015 at 08:20

      I laughed. Best worst security ever.

    • Admiral Chief in Skellige

      July 27, 2015 at 08:31

      THIS IS A MAMBA PUMP ACTION SHOTGUN!

  6. crushcrush

    July 27, 2015 at 16:01

    What about people who have payment info stored. Hijackers could’ve gifted games to their own accounts with your payment information. I’m sure Steam will be willing to refund any purchases in that window, right?
