Steam users were hijacking each other’s accounts all weekend, but Valve has put a stop to it.
We didn’t want to report on this while it was happening because it was so, so easy to do, but a frankly embarrassing bug was found in Steam’s security this weekend.
You know how Steam sends codes to your registered email address to make sure that you’re really you when you try to change your password? Well, it turns out that system had a pretty glaring hole in it: if you entered no code and hit continue, you could proceed as if you’d entered the correct code.
As you’ll see in the video below, it was ridiculously easy to do, allowing the unscrupulous to lock people out of their own accounts.
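One way the flaw described above can arise in code, as an added illustration and not Valve’s own code (the actual cause was never published): a verifier that treats a missing code as “nothing to check” instead of “check failed”, shown beside a version that requires a code, compares it in constant time and discards it after a single use. The in-memory store and function names are assumptions.

```python
import hmac
import secrets

# Constructed in-memory store of pending reset codes, keyed by account id
# (assumption: one outstanding code per account, issued per request).
_pending_codes = {}


def issue_reset_code(account_id):
    """Generate the code that would be emailed to the account holder."""
    code = secrets.token_hex(4)  # 8 hex characters
    _pending_codes[account_id] = code
    return code


def verify_code_vulnerable(account_id, submitted):
    """Illustrative flawed check: an absent code short-circuits to success.

    A form submitted with the field left blank never reaches the comparison,
    so an attacker who knows only the account can 'confirm' the reset.
    """
    expected = _pending_codes.get(account_id)
    if not submitted:          # "" or None: treated as nothing to verify
        return True
    return submitted == expected


def verify_code_fixed(account_id, submitted):
    """Hardened check: a code is mandatory, compared in constant time, single use."""
    expected = _pending_codes.get(account_id)
    if not expected or not submitted:
        return False           # missing code or no pending reset: fail closed
    ok = hmac.compare_digest(submitted.encode(), expected.encode())
    if ok:
        _pending_codes.pop(account_id, None)  # consume so it cannot be replayed
    return ok
```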
Now, Valve actually has some really great systems in place to prevent hijackers getting any actual use out of situations like this: things like trading are automatically restricted after a password change, and Steam Guard will prevent users from accessing the account from their own machines, if you’ve opted into that, which you should (hopefully Steam Guard codes weren’t affected by the same problem).
Still, it was pretty bad – but thankfully it’s all over now. In a statement supplied to Kotaku, Valve said the problem was caused by a bug, which has now been definitively squashed. Affected users will have to go through another password reset, but that should be the only fallout.
“Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorised logins even if the password was modified,” Valve added.