This weekend, a number of Steam accounts were compromised by what Steam says is a bug. Several people lost access to their accounts after others exploited a loophole in the password recovery system. Some prominent streamers were among those who had their accounts stolen.
Kotaku initially reported on the security loophole. A video showing what happened makes it clear that this wasn’t elite hackers doing the hijacking; just about anyone could have bypassed the security, as long as they knew the name of the account they were targeting. The problem was in password recovery: you’re meant to receive an account recovery code (sent to your email address or your phone) to confirm that the account is yours. Only, it didn’t matter whether you ever received that code, because the process accepted a blank recovery code field.
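Valve has not published the root cause, so the vulnerable function below is an assumption: one plausible check that produces exactly the behaviour described (an empty field passes for any account that never requested a code), shown next to a hardened version. This is an added illustration, not Steam's code.

```python
import hmac
import secrets
import time

# Constructed in-memory store: account name -> pending recovery code record.
# An account that never requested recovery simply has no record.
PENDING_CODES = {}

def issue_recovery_code(account, now=None):
    """Generate a single-use, time-limited code and record it for the account."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING_CODES[account] = {"code": code, "expires": (now or time.time()) + 600}
    return code  # in a real system this is delivered by email/SMS, never echoed to the client

def verify_code_vulnerable(account, submitted):
    """Hypothetical flawed pattern: compares the submitted value with whatever is
    stored, and a missing record collapses to the empty string, so an attacker who
    never received a code can submit "" and match."""
    stored = PENDING_CODES.get(account, {}).get("code", "")
    return submitted == stored  # "" == "" when no code was ever issued

def verify_code_hardened(account, submitted, now=None):
    """Reject empty input, unknown accounts and expired codes; compare in constant
    time; consume the code on success so it cannot be replayed."""
    if not submitted:
        return False
    record = PENDING_CODES.get(account)
    if record is None or (now or time.time()) > record["expires"]:
        return False
    if not hmac.compare_digest(submitted.encode(), record["code"].encode()):
        return False
    del PENDING_CODES[account]  # single use
    return True
```

The key defensive checks are that an absent or empty code is never treated as a match, and that verification state is bound to a code that was actually issued to the account.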
This is—obviously—not good. It’s especially surprising for Steam, which has a notoriously difficult system to breach. In fact, it’s sometimes frustrating to even get your own password back. (I swear Steam’s account recovery guidelines are more complicated than my bank’s. I’m not sure how I feel about that, to be honest.)
Valve acknowledged the bug and fixed it as of Saturday. They responded to those affected:
To protect users, we are resetting passwords on accounts with suspicious password changes during that period or that may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users log in to their account via the Steam client and set a new password.
Please note that while an account password was potentially modified during this period, the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorized logins even if the password was modified.
We apologize for any inconvenience.
Evidently there wasn’t a huge number of users affected by the breach, and it was only a risk from July 21 to July 25.