
It wasn’t a hack, but it was just as bad.

Video-game streaming service Steam has been vulnerable to a serious password exploitation technique since at least July 21, and if not for five-day bans on password changes, plenty of Steam users could have been in big trouble.

The method for gaining unauthorized access to Steam accounts barely qualified as a hack. Password reset requests generate an email to the address of the Steam user in question. That email includes a code that must be entered for the reset process to proceed. But the password reset bug skipped the code phase and allowed a reset without any verification.

In other words, if someone knew your Steam account name—say, if you streamed your games on Twitch and your login window was visible—they could access your account, change your password, and effectively lock you out.
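The article says only that the code step was skipped, not how Valve's reset handler was written. As an added illustration (not Valve's code; the class, function names, code format and limits are all assumptions), this is a reset handler that fails closed: a missing, empty, expired or already-used code never reaches the password change.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # assumed validity window for an emailed code
MAX_ATTEMPTS = 5             # assumed limit on wrong guesses per issued code

class ResetCodeStore:
    """Hypothetical in-memory store of pending password-reset codes."""

    def __init__(self, clock=time.time):
        self._pending = {}   # account -> [sha256(code), expiry, failed attempts]
        self._clock = clock

    def issue(self, account):
        """Create a one-time code; the caller emails it to the account owner."""
        code = secrets.token_hex(4).upper()
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[account] = [digest, self._clock() + CODE_TTL_SECONDS, 0]
        return code

    def verify(self, account, submitted):
        """Return True only for the exact, unexpired, unused code."""
        entry = self._pending.get(account)
        if entry is None:
            return False                      # no reset was ever requested
        digest, expiry, attempts = entry
        if self._clock() > expiry or attempts >= MAX_ATTEMPTS:
            del self._pending[account]
            return False
        # Fail closed: a missing, empty or non-string code counts as a wrong
        # code; it is never a reason to skip the comparison.
        if not isinstance(submitted, str) or not submitted:
            entry[2] += 1
            return False
        candidate = hashlib.sha256(submitted.strip().upper().encode()).digest()
        if not hmac.compare_digest(candidate, digest):
            entry[2] += 1
            return False
        del self._pending[account]            # single use
        return True

def reset_password(store, passwords, account, submitted_code, new_password):
    """Change the password only after the emailed code has been verified."""
    if not store.verify(account, submitted_code):
        return False
    passwords[account] = new_password         # a real system stores a hash
    return True
```
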

YouTuber Elm Hoe demonstrated the process in a video uploaded on Saturday. He also reported in the comments that, after releasing the video, “around 2000” people attempted to use the method to access his account.

Elm Hoe also reported that the Steam account vulnerability was patched ten minutes after he posted the video. 

Steam automatically applies a five-day ban on trading items following a password reset and a seven-day ban on trading items when a Steam account is accessed from a new IP address. These measures should have protected anyone whose account was compromised using this bug.

Based on reports from users who were locked out of their accounts due to the bug, Valve apparently did not alert Steam users to the problem immediately after discovering it.

In fact, in a statement issued to Kotaku, Valve said that it only discovered the password reset bug on July 25 and that the problem could have affected accounts from July 21 through July 25.

“To protect users, we are resetting passwords on accounts with suspicious password changes during that period or [that] may have otherwise been affected,” Valve said in the statement. “Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.”

Valve also said that while hackers could have changed account passwords by exploiting the bug, no hacker would have been able to see an account’s original password, and that if Steam’s two-factor authentication, Steam Guard, were activated, any account accessed through the bug would still have been protected from unauthorized logins.

Illustration by Jason Reed  

Dennis Scimeca


Dennis Scimeca was the Daily Dot's gaming reporter until 2016. He loves first-person shooters, role-playing games, and massively multiplayer online games. His work has appeared in Salon, NPR, Ars Technica, Kotaku, Polygon, Gamasutra, GamesBeat, Paste, and Mic.