Valve has patched a bug in its Steam system that could easily allow an attacker to take over any account using nothing but the account’s username.
The hijacking exploit exploited a hole in Steam’s password recovery feature, which sends a recovery code to the registered email address associated with the account. That email code must be entered into a form via the Steam website, but an attacker could simply skip that code entry step, leave the recovery code area blank, and have full access to the password change dialog, as demonstrated in this video .
In a statement to Kotaku, Valve said it quickly fixed the bug when notified on Saturday, July 25, but that “a subset of Steam accounts” could have been affected since July 21. It is difficult to know exactly how often the attack occurred. used at the time, but several prominent ones Counterattack: GO streamers and others with known Steam usernames appear to be affected.
Valve says accounts that have seen “suspicious password changes” will be contacted individually via email to straighten out their accounts. The Steam store was also down for a few hours this morning, though it’s not clear if that was directly related to this bug or the fix.
This is the largest public vulnerability for Steam since 2011, when Valve confirmed that hackers had compromised a database of Steam usernames and encrypted passwords and credit card information.