This week, a glaring security flaw in arguably the most popular PC digital distribution system was found, allowing just about anybody to wrest complete control of other people’s Steam accounts. Valve’s security is usually top-notch, but this weekend the normally air-tight protection on Steam collapsed, making it laughably easy to hijack accounts.
You know how, when you reset a Steam password, you get an email with a code that you have to enter to prove the account is yours? This weekend the reset form accepted a blank code field as valid, so a would-be hijacker could skip the verification step entirely, set a new password and take control of the account.
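To make the failure mode concrete, here is an added example, constructed for this page and not Valve’s code or anything taken from the Steam client or website (every function and variable name in it is hypothetical). It shows a reset-code check that fails open when the code field is left blank, next to a version that fails closed and also enforces expiry, an attempt limit, constant-time comparison and single use of the code.

```python
"""Hypothetical password-reset code verification, written to illustrate the
fail-open pattern described above. Not Valve's code; all names are assumed."""
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store: account name -> pending reset record.
PENDING_RESETS = {}

# Unambiguous alphabet for the emailed code (no 0/O, 1/I).
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def issue_reset_code(account, now=None, ttl=600):
    """Create a one-time reset code for the account, store only its hash plus an
    expiry and attempt counter, and return the code that would be emailed."""
    if now is None:
        now = time.time()
    code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(8))
    PENDING_RESETS[account] = {
        "code_hash": hashlib.sha256(code.encode()).digest(),
        "expires": now + ttl,
        "attempts": 0,
    }
    return code


def verify_vulnerable(account, submitted):
    """Fail-open check (hypothetical bug): the comparison only runs when the
    field is non-empty, so a blank or missing code passes straight through."""
    rec = PENDING_RESETS.get(account)
    if rec is None:
        return False
    # BUG: the guard is skipped when `submitted` is "" or None.
    if submitted and not hmac.compare_digest(
        hashlib.sha256(submitted.encode()).digest(), rec["code_hash"]
    ):
        return False
    return True


def verify_hardened(account, submitted, now=None, max_attempts=5):
    """Fail-closed check: absent/empty input is rejected, expired or exhausted
    records are discarded, comparison is constant-time, and a correct code is
    consumed so it cannot be replayed."""
    if now is None:
        now = time.time()
    rec = PENDING_RESETS.get(account)
    if rec is None or not submitted:
        return False
    if now > rec["expires"] or rec["attempts"] >= max_attempts:
        PENDING_RESETS.pop(account, None)
        return False
    rec["attempts"] += 1
    ok = hmac.compare_digest(
        hashlib.sha256(submitted.encode()).digest(), rec["code_hash"]
    )
    if ok:
        PENDING_RESETS.pop(account, None)  # one-time use
    return ok


if __name__ == "__main__":
    code = issue_reset_code("demo_user", now=1000.0)
    print("vulnerable check, blank code:", verify_vulnerable("demo_user", ""))
    print("hardened check, blank code:  ", verify_hardened("demo_user", "", now=1001.0))
    print("hardened check, real code:   ", verify_hardened("demo_user", code, now=1001.0))
```

The vulnerable version is the classic “optional field” mistake: validation lives inside a branch that only executes when something was submitted, so the absence of input is treated as success rather than as a failed check. The hardened version decides the outcome from the record and the input together and defaults to rejection on every path that is not an exact, timely, first-use match.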
Thankfully Valve has safeguards in place that block trading and selling of those curiously expensive Steam items for a period after a password change, so the damage has been minimal. If you’ve enabled Steam Guard (which you absolutely should do), whether via the emailed code or the mobile authenticator app, chances are your account was safe: an attacker could still change your password, but could not log in with it.
Valve has killed the loophole, which they describe as a bug in the system. In a statement to Kotaku, Valve says that they’ll be resetting the passwords on affected accounts, adding that the hijacking hijinks never exposed anyone’s existing password.
“To protect users, we are resetting passwords on accounts with suspicious password changes during that period or that may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users log in to their account via the Steam client and set a new password.
Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorised logins even if the password was modified.
We apologise for any inconvenience.”
Last Updated: July 27, 2015
Admiral Chief in Skellige
July 27, 2015 at 08:03
Yikes
Guild
July 27, 2015 at 08:12
Damn
Bagel
July 27, 2015 at 08:13
The only thing saving people’s in-game items was the 5-day trade ban when resetting passwords.
Russia > Volvo
Umar
July 27, 2015 at 08:14
WTF….. That’s…. that’s not something small. I’m glad no one (besides the users) is calling it hacking, because it’s not, and that is a serious bug they introduced. Luckily it’s fixed but that must’ve done them some major damage. Aren’t services that store credit card information supposed to be PCI compliant? That’s a MAJOR breach. Damn.
WitWolfy
July 27, 2015 at 08:20
Most online gaming store sites be like…
http://hill-kleerup.org/blog/wp/wp-content/uploads/2011/03/homer-credit-card.jpg
Hammersteyn
July 27, 2015 at 08:36
LOL!
Brandon van Reenen
July 27, 2015 at 08:20
That header god dammit! XD
Geoffrey Tim
July 27, 2015 at 08:20
I laughed. Best worst security ever.
Admiral Chief in Skellige
July 27, 2015 at 08:31
THIS IS A MAMBA PUMP ACTION SHOTGUN!
crushcrush
July 27, 2015 at 16:01
What about people who have payment info stored. Hijackers could’ve gifted games to their own accounts with your payment information. I’m sure Steam will be willing to refund any purchases in that window, right?