Though it now appears to have been fixed, Valve’s Steam security was exposed as being rather on the flimsy side this weekend. Reports on Reddit of various Twitch streamers having their accounts hijacked were eventually traced back to a very straightforward account exploit.
As explained after the fact by videos like this one, all a would-be account hijacker needed was your Steam account name and the ability to make an ‘oh dear, I’ve lost my password’ request.
By entering a valid Steam account name, requesting a password reset, and simply leaving the verification code box blank (the code is sent to the account’s registered email address), people were able to reach the password reset page and effectively take over an account. In effect, the reset flow treated an empty code as passing verification rather than rejecting it.
Worth noting here that the “leave the verification code box blank” trick did not work for the Steam Guard code prompt. This means accounts with Steam Guard active may have had their passwords changed, but should not actually have been accessed. Accounts without Steam Guard active were left wide open.
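To make the failure mode concrete, here is an added example (not Valve’s code, whose implementation is not public) reconstructing the bug class described above: a reset-code check that only runs when the field is non-empty, shown next to a hardened version that refuses blank or missing codes, compares in constant time and burns the code after one use. The in-memory store, account names and function names are all assumptions for the demo.

```python
import hmac
import secrets
from typing import Optional

# Constructed in-memory stand-in for the backend's table of pending resets.
# Maps account name -> the code that was emailed to the registered address.
PENDING_RESETS: dict = {}


def request_reset(account_name: str) -> str:
    """Issue a reset code for the account and 'email' it.

    Returns the code only so the demo can show the legitimate path; a real
    service would hand it to the mailer and never return it to the caller.
    """
    code = secrets.token_hex(4).upper()
    PENDING_RESETS[account_name] = code
    return code


def verify_code_vulnerable(account_name: str, submitted: Optional[str]) -> bool:
    """Reconstruction of the reported bug class (assumption, not Valve's code).

    The comparison is guarded by 'is there anything to compare?', so a blank
    field skips the check and the caller proceeds to the reset page.
    """
    expected = PENDING_RESETS.get(account_name)
    if submitted:                       # only validate when a value was sent
        return submitted == expected
    return True                          # blank -> nothing rejected it


def verify_code_fixed(account_name: str, submitted: Optional[str]) -> bool:
    """Hardened check: default-deny on every shortcut the bug relied on."""
    expected = PENDING_RESETS.get(account_name)
    if not expected or not submitted:   # no pending reset, or blank/missing code
        return False
    ok = hmac.compare_digest(submitted.encode(), expected.encode())
    if ok:
        del PENDING_RESETS[account_name]  # single use: a replayed code fails
    return ok


if __name__ == "__main__":
    code = request_reset("demo_account")
    # The attacker never sees 'code'; they just submit an empty string.
    print("vulnerable, blank code:", verify_code_vulnerable("demo_account", ""))
    print("fixed, blank code:     ", verify_code_fixed("demo_account", ""))
    print("fixed, real code:      ", verify_code_fixed("demo_account", code))
    print("fixed, replayed code:  ", verify_code_fixed("demo_account", code))
```

The important difference is where the empty case lands: the vulnerable version makes “no code supplied” a reason to skip validation, the fixed version makes it a reason to fail. Note that the Steam Guard prompt, which the article says was not bypassable, would sit as a separate check after this one, which is why Guard-protected accounts could have their passwords changed without being entered.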
It’s unclear precisely how long this exploit has been around, but it may have been introduced with the release of Valve’s Steam Guard Mobile Authenticator.
At the time of writing, Valve do not appear to have made any kind of official statement regarding the security hole, nor suggested any measures people should take. The exploit itself appears to have been fixed. Those directly affected should have received emails from Steam Support.
Update 27 July: Valve have now issued a statement. Here it is:
“To protect users, we are resetting passwords on accounts with suspicious password changes during that period [21-25 July] or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users log in to their account via the Steam client and set a new password.
Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorised logins even if the password was modified.
We apologise for any inconvenience.”
Signs of any attempted hijack will be in the email inbox associated with your Steam account. Check for any password reset requests you did not make. If you find one, hope you had Steam Guard active and that it stopped the attacker getting any further.