Steam Fixes Password Recovery Bug That Allowed Anyone to Hijack Accounts
We didn’t want to report on this while it was happening because it was so, so easy to do, but a frankly embarrassing bug was found in Steam’s security this weekend.
But it wasn’t fixed in time to stop a number of users from seeing their accounts hijacked, with some users denied access to their accounts because they were being accessed from alien PCs, often on the other side of the world. “The bug has now been fixed”.
The scary thing is the hack was actually ridiculously simple to do. Normally (though not always), account problems with Steam, as is the case with platforms like the Xbox, are a result of external security failures, usually related to phishing. If you’ve enabled Steam Guard (which you absolutely should do) or use two-factor authentication using the mobile app, chances are your account was safe.
That’s…a pretty awful loophole for a service with a reputation as strong as Valve’s. In a statement to Kotaku, Valve says that they’ll be resetting the passwords on affected accounts, adding that no data was leaked from the hijacking hijinks.
The bug meant that anyone could break into a Steam account and change its password without needing access to the recovery email address.
If you do not have Steam Guard enabled and protecting your Steam account, you should probably go ahead and do that now.
Now, it isn’t so much that these users had bad passwords; rather, the hijackings were due to what seemed like a security glitch in the system.
There is a five-day trade ban put onto every account that changes e-mail or password, to prevent this sort of issue from costing users hundreds of e-bucks in lost items.
“We apologize for any inconvenience”.