Steam’s account-stealing password reset bug fixed

27 Jul 2015 | Security threats, Vulnerability

by Lee Munson

Popular gaming platform Steam recently experienced a breach which reportedly allowed attackers to hijack a small number of accounts.

With only the victim’s username, an attacker could exploit what Steam’s creator, Valve, described as a “bug” in its forgotten password feature.

As the gamers among you will know, a forgotten Steam password will require you to enter your username, email address or phone number in order to receive an email containing instructions and a code required to reset the password.

But, as UK gamer Elm Hoe shows in the following video, a password could be reset even if the code field was left blank. This could have allowed attackers to take over an account even if they only knew their target’s Steam ID, something that is hardly a secret on the platform.

(As the company is now aware of the exploit, trying to reproduce it could lead to a permanent VAC (Valve Anti-Cheat System) ban for the offender – so don’t try this at home!)
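To make the class of defect concrete, here is an added example in Python; it is not Valve’s code and not from this article, and how Steam’s check actually failed is not public. The in-memory store, the function names and the 15-minute lifetime are assumptions. `vulnerable_verify` is a hypothetical model of a reset check that only validates the code when the field is non-empty, so a blank submission skips the check; `hardened_verify` shows the controls a reset endpoint needs: reject a missing code, compare in constant time, enforce expiry and single use.

```python
import hmac
import secrets
import time

# Constructed in-memory store of pending reset codes: username -> (code, expiry).
# Illustrative model only, not Steam's or Valve's implementation.
_pending_codes = {}


def issue_reset_code(username, now=None, ttl_seconds=900):
    """Generate a random, single-use reset code and record it with an expiry.
    The code is what the user would receive by email."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(16)
    _pending_codes[username] = (code, now + ttl_seconds)
    return code


def vulnerable_verify(username, submitted_code):
    """Hypothetical model of the bug class: validation only runs when a code
    was supplied, so leaving the field blank completes the reset."""
    stored, _expiry = _pending_codes.get(username, (None, 0))
    if submitted_code:
        if stored is None or submitted_code != stored:
            return False
    # Bug: an empty submission falls through to success.
    return True


def hardened_verify(username, submitted_code, now=None):
    """Corrected check: a reset succeeds only with a non-empty code that
    matches the issued one, before expiry, and each code works once."""
    now = time.time() if now is None else now
    record = _pending_codes.get(username)
    if record is None or not submitted_code:
        return False
    stored, expiry = record
    if now > expiry:
        # Expired codes are discarded so they can never be replayed.
        del _pending_codes[username]
        return False
    # Constant-time comparison on bytes avoids timing leaks and the ASCII-only
    # restriction of compare_digest on str.
    if not hmac.compare_digest(submitted_code.encode(), stored.encode()):
        return False
    # Single use: consume the code on success.
    del _pending_codes[username]
    return True


if __name__ == "__main__":
    # Demonstration on constructed data: the blank-code reset is accepted by the
    # vulnerable model and rejected by the hardened one.
    code = issue_reset_code("demo_user", now=1000.0)
    print("vulnerable, blank code:", vulnerable_verify("demo_user", ""))
    print("hardened, blank code:  ", hardened_verify("demo_user", "", now=1001.0))
    print("hardened, real code:   ", hardened_verify("demo_user", code, now=1001.0))
    print("hardened, replay:      ", hardened_verify("demo_user", code, now=1002.0))
```

The hardened version also refuses a reset for a username that never requested one, which the vulnerable model accepts; that is the case an attacker who knows only a Steam ID would exercise.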

Softpedia reports that Valve confirmed the bug had been fixed via an email sent to affected users which stated that the issue was present from 21-25 July.

The company informed those who had been targeted that it was enforcing password changes for all accounts that had used the account recovery wizard during that time period.

Valve said that, while some passwords were modified, none were actually revealed, but I would suggest changing them to something new anyway. If you need help picking a new, strong password, the following video might help.


Valve also used the email it sent as an opportunity to remind its users about its own form of two-factor authentication, Steam Guard, which requires anyone attempting to access an account from an unrecognised device to input a code sent to the registered user’s email address.

Valve, which is believed to have over 125 million active users, has locked down all affected accounts for five days as a precaution.

If your account has been affected or you are otherwise having trouble logging in, you can contact Steam support for additional help.

Steam logo by Flickr user BagoGames (CC BY 2.0)


One comment on “Steam’s account-stealing password reset bug fixed”

  1. julienco says:
    January 21, 2016 at 1:42 pm

    I don’t think you will get a Cheat-ban for hijacking accounts
