Steam Accounts Compromised After Major Password Flaw is Found

Valve has begun resetting numerous Steam passwords after some users found they could easily hijack another person's account.

It appears that the security flaw was discovered at some stage in July, and became more prominently known as users passed around the knowledge. Valve has said it has now fixed the issue, and that it is "resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected."

The ease in which users can hijack others' Steam accounts had come as a surprise for some users. In the video below, one streamer shows that the process begins by clicking on the "forgot my login details" on the Steam client. After this, a "hacker" would need to enter their target's Steam account name, after which the client responds with a message saying that a randomly generated code has been sent to the email address associated with the target's account.

Normally the user would need to copy the random code sent via email and paste it into the Steam client. However, if players type in no code at all and click continue, they will still be allowed to proceed. Then they can create a new password for their account.

Numerous users, including a professional Dota 2 player, reported last week that their account had been hacked.

Valve has apologised for the oversight, and in a statement sent to Kotaku, has assured that those affected will be looked after. It also has said the loophole has been closed.

"To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected," the company said.

"Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.

"Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorized logins even if the password was modified."