Valve closes Steam password reset security hole

— 7:23 AM on July 27, 2015

Some Steam accounts were stolen during the period from July 21 to July 25 due to a security flaw in the service's password reset procedure, Kotaku reports. The hole, which Valve learned of on July 25, allowed an attacker to reset a Steam account's password without a security code using only the account's name. Valve claims it has since closed the security hole. 

This YouTube video shows how the attack worked. The user who posted it then tweeted that, because of his video, his own account got hijacked. Whoops.

In a statement to Kotaku, a Valve spokesperson says that the company has reset passwords on affected accounts and contacted affected users. "Relevant users will receive an email with a new password," the statement reads. "Once that email is received, it is recommended that users login to their account via the Steam client and set a new password."

Valve also says users with Steam Guard enabled did not have their accounts hijacked. Steam Guard requires owners of protected accounts to enter a security code to log in from a new browser or PC. That service apparently worked as intended.
