Some Steam accounts were stolen between July 21 and July 25 due to a security flaw in the service's password reset procedure, Kotaku reports. The hole, which Valve learned of on July 25, allowed an attacker to reset a Steam account's password without a security code, using only the account's name. Valve claims it has since closed the security hole.
A YouTube video shows how the attack worked. The user who posted it then tweeted that, because of his video, his own account got hijacked. Whoops.
In a statement to Kotaku, a Valve spokesperson says that the company has reset passwords on affected accounts and contacted affected users. "Relevant users will receive an email with a new password," the statement reads. "Once that email is received, it is recommended that users login to their account via the Steam client and set a new password."
Valve also says users with Steam Guard enabled did not have their accounts hijacked. Steam Guard requires owners of protected accounts to enter a security code to log in from a new browser or PC. That service apparently worked as intended.