Valve had a bit of a panic moment last week as users discovered an exploit that allowed Steam accounts to be accessed using just a username. A flaw on Valve's end let users skip the verification step when changing an account password.
Users could go to the change password page and simply hit continue, rather than entering the email verification code. Some accounts were indeed affected, though Valve was quick to respond by fixing the problem and reversing the damage.
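The article does not say what went wrong inside Valve's code. As an added illustration (not Valve's code; the function names and the in-memory store are hypothetical), this Python example shows one way a verification step can pass when no code is submitted, next to a check that rejects every path except a proven match.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store: username -> (sha256 of emailed code, expiry time).
PENDING = {}

def issue_code(username, ttl=900, now=None):
    """Create a one-time reset code; only its hash is stored."""
    now = time.time() if now is None else now
    code = secrets.token_hex(4)
    PENDING[username] = (hashlib.sha256(code.encode()).hexdigest(), now + ttl)
    return code  # would be sent by email, never returned to the browser

def verify_fail_open(username, submitted):
    """Flawed pattern (assumed, for illustration): the comparison only
    runs when a code was actually submitted."""
    if submitted:
        digest, _ = PENDING.get(username, ("", 0))
        if hashlib.sha256(submitted.encode()).hexdigest() != digest:
            return False
    return True  # an empty or missing code falls through to success

def verify_fail_closed(username, submitted, now=None):
    """Hardened: every path that is not a proven match is a rejection."""
    now = time.time() if now is None else now
    if not isinstance(submitted, str) or not submitted:
        return False                      # empty or missing code is never valid
    record = PENDING.get(username)
    if record is None:
        return False                      # no reset was requested for this user
    digest, expires = record
    if now > expires:
        PENDING.pop(username, None)
        return False                      # code has expired
    candidate = hashlib.sha256(submitted.encode()).hexdigest()
    if not hmac.compare_digest(candidate, digest):
        return False                      # wrong code (constant-time compare)
    PENDING.pop(username, None)           # single use: consume on success
    return True
```

The hardened check runs on the server for every password change, so hitting continue with an empty field is handled the same way as a wrong code.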
Video: http://www.youtube.com/watch?v=QPl_BJoBaVA
The above video demonstrates how the exploit worked. Once the issue came to light, Kotaku got in touch with Valve about it and the company responded: “To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.”
“Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorised logins even if the password was modified.”
So no passwords were revealed to account intruders, which is good news, though a few prominent Twitch streamers and Dota 2 players had their accounts messed with a bit. Given Valve's strong reputation, we would hope that something like this won't happen again.
KitGuru Says: That was quite a dangerous issue to come across, especially for a service like Steam, where a lot of people keep their entire digital game libraries. Fortunately Valve was quick enough to fix it and reverse the damage. Hopefully something like this doesn't happen again. Were any of you affected by this exploit last week at all?
Interesting, could there be a mole working at Valve, I wonder? It’d certainly be a good time for Steam to screw up given that EA have said they are re-branding Origin over the next few weeks. I certainly wouldn’t want to create any conspiracy theories though, so will stop rambling now.
===
“That was quite a dangerous issue to come across, especially for a service like Steam, where a lot of people keep their entire digital game libraries.”
Game libraries be damned. People have their credit card details saved on Steam.