Steam had a major security lapse over the weekend

This article is over 9 years old and may contain outdated information

Though it now appears to have been fixed, Valve’s Steam security was exposed as being rather on the flimsy side this weekend. Reports on Reddit of various Twitch streamers having their accounts hijacked were eventually traced back to a very straightforward account exploit.

As explained after the fact by videos like this one, all potential account hijackers needed to know was your Steam account name and how to make an ‘oh dear I’ve lost my password’ request.

By inputting a valid Steam account name, requesting a password reset, and simply leaving blank the box for the verification code (sent to the account’s registered email account), people were able to reach the password reset page and effectively take over an account.

Worth noting here that the “leave the verification code box blank” trick did not work for the Steam Guard code request. This means any accounts with Steam Guard active may have had their passwords changed, but shouldn’t have actually been accessed. Those without Steam Guard active were left totally open.
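For developers, the blank-code behaviour described above can be illustrated with an added example that is not Valve's code (the article does not say how Steam's check was written). It assumes one common cause, a comparison that is skipped when the field is empty, and sets it beside a check that fails closed; the store, function names and code format are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical in-memory store: account name -> (SHA-256 of code, expiry time).
_pending = {}

def _digest(code):
    return hashlib.sha256(code.encode("utf-8")).digest()

def issue_code(account, ttl=900, now=None):
    """Create a one-time reset code; the caller emails it to the account owner."""
    now = time.time() if now is None else now
    code = secrets.token_hex(4).upper()  # constructed format, 8 hex characters
    _pending[account] = (_digest(code), now + ttl)
    return code

def verify_flawed(account, submitted):
    """Assumed anti-pattern: the comparison only runs when the field is non-empty."""
    expected, _expiry = _pending[account]
    if submitted and _digest(submitted) != expected:
        return False
    return True  # a blank field falls through to success

def verify_hardened(account, submitted, now=None):
    """Fail closed: a missing, blank, expired or already used code is rejected."""
    now = time.time() if now is None else now
    entry = _pending.get(account)
    if entry is None or not isinstance(submitted, str) or not submitted.strip():
        return False
    expected, expiry = entry
    if now > expiry:
        del _pending[account]
        return False
    ok = hmac.compare_digest(_digest(submitted.strip()), expected)
    if ok:
        del _pending[account]  # single use: a code cannot be replayed
    return ok
```

A production version would also cap the number of attempts per issued code and log every rejected reset for review.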

It’s unclear precisely how long this exploit has been around, but it may have been introduced with the release of Valve’s Steam Guard Mobile Authenticator.

At the time of writing, Valve do not appear to have made any kind of official statement regarding the security hole, nor suggested any measures people should take. The exploit itself appears to have been fixed. Those directly affected should have received emails from Steam Support.

Update 27 July: Valve have now issued a statement. Here it is:

“To protect users, we are resetting passwords on accounts with suspicious password changes during that period [21-25 July] or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.

Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorised logins even if the password was modified.

We apologise for any inconvenience.”

Signs of any attempted hijack will be in the email inbox associated with your Steam account. Check for any attempted password resets. If you have an unauthorised one, hope you had Steam Guard active and that it prevented someone getting any further.

