Valve has closed a Steam security hole that allowed user accounts to be
hijacked with minimal effort, and which caused temporary account loss for some
prominent streamers and DOTA 2 pros, reports Kotaku Australia (thanks VG247).
As this video demonstrates, this involved simply entering a blank in place of a
required security response code, making it trivial to hijack any account
knowing only a user's name. Valve says this resulted from a bug that was active
between July 21-25 and has now been fixed. Here's Valve's statement on the
matter:
To protect users, we are resetting passwords on accounts with
suspicious password changes during that period or may have otherwise been
affected. Relevant users will receive an email with a new password. Once that
email is received, it is recommended that users login to their account via the
Steam client and set a new password.
Please note that while an account password was potentially modified during this
period the password itself was not revealed. Also, if Steam Guard was enabled,
the account was protected from unauthorised logins even if the password was
modified.
We apologise for any inconvenience.
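
The report does not say how Steam's reset flow was implemented, so the following is an added illustration of the bug class it describes (a blank recovery code treated as valid), not Valve's code. The function names, the in-memory store and the 15-minute code lifetime are assumptions made for the example.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60  # assumed lifetime for a recovery code

# Hypothetical in-memory store: account name -> (code, issued_at).
_pending = {}


def issue_code(account, now=None):
    """Create and remember a one-time recovery code for the account."""
    code = secrets.token_hex(4)
    _pending[account] = (code, time.time() if now is None else now)
    return code


def verify_loose(account, submitted):
    """Flawed: a falsy (blank) submission skips the comparison entirely."""
    expected, _ = _pending.get(account, ("", 0))
    if submitted and submitted != expected:
        return False
    return True


def verify_strict(account, submitted, now=None):
    """Fail closed: blank input, no pending code, or expiry all reject."""
    now = time.time() if now is None else now
    if not isinstance(submitted, str) or not submitted.strip():
        return False
    entry = _pending.get(account)
    if entry is None:
        return False
    expected, issued_at = entry
    if now - issued_at > CODE_TTL_SECONDS:
        _pending.pop(account, None)  # expired codes are discarded
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    ok = hmac.compare_digest(submitted.strip().encode(), expected.encode())
    if ok:
        _pending.pop(account, None)  # one-time use
    return ok
```

A regression test that submits an empty, whitespace-only and missing code against the reset endpoint catches this class of bug before release.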