
Holy Holes, Gaben! Steam Account Hijack Exploit Fixed

Exploiting account recovery

Valve are a taciturn company, which is fair enough. Mercy knows if I received ten thousand e-mails and tweets about Half-Life 3 every day, I'd dedicate my life to obliterating the written word. At times, though, they really should break the silence. They should shout and yell and scream and let everyone know what's going on. Say, if for five days a security hole had let ne'er-do-wells easily take over people's accounts. Nope.

Valve have closed the hole, but Steam's website - including the Store - is down now and I have no idea whether that's connected, because they aren't announcing anything about this. Speak up, son.

The exploit let anyone who knew an account's username take it over by abusing the password recovery feature. After saying they'd forgotten the password, they could choose to have a recovery code sent to the account's registered e-mail address, then skip that step entirely by submitting nothing where the code should go. The server accepted the empty code as if it were valid, so the one step that was supposed to prove control of the e-mail address proved nothing. They'd then have access to the account and could change the password to something new. If you knew an account's name, you could take it over without access to the owner's e-mail or anything else. It was a pretty gaping security hole.
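To make the failure concrete, here is an added example (not Steam's code, and not anything Valve has published) of a recovery-code check in the shape the article describes, beside a version that fails closed. The account store, the pending-code format, the function names and the constants are all assumptions made for illustration; the vulnerable variant is one plausible way "an empty code passes" comes about, not a claim about Valve's actual implementation.

```python
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the account and recovery-code
# databases. Names, layout and code format are assumptions for this example.
ACCOUNTS = {"alice": {"email": "alice@example.org", "password": "old-pw"}}
PENDING = {}          # account name -> {"code", "expires", "attempts"}
CODE_TTL = 600        # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5      # guesses allowed before the code is discarded (assumed)


def issue_recovery_code(account, now=None):
    """'Forgot password' step: mint a one-time code that would be e-mailed to
    the registered address. It is returned here only so a test can play the
    legitimate owner reading their inbox."""
    now = time.time() if now is None else now
    code = secrets.token_hex(4)  # 8 hex characters; constructed format
    PENDING[account] = {"code": code, "expires": now + CODE_TTL, "attempts": 0}
    return code


def verify_vulnerable(account, submitted, now=None):
    """Check in the shape the article describes: only a WRONG, NON-EMPTY code
    is rejected, so submitting nothing sails through. This is an assumed
    pattern that reproduces the reported behaviour, not Valve's code."""
    pending = PENDING.get(account)
    if submitted and (pending is None or submitted != pending["code"]):
        return False
    return True


def verify_hardened(account, submitted, now=None):
    """Possession of the e-mailed code is the only proof that the requester
    controls the address, so every missing precondition must mean 'no'."""
    now = time.time() if now is None else now
    pending = PENDING.get(account)
    if not submitted or pending is None:
        return False                      # nothing submitted or nothing issued
    if now > pending["expires"]:
        PENDING.pop(account, None)
        return False                      # stale code
    pending["attempts"] += 1
    if pending["attempts"] > MAX_ATTEMPTS:
        PENDING.pop(account, None)        # too many guesses: start over
        return False
    if not hmac.compare_digest(submitted.encode(), pending["code"].encode()):
        return False                      # wrong code, constant-time compare
    PENDING.pop(account, None)            # single use: consumed on success
    return True


def reset_password(account, submitted_code, new_password, verify, now=None):
    """Final recovery step: change the password only if the chosen verifier
    accepted the code. Returns True when the password was changed."""
    if account not in ACCOUNTS:
        return False
    if not verify(account, submitted_code, now):
        return False
    ACCOUNTS[account]["password"] = new_password
    return True


if __name__ == "__main__":
    # Attacker knows only the username and submits an empty code.
    print("vulnerable:", reset_password("alice", "", "pwned", verify_vulnerable))
    print("hardened:  ", reset_password("alice", "", "pwned", verify_hardened))
```

The hardened check treats "no code submitted" and "no code issued" as failures, expires codes, caps guesses, compares in constant time and burns the code on first use; each of those closes a different way of skipping the proof-of-e-mail step.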

Here's someone demonstrating how simple the exploit was:

Valve being Valve, they've fixed this but not announced anything about it. Folks who lost their accounts were left digging around forums and subreddits and sites trying to find out what was going on. However, Valve did at least speak to Kotaku about it yesterday, saying that they learned about the hole on Saturday, July 25th and that it had been exploited since last Tuesday, July 21st. Valve said:

"To protect users, we are resetting passwords on accounts with suspicious password changes during that period or that may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users log in to their account via the Steam client and set a new password.

"Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorized logins even if the password was modified.

"We apologize for any inconvenience."

There's still no official announcement on Steam, the Steam Twitter account, Steam Support's Twitter, the Steam Facebook page, and so on. I don't know what's going on with the Steam Store either, which is annoying because I really want to buy and play Cradle.


About the Author

Alice O'Connor

News Editor
