Holy Holes, Gaben! Steam Account Hijack Exploit Fixed

Exploiting account recovery

Valve are a taciturn company, which is fair enough. Mercy knows if I received ten thousand e-mails and tweets about Half-Life 3 every day, I'd dedicate my life to obliterating the written word. At times, though, they really should break the silence. They should shout and yell and scream and let everyone know what's going on. Say, if for five days a security hole had let ne'er-do-wells easily take over people's accounts. Nope.

Valve have closed the hole, but Steam's website - including the Store - is down now and I have no idea whether that's connected, because they aren't announcing anything about this. Speak up, son.

The exploit had let folks take over accounts whose username they knew by abusing the password recovery feature. By saying they'd forgotten the password, they could select the option to send a recovery code to the account's registered e-mail address - but then skip that step by entering nothing where the code should go. They'd then have access to the account, and could change the password to something new. If you knew an account's name, you could take it over without access to the owner's e-mail or anything else. It was a pretty gaping security hole.
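As an added illustration (not code from the article, and not Valve's code), here is a toy password-recovery flow in Python that puts a verification step an empty submission slips past next to a hardened version. The article does not describe how Steam's check actually failed; the RecoveryService class, its methods, and the "empty code means skip" logic are assumptions constructed for this example.

```python
"""Added example, not from the article or from Valve: a toy password-recovery
flow contrasting a code check that an empty submission bypasses with a
hardened one. RecoveryService and everything in it is hypothetical."""
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class PendingReset:
    code: str          # recovery code as sent to the registered e-mail address
    expires_at: float  # unix time after which the code is no longer accepted
    attempts: int = 0  # wrong guesses so far


@dataclass
class RecoveryService:
    passwords: dict = field(default_factory=dict)  # username -> password
    pending: dict = field(default_factory=dict)    # username -> PendingReset
    max_attempts: int = 5
    ttl_seconds: int = 600

    def request_reset(self, username: str) -> str:
        """Step 1: create a code and (in a real system) e-mail it to the owner.
        It is returned here only so the demo can play the legitimate owner."""
        code = secrets.token_hex(4)
        self.pending[username] = PendingReset(code, time.time() + self.ttl_seconds)
        return code

    def verify_code_vulnerable(self, username: str, submitted: str) -> bool:
        """Flawed check (assumed mechanism): an empty submission is treated as
        'nothing entered yet, carry on' and the step is skipped, not failed."""
        if username not in self.pending:
            return False
        if submitted == "":
            return True
        return submitted == self.pending[username].code

    def verify_code_hardened(self, username: str, submitted: str) -> bool:
        """Hardened check: empty input fails closed, the code must exist and be
        unexpired, guesses are capped, comparison is constant-time, and the
        code is consumed on success so it cannot be replayed."""
        reset = self.pending.get(username)
        if reset is None or not submitted:
            return False
        if time.time() > reset.expires_at or reset.attempts >= self.max_attempts:
            del self.pending[username]
            return False
        reset.attempts += 1
        if not hmac.compare_digest(submitted.encode(), reset.code.encode()):
            return False
        del self.pending[username]  # single use
        return True

    def set_password(self, username: str, new_password: str,
                     submitted_code: str, hardened: bool = True) -> bool:
        """Step 2: only change the password if the chosen check passes."""
        check = self.verify_code_hardened if hardened else self.verify_code_vulnerable
        if not check(username, submitted_code):
            return False
        self.passwords[username] = new_password
        return True


def demo() -> dict:
    """Constructed scenario: someone who knows only the username 'alice'
    submits an empty code to both checks, then the real owner uses the
    genuine code against the hardened check."""
    results = {}
    vuln = RecoveryService(passwords={"alice": "old-password"})
    vuln.request_reset("alice")  # code goes to alice's inbox; the stranger never sees it
    results["empty_code_vs_vulnerable"] = vuln.set_password(
        "alice", "stranger-chosen", "", hardened=False)

    hard = RecoveryService(passwords={"alice": "old-password"})
    hard.request_reset("alice")
    results["empty_code_vs_hardened"] = hard.set_password("alice", "stranger-chosen", "")

    code = hard.request_reset("alice")  # owner reads the code from her e-mail
    results["real_code_vs_hardened"] = hard.set_password("alice", "owner-chosen", code)
    results["reuse_of_consumed_code"] = hard.set_password("alice", "again", code)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'password changed' if outcome else 'rejected'}")
```

The point of the hardened version is that the recovery code is the only thing standing between "I know a username" and "I own the account", so its check has to fail closed on empty or missing input, expire, limit guesses, and be consumed once used.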

Here's someone demonstrating how simple the exploit was:

Valve being Valve, they've fixed this but not announced anything about it. Folks who lost their accounts were left digging around forums and subreddits and sites trying to find out what was going on. However, Valve did at least speak to Kotaku about it yesterday, saying that they learned about the hole on Saturday, July 25th and that it had been exploited since last Tuesday, July 21st. Valve said:

"To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users log in to their account via the Steam client and set a new password.

"Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorized logins even if the password was modified.

"We apologize for any inconvenience."

There's still no official announcement on Steam, the Steam Twitter account, Steam Support's Twitter, the Steam Facebook page, and so on. I don't know what's going on with the Steam Store either, which is annoying because I really want to buy and play Cradle.

About the Author

Alice O'Connor

Associate Editor
