A Password-Reset Exploit on Steam Now Resolved
A bug was discovered on Steam where some users temporarily lost control of their accounts, but was quickly resolved by the Steam security team.
How the Exploit Worked
It may seem like a difficult series of actions to hijack a Steam account, but the exploit was discovered to run through the "lost password" section within Steam support. From there all that was required to gain access was the person's username, then reset the password, and lastly set a new one to gain access to the account. During this process a verification email wasn't required.
Valve has divulged information regarding the exploit, and that they discovered it on July 25th, but accounts may have been affected from July 21st - July 25th. Valve has released a statement on this security flaw.
"To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.
Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorized logins even if the password was modified.
We apologize for any inconvenience". - Valve
Speaking as someone who has hundred's of dollars worth of video games on their Steam account, this is a very scary incident that has taken place. I would be devastated if I lost access to my account, and immediately seek out Valve for aid.
Were you affected by this password exploit on Steam? Has an incident like this happened on a different program? Share your stories below.