Popular gaming platform Steam has suffered a recent security breach that allowed attackers to take over user accounts, due to a vulnerability in Steam’s password reset functionality.
Knowing only the victim’s username, attackers could abuse Steam’s “forgot password” feature and avoid having to input the security code by leaving it blank, thus gaining complete access to a user’s account.
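The article does not disclose Valve's server code, so the following is an added, hypothetical example (not Steam's implementation) of one way a blank code can slip past a reset check, shown beside a hardened version. The function names, in-memory store, code length, lifetime and attempt limit are all assumptions made for the illustration.

```python
import hmac
import secrets
import time

# Hypothetical in-memory store of pending resets (assumed for this example):
# username -> {"code": str, "expires": float, "attempts": int}
PENDING = {}
CODE_TTL_SECONDS = 600   # assumed lifetime of a reset code
MAX_ATTEMPTS = 5         # assumed number of guesses allowed per code


def issue_reset_code(username, now=None):
    """Create the one-time code that would be e-mailed to the account owner."""
    now = time.time() if now is None else now
    code = secrets.token_hex(4)
    PENDING[username] = {"code": code, "expires": now + CODE_TTL_SECONDS,
                         "attempts": MAX_ATTEMPTS}
    return code


def verify_reset_weak(username, submitted):
    """Flawed pattern: the comparison only runs when a code was submitted."""
    entry = PENDING.get(username)
    if entry is None:
        return False
    if submitted and submitted != entry["code"]:
        return False
    return True  # a blank code skips the comparison and is accepted


def verify_reset_strict(username, submitted, now=None):
    """Hardened: blank input fails, codes expire, guesses are limited, single use."""
    now = time.time() if now is None else now
    entry = PENDING.get(username)
    if entry is None or now > entry["expires"]:
        PENDING.pop(username, None)
        return False
    entry["attempts"] -= 1  # blank and wrong submissions both count as guesses
    ok = (isinstance(submitted, str) and submitted != ""
          and hmac.compare_digest(submitted.encode(), entry["code"].encode()))
    if ok or entry["attempts"] <= 0:
        del PENDING[username]  # consume on success, lock out after too many misses
    return ok
```

A regression test for this class of bug should submit an empty string, a missing field and a wrong code, and require all three to be rejected.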
With Steam’s reported more than 125 million active users worldwide, the vulnerability could have affected a great many customers. Many affected accounts were reported not to have had Steam Guard enabled – an additional security layer that requires a second authorization code for login – thus resulting in a potential account breach.
The vulnerability seems to have been fixed, according to professional DotA 2 player Matthew Bailey, and Valve recently sent an email to customers acknowledging the incident and saying that it has been plugged.
“On July 25th we learned of a Steam bug that could have impacted the password reset process on your Steam account during the period July 21-July 25. The bug has now been fixed,” reads the email. “To protect users, we are resetting passwords on accounts that changed passwords during that period using the account recovery wizard. You will receive an email with your new password. Once that email is received, it is recommended that you login to your account via the Steam client and set a new password.”
We strongly encourage users to check their inbox for emails related to password resets for their Steam accounts and immediately change their passwords as they might have been modified.
Although Valve’s email says no passwords have been revealed, they also believe that a wise course of action would be for users to both enable Steam Guard and change their current Steam account password.
“Please note that while your password was potentially modified during this period the password itself was not revealed. Also, if you had Steam Guard enabled, your account was protected from unauthorized logins even if your password was modified.”
If you’re having trouble coming up with a strong password, here are a couple of tips and tricks that will help you out.