Video game company Valve Corporation has fixed a major password bug that led to a number of compromised accounts...
for its Steam digital distribution platform.
According to various media reports, an undetermined number of Steam accounts, including those of prominent professional gamers, were hijacked by hackers last week through a flaw in the platform's password reset system. Specifically, Steam's account name recovery and password reset system require a "recovery code," which is sent to the user's email address, to be entered in order to reset a password.
But the flaw, which was discovered and exploited sometime earlier this month, allowed attackers to bypass the recovery code step by simply clicking "Continue" with a blank field for the code. Therefore, attackers were able reset passwords and take over Steam accounts without having to access the account owners email or obtain the recovery code (one gamer demonstrated the hack in a YouTube video posted on Saturday).
Several high-profile professional gamers and streamers had their Steam accounts hijacked last week; since the hack only required knowledge of a user's Steam account name, it's possible these individuals were targeted simply because their Steam names were widely known or publicly displayed in live competitions and YouTube videos.
Valve released a statement to gaming news site Kotaku saying that it learned of the password bug on Saturday and that the password recovery system has been fixed. The company also said itreset passwords for accounts that exhibited suspicious activity last week. Users with Steam Guard enabled, which requires additional layers of authentication for login attempts from unrecognized devices, were not affected by the password bug, Valve said.
It's unclear how many compromised accounts resulted from the password bug. Steam has more than 125 million active users, and the platform offers a variety of services, including digital purchases and downloads of games, online multiplayer, social networking, and cloud synchronization.
This is the second major security incident for Steam in recent years. Valve disclosed a major data breach in 2011 during which hackers gained access to a company database and obtained Steam usernames, encrypted passwords and credit card information.
Find out how to improve authentication vulnerability scans in five easy steps