Valve’s Steam is the biggest platform in the PC gaming market, with Valve themselves being one of the most prominent companies in the gaming industry as a whole. Steam has millions of accounts all over the world, and in some cases people have invested literally thousands of dollars into their own accounts. That is why a security breach like the one that occurred a few days ago is something to take very seriously.
Reports are still blurry and information keeps coming out – Valve themselves are yet to make an official statement on the issue – but according to a demonstration that was posted on YouTube, a hacker could abuse the “forgotten password” feature in Steam’s log-in service, completely bypass the stage where they have to enter a security code, and be granted access to reset the password of the account.
All an attacker needs to carry out this exploit is the account name of a Steam user. It’s not yet clear if Steam Guard offers sufficient protection from the exploit, as there have been some reports from users claiming that their accounts have been compromised even with Steam Guard enabled.
Valve have closed the loophole already, but not before significant amounts of damage were done to many users. Among the affected are various prominent Twitch streamers, who’ve had their accounts hijacked and locked down. Valve have apparently started to impose a 5-day “ban” on accounts that have been compromised in the incident, but it’s not clear if there will be any additional consequences for those who have been affected.
Some users have been worried about the possibility of “VAC bans” – Valve’s anti-cheat system is quite notorious for its permanent bans, and even in cases where users have had their accounts hijacked, Valve typically never revert these bans.
On the other hand, users who actively trade on the Steam Market have been worried that they might lose some of their hard-earned items, which is a real danger now that their accounts have been compromised. This could be one of the reasons for the 5-day lockdown, as it would allow Valve to carefully sort out the mess without people trading and getting in their way.
Some have pointed out that Valve’s silence on the matter has been worrying. It’s been nearly 24 hours since the issue started spreading publicly, and considering the large number of potentially compromised accounts, the responsible thing would be to notify users as soon as possible so they can take steps to secure their own accounts.
However, Valve haven’t commented on the situation yet and it’s not clear when they are going to speak up. Various social media sites have been discussing the issue very actively, such as reddit, where it’s already popped up in many popular sections and has been getting a lot of attention.
Users are advised to keep an eye on their e-mail accounts. If an e-mail related to password recovery is received, the user should definitely not ignore it, and should proceed to verify that their account is still accessible.
It’s important to note that the information contained in the e-mail itself is not necessary to carry out the attack. Receiving this e-mail is simply a sign that the user is being targeted with the attack. However, some have reported that even changing their password has been ineffective, as the hackers are able to simply keep resetting it over and over again, and there was no good way to stop them.
It’s worth noting that there is, and always has been, a 7 day hold on any trading or gifting from any account once it has been accessed from a computer not previously associated with that account.
No one will have their precious diamondback-rusted-fade CS:GO knife skin stolen.
Valve’s hack notification system is bullshit. When I was notified the hacker already took everything: Steam password and Steam e-mail. This happened on August the 23rd. Following Steam procedures I discovered that my Steam email was reset to another one so I couldn’t get into Steam by changing my password. This might happen online, I haven’t blamed anyone (even if, probably, the overall security system is low, given Valve’s online business). However, the worst thing was realizing how little Valve care about hacked accounts. My ticket is well formed and still pending on their support tool. Not even an acknowledgement until today. Not even an answer. I am totally invisible to them. What do I think? They have REALLY serious and MASSIVE troubles with hackers lately. I’m considering leaving Steam and of course, given my experience, I won’t recommend it to anyone, until they PUBLICLY prove they have less vulnerable security systems. I had about 30 (paid) game titles in Steam. They should just stop talking and start investing in a support organization that really works, or they will simply lose their paying customers.
Hi @moonrainbow, did you ever get your account back? I had mine hacked on 28/08/2015 and they still haven’t replied to the ticket I created on 29/08/2015. It is disgraceful.
Bob, it can take 6 weeks for you to get a response from Steam Support.
By that time your account is empty and depending on the mood of the CSR you may not get your items back.
Beyond this you can steal another person’s account by sweet talking Steam Support and claiming the person who is logging in isn’t the actual owner.