Valve fixed a Steam exploit that allowed anyone to take over accounts
Steam is a popular gaming platform that you use to buy and play games, use community features, or use a plethora of other features such as a virtual item marketplace or a workshop to which third-party creators can upload items.
Steam users sign in to the Steam client or website using a username and password combination, and if they have enabled Steam Guard, with a security code in the second step of authentication.
Information about an exploit that allowed anyone to take over Steam accounts was published in the last couple of days to various popular Internet forums such as Reddit.
A demonstration of the hack was recorded and published to YouTube as well which you can watch below.
What happened basically was that Steam's reset password functionality accepted blank confirmation codes.
When you initiate a password reset on Steam, for instance because you have forgotten your password, you are asked to enter your username, linked email address or phone number to receive an email with instructions on how to reset it.
This email contains a link and code that you need to enter in the second step of the process to verify your identity.
Since blank codes were accepted, attackers needed access only to the username of the Steam user to take over the account. The username is displayed in the top right corner on Steam by default. Unless Steam users have taken care to hide it in the interface, it is revealed whenever screenshots are taken and published or when Steam is shown in video streams.
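The article does not say how the confirmation step was implemented, so the following is an added, constructed example rather than Steam's code: it reconstructs the most likely bug shape (a missing code is treated as "nothing to check" and the request falls through to success) next to a hardened verifier that rejects empty input, enforces expiry, compares in constant time and makes the code single-use. The in-memory store and function names are assumptions for illustration.

```python
import hmac
import secrets
import time

# Constructed in-memory store of pending resets: username -> (code, expiry time)
PENDING_RESETS = {}

def issue_reset_code(username, ttl_seconds=900):
    """Generate an unguessable reset code and remember it for the user."""
    code = secrets.token_urlsafe(16)
    PENDING_RESETS[username] = (code, time.time() + ttl_seconds)
    return code

def verify_reset_vulnerable(username, submitted):
    """Hypothetical defective check: only a *non-empty* mismatching code fails,
    so an empty or missing code passes and anyone who knows the username can
    reset the password."""
    entry = PENDING_RESETS.get(username)
    if entry is None:
        return False
    code, _expiry = entry
    if submitted and submitted != code:
        return False
    return True

def verify_reset_hardened(username, submitted):
    """Fail closed: require a pending reset, a non-empty code, an unexpired
    entry, and a constant-time match; consume the code on success."""
    entry = PENDING_RESETS.get(username)
    if entry is None or not submitted:
        return False
    code, expiry = entry
    if time.time() > expiry:
        PENDING_RESETS.pop(username, None)
        return False
    if not hmac.compare_digest(code, submitted):
        return False
    PENDING_RESETS.pop(username, None)  # single use: a replayed code is rejected
    return True
```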
Some users claimed that Steam Guard, Steam's two-factor authentication feature, did not protect accounts from being taken over, but that has not been officially confirmed yet.
Valve has fixed the bug in the meantime but not before accounts of prominent Steam users, Twitch streamers for instance, were taken over by attackers.
The company has improved Steam's defenses against account hacks in the past years, for instance by limiting accounts so that digital items cannot be sold or traded away for several days after certain activities on Steam.
Affected accounts currently seem to be in a lockdown state, which means that activities such as trading are not permitted for those accounts for the time being.
So what should you do if you have been affected or want to know if that is the case? First thing you may want to do is try and log in to your Steam account to see if you can still do so. If that works, all is well and you should not need to do anything else.
If you cannot sign in, it is probably because you are affected by the hack. Try to reset the password on your end and contact Steam support to notify them about it.
If you have not enabled Steam Guard already, now may also be a good time to do so to add two-factor authentication to the account.
Ha, I have two-factor authentication on all my accounts, my email addresses, Steam, and Blizzard. But it sucks that it was that easy to gain access to stuff.