This article was published on July 27, 2015

Massive Steam security flaw left accounts wide open



Over the weekend a major flaw in Steam’s account login process was discovered that allowed users to reset any account knowing only the target’s email address.

Exploiting the security hole was as easy as requesting a password reset code, then visiting the special reset page and pushing OK.

That reset page usually asks for a code that’s sent to your email address to verify your identity, but it would also accept an empty code as valid.

This meant that anyone could break into a Steam account and change the password without needing access to the recovery email address. The bug is now fixed, but that’s one hell of a hole for such a valuable software platform.
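The empty-code flaw described above, as an added illustration that is not Valve's code: the article does not say how Steam's check was written, so `verify_weak` is one hypothetical way a reset page can end up accepting an empty code, shown beside a hardened `verify`. All names, the code length, the lifetime and the attempt limit are assumptions.

```python
import hmac
import secrets
import time

CODE_LEN = 5            # assumed code length
TTL_SECONDS = 900       # assumed lifetime of a reset code
MAX_ATTEMPTS = 5        # assumed guesses allowed per issued code
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"

class ResetStore:
    """Hypothetical in-memory store of pending password-reset codes."""

    def __init__(self):
        self._pending = {}  # account -> [code, expires_at, attempts_left]

    def issue(self, account, now=None):
        now = time.time() if now is None else now
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        self._pending[account] = [code, now + TTL_SECONDS, MAX_ATTEMPTS]
        return code  # in a real flow this goes to the recovery e-mail only

    def verify_weak(self, account, submitted):
        """Flawed: the comparison is skipped when the submitted code is empty."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        if submitted and submitted != entry[0]:
            return False
        return True  # an empty string falls through to here

    def verify(self, account, submitted, now=None):
        """Hardened: fail closed, check shape first, compare in constant time."""
        now = time.time() if now is None else now
        entry = self._pending.get(account)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            del self._pending[account]      # expired or locked out
            return False
        entry[2] -= 1                       # every attempt counts, valid or not
        if not isinstance(submitted, str) or len(submitted) != CODE_LEN:
            return False                    # rejects "", None, wrong length
        if not hmac.compare_digest(submitted.encode(), code.encode()):
            return False
        del self._pending[account]          # single use
        return True
```

A regression test that submits an empty code, a missing code and a wrong-length code to the reset endpoint catches this class of bug before release.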


Steam told Kotaku that the bug affected only a small number of accounts between July 21 and July 25. Still, that’s a long time to leave users wide open to such a major attack vector.

The company is resetting passwords on any affected accounts.

The best way to protect yourself against this kind of attack is to enable Steam’s two-factor authentication, which would block an attacker from logging in even with your password.
