Over the weekend a major flaw in Steam’s account login process was discovered that allowed users to reset any account knowing only the target’s email address.
Exploiting the security hole was as easy as requesting a password reset code, then visiting the special reset page and pushing OK.
That reset page usually asks for a code that’s sent to your email address to verify your identity, but it would also accept an empty code as valid.
This meant that anyone could break into a Steam account and change the password without needing access to the recovery email address. The bug is now fixed, but that’s one hell of a hole for such a valuable software platform.
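As an added illustration (not Steam’s code; the article does not say how the flaw arose), here is one common way a reset-code check ends up accepting an empty code, next to a hardened version that rejects empty input, requires a live code, compares in constant time and consumes the code once used. The account store and code format are constructed for the example.

```python
import hmac
import secrets
import time

# Constructed example store: email -> (reset_code, expiry_timestamp).
# Not Steam's data structure; it only exists to make the checks runnable.
RESET_CODES = {}


def issue_reset_code(email, ttl_seconds=900):
    """Generate a single-use reset code for an account and remember it."""
    code = secrets.token_urlsafe(16)
    RESET_CODES[email] = (code, time.time() + ttl_seconds)
    return code


def verify_reset_code_vulnerable(email, submitted):
    """One way an 'empty code is valid' bug arises: the comparison only runs
    when something was submitted, so an empty string skips it entirely."""
    stored, _expiry = RESET_CODES.get(email, ("", 0.0))
    if submitted and submitted != stored:
        return False
    return True  # reached for a correct code AND for an empty one


def verify_reset_code(email, submitted):
    """Hardened check: empty input fails closed, a code must exist and be
    unexpired, the compare is constant-time, and the code is single use."""
    if not submitted:
        return False
    entry = RESET_CODES.get(email)
    if entry is None:
        return False
    stored, expiry = entry
    if time.time() > expiry:
        del RESET_CODES[email]
        return False
    if not hmac.compare_digest(submitted.encode(), stored.encode()):
        return False
    del RESET_CODES[email]  # consume the code so it cannot be replayed
    return True
```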
Steam told Kotaku that the bug affected only a small number of accounts between July 21 – 25. Still, that’s a long time to leave users wide open to such a major attack vector.
The company is resetting passwords on any affected accounts.
The best way to protect yourself against this kind of attack is to enable Steam’s two-factor authentication, which blocks an attacker from logging in even with your password.