Valve resolves recently exploited Steam password reset vulnerability

Scorpus

Staff member

Valve has quickly addressed a major security vulnerability with Steam's password reset utility after it was discovered that the Steam accounts for a number of prominent game streamers were compromised.

The vulnerability allowed an attacker to reset the password of any Steam account by simply not entering a recovery code during the password reset process. This "bug", as Valve called it, made gaining access to an account very easy: the reset process failed to check that the recovery code, usually sent to the account holder's email address, had been correctly entered.

The video above demonstrates just how easily the vulnerability could be exploited.

Valve discovered the issue on July 25 and immediately fixed it, noting that some accounts may have been impacted between July 21 and July 25. The company is resetting the passwords of accounts with "suspicious password changes" made during that period to prevent malicious users from gaining further access.

Anyone who has enabled Steam Guard, Valve's two-factor authentication system, on their account would not have been affected by the vulnerability in Steam's password reset utility. Although an attacker could still have reset a user's password, they wouldn't have been able to log in to the account itself without also having access to the user's email account.

While Valve did manage to address the issue shortly after it was discovered, such a glaring vulnerability should never have existed in the first place, and it's just lucky that not many accounts were compromised. It should also serve as a reminder to Steam users to enable Steam Guard to prevent unwanted account access even if their login credentials are stolen or modified.
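The failure described in the article, a reset that succeeds when no recovery code is entered, is a fail-open check. The Python example below is added here and is not Valve's code: the `ResetCodes` class, its method names and the 15-minute expiry are assumptions made for illustration. It puts one plausible shape of that bug beside a verifier that fails closed.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 15 * 60  # assumed policy: codes expire after 15 minutes


def _digest(code):
    return hashlib.sha256(code.encode("utf-8")).digest()


class ResetCodes:
    """In-memory stand-in for server-side reset state (hypothetical)."""

    def __init__(self):
        self._pending = {}  # account -> (digest of code, expiry timestamp)

    def issue(self, account, now=None):
        """Create a code for the account; a real service would e-mail it."""
        now = time.time() if now is None else now
        code = secrets.token_hex(4).upper()
        self._pending[account] = (_digest(code), now + CODE_TTL)
        return code

    def verify_flawed(self, account, submitted):
        """Assumed bug shape: the comparison only runs when a code is present."""
        entry = self._pending.get(account)
        if submitted and entry is not None:
            return hmac.compare_digest(_digest(submitted), entry[0])
        return True  # empty field or no pending code falls through to success

    def verify(self, account, submitted, now=None):
        """Fail closed: every path that does not prove the code returns False."""
        now = time.time() if now is None else now
        entry = self._pending.get(account)
        if not submitted or entry is None:
            return False
        digest, expires_at = entry
        if now > expires_at:
            del self._pending[account]
            return False
        if not hmac.compare_digest(_digest(submitted), digest):
            return False
        del self._pending[account]  # single use: a code cannot be replayed
        return True
```

A regression test for a reset endpoint should include the empty and missing-field cases explicitly, since those are the inputs a "did the code match" test suite tends to leave out.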


 
Anyone who has used Steam Guard, has most likely disabled it. It's complete BS and extremely annoying.
 

Really? I have used it and still do, whenever I log into my computer I set the "remember computer" and it will only ask when it's from somewhere else, it's not bs and it's not annoying either.
 

For some reason it ALWAYS asked me for the code; every time I logged into Steam.
...and yes, I would mark it "remember computer"
 
I am in the same boat with Kibaruk. I love Steam Guard and it gives me a bit of peace-of-mind even though I know it's not bulletproof. It also does not prompt me after I've set it to remember this computer.
 