Valve’s Steam is the biggest platform in the PC gaming market, with Valve themselves being one of the most prominent companies in the gaming industry as a whole. Steam has millions of accounts all over the world, and in some cases people have invested literally thousands of dollars into their own accounts. That is why a security breach like the one that occurred a few days ago is something to take very seriously.
Reports are still blurry and information keeps coming out – Valve themselves are yet to make an official statement on the issue – but according to a demonstration that was posted on YouTube, a hacker could abuse the “forgotten password” feature in Steam’s log-in service to completely bypass the stage where a security code has to be entered, and so gain the ability to reset the password of the account.
All an attacker needs to carry out this exploit is the account name of a Steam user. It’s not yet clear if Steam Guard offers sufficient protection from the exploit, as there have been some reports from users claiming that their accounts have been compromised even with Steam Guard enabled.
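As an added illustration (not Valve's code and not part of the original article), the sketch below shows one way a server can make the security-code stage impossible to skip: the final password change accepts only a one-time ticket that the code-verification stage itself issued for that account. The article does not say how the stage was bypassed; the class and method names, the timeout and the attempt limit are all assumptions made for the example.

```python
import hmac
import secrets
import time

CODE_TTL = 600      # seconds a mailed code stays valid (assumed value)
MAX_ATTEMPTS = 5    # wrong guesses allowed before the request is voided (assumed)

class ResetFlow:
    """Server-side state for a 'forgotten password' flow (hypothetical design)."""

    def __init__(self):
        self.pending = {}    # account -> [code, expiry, failed_attempts]
        self.tickets = {}    # one-time ticket -> account, minted after the code stage
        self.passwords = {}  # account -> password (plain text only to keep the demo short)

    def request_reset(self, account):
        code = secrets.token_hex(4)
        self.pending[account] = [code, time.time() + CODE_TTL, 0]
        return code  # a real service e-mails this; it is returned here for the demo

    def verify_code(self, account, submitted):
        entry = self.pending.get(account)
        if entry is None or time.time() > entry[1]:
            return None
        # A blank or missing code counts as a failed attempt, never as "nothing to check".
        ok = isinstance(submitted, str) and submitted != "" and hmac.compare_digest(
            submitted.encode(), entry[0].encode())
        if not ok:
            entry[2] += 1
            if entry[2] >= MAX_ATTEMPTS:
                del self.pending[account]
            return None
        del self.pending[account]
        ticket = secrets.token_urlsafe(32)
        self.tickets[ticket] = account
        return ticket

    def set_password(self, account, ticket, new_password):
        # The last stage trusts only a ticket minted by verify_code for this
        # account, so calling it directly (skipping the code stage) fails.
        if not ticket or self.tickets.get(ticket) != account:
            return False
        del self.tickets[ticket]          # single use
        self.passwords[account] = new_password
        return True
```

Because the ticket exists only on the server and only after a correct code, knowing the account name alone is not enough to reach the password change.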
Valve have closed the loophole already, but not before significant amounts of damage were done to many users. Among the affected are various prominent Twitch streamers, who’ve had their accounts hijacked and locked down. Valve have apparently started to impose a 5-day “ban” on accounts that have been compromised in the incident, but it’s not clear if there will be any additional consequences for those who have been affected.
Some users have been worried about the possibility of “VAC bans” – Valve’s anti-cheat system is quite notorious for its permanent bans, and even in cases where users have had their accounts hijacked, Valve typically never revert these bans.
On the other hand, users who actively trade on the Steam Market have been worried that they might lose some of their hard-earned items, which is a real danger now that their accounts have been compromised. This could be one of the reasons for the 5-day lockdown, as it would allow Valve to carefully sort out the mess without people trading and getting in their way.
Some have pointed out that Valve’s silence on the matter has been worrying. It’s been nearly 24 hours since the issue started spreading publicly, and considering the large number of potentially compromised accounts, the responsible thing would be to notify users as soon as possible so they can take steps to secure their own accounts.
However, Valve haven’t commented on the situation yet and it’s not clear when they are going to speak up. Various social media sites have been discussing the issue very actively, such as reddit, where it’s already popped up in many popular sections and has been getting a lot of attention.
Users are advised to keep an eye on their e-mail accounts. If an e-mail related to password recovery is received, the user should not ignore it, and should verify that their account is still accessible.
It’s important to note that the information contained in the e-mail itself is not necessary to carry out the attack. Receiving this e-mail is simply a sign that the user is being targeted with the attack. However, some have reported that even changing their password has been ineffective, as the hackers have been able to simply keep resetting it over and over again, and there has been no good way to stop them.
Activating Steam Guard is a must nowadays, not just in the context of issues like this but in general. With Steam being as popular as it is, it’s reasonable to assume that it’s going to be regularly targeted by security attacks, and incidents like this are going to become even more prominent in the future.
Hopefully Valve were able to resolve everything on the backend before the issue spread out of control, but it would appear that a lot of damage has already been done. Users are strongly displeased with the situation, and a quick glance at popular gaming forums is enough to confirm that.
The main issue that people seem to have is not so much with the fact that the hack happened though – after all, we’ve learned to accept that nobody is safe from security exploits – it’s in the way Valve have been communicating with their users about the issue.
They are known to be relatively silent and secretive in general, but in an incident like this, sending out a mass e-mail to warn users to keep their accounts in check should be one of the first actions they take. The situation is still developing, so affected users should follow the news and social media for information over the next few days.