Seen any suspicious activity on your Steam account lately? You're not the only one.
Over the weekend, a major security loophole was discovered in Steam Guard, part of Steam's two-step verification process for logging into an account. Hackers could gain access to anyone's Steam account simply by knowing the account's username and exploiting the password recovery system: no actual passwords or email verification required.
Valve, creator of the Steam platform, has since fixed the bug and, to protect users, has reset passwords on any accounts that had suspicious changes over the last week. Since the loophole involved bypassing the password system entirely, no passwords were leaked in the process.
Though no additional accounts can be exploited, the fallout from ones already hacked continues. Many people with prominent profiles, such as Twitch streamers, were the first to be affected, and had their accounts frozen in a five-day ban by Valve to prevent more damage from being done. The ban also affects Steam Market traders, who can have significant amounts of money invested in their accounts. Freezing things for a few days should allow Valve to sort out the mess of hacked vs. legitimate trades. Other users whose passwords were changed can expect to receive an email from Valve with a new password.
In a statement to Kotaku, Valve encourages users to activate Steam Guard to help increase security. Steam Guard protected users from unauthorized logins even if their accounts were compromised.