A serious bug in Valve’s Steam engine has allowed cybercriminals to steal user credentials over the past week, according to reports.
Kotaku reports that although the fallout makes it sound like a complex issue, the bug appears to be pretty basic - a video in the Kotaku post shows that from the “lost password” section of Steam support all an attacker needed was your account name, and from there they could reset your password, choose a new one and get access to your account, with no verification or email address needed.
Valve fixed the issue after it was brought to light, but many users have complained that their accounts had been hacked in the interim.
Valve issued a statement, according to TrustedReviews, saying: “To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.
“Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorised logins even if the password was modified. We apologise for any inconvenience.”
Steam is regularly targeted by hackers due to its considerable popularity. As Welivesecurity.com reported recently, attackers have resorted to hiding malware on fake game pages to compromise gamers.