I've been following this waiting for some news source I could properly cite before posting it, but there was a Steam exploit that messed with a lot of people, slowly trickling out over the last week, but coming to a head yesterday. Using a fake password recovery page, nefarious folks could get into your account and change your password, without ever sending you an email. If you had Steam Guard or Steam Mobile Authentication enabled, it would send you the email like it should, and the malicious users wouldn't get access to your account, but they WOULD lock you out of trading on your account for five days. In fact, I have no indication in my email about anyone trying to sign into my account, but I have a 5-day trade ban due to suspicious activity, so it seems I got bit myself.

It seems the biggest target was famous streamers on Twitch, but others got compromised or locked out as well.

Valve has fixed the exploit so it no longer works. It seems it was caused by some dev code being left in when moved to production.

This is a reminder that no security is perfect, humans are always the weak point, and you should always take any available security measures to protect your accounts. If you don't have Steam Guard enabled, or two-factor auth on your GMail account, etc., you're playing with fire. But even those aren't perfect. If some of the dev code in this case was related to what happens post-Steam-Guard, for instance, it's possible that they could have accessed accounts that use Steam Guard too. Thankfully, that didn't happen this time!

jdodson (Admin) wrote on 07/26/2015 at 05:43pm

So they phished people with a fake password page OR there was the fake password recovery page injected into Steam itself?

Travis (Admin, Post Author) wrote on 07/26/2015 at 05:59pm

Neither. All they needed was the account's username and they could do everything on their end. No user intervention required. Like, knowing your Steam username, I could generate the fake page on my own computer and get into your account.

Travis (Admin, Post Author) wrote on 07/26/2015 at 06:04pm

That's the scary thing about it. No clicking on the wrong link, no injections, just someone using code on Valve's servers to get into (or trade lock, if you had Steam Guard) your account without you having to fall prey to any typical kind of attack.

But yeah Valve has removed that code.

Travis (Admin, Post Author) wrote on 07/26/2015 at 06:07pm

I said "fake page" but that really isn't accurate. It was a real page on Valve's servers doing it. Just not one that can generally be publicly accessed.
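To make the bug class the thread describes concrete, here is an added illustration that is not Valve's code and was not posted by anyone in this thread: an assumed reconstruction of a reset handler where a leftover dev switch makes the emailed code optional (so the username alone is enough), beside a hardened reset that always checks a single-use, expiring code and puts a trade lock on the account for any attempt, matching the 5-day hold described above. `ResetStore`, `SKIP_CODE_CHECK` and `TOKEN_TTL` are hypothetical names for this example.

```python
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60        # seconds a reset code stays usable (assumed policy)
SKIP_CODE_CHECK = True     # assumed leftover dev switch; must be False in production


class ResetStore:
    """In-memory state for the demo: pending codes, passwords, trade locks."""

    def __init__(self):
        self.pending = {}       # username -> (code, issued_at)
        self.passwords = {}     # username -> password (plaintext only for the demo)
        self.trade_locked = set()

    def issue_code(self, username, now=None):
        """Generate a one-time code; a real service sends it by e-mail only."""
        code = secrets.token_urlsafe(16)
        self.pending[username] = (code, now if now is not None else time.time())
        return code

    def verify_and_consume(self, username, code, now=None):
        """True only if a code was issued, is unexpired and matches in constant time.
        The code is removed on any attempt, so a wrong guess also burns it."""
        now = now if now is not None else time.time()
        entry = self.pending.pop(username, None)
        if entry is None:
            return False
        expected, issued_at = entry
        if now - issued_at > TOKEN_TTL:
            return False
        return hmac.compare_digest(expected, code)


def reset_password_vulnerable(store, username, new_password, code=""):
    """Assumed reconstruction of the flaw: the dev switch makes the emailed code
    optional, so anyone who knows the username can set a new password."""
    if not SKIP_CODE_CHECK and not store.verify_and_consume(username, code):
        return False
    store.passwords[username] = new_password
    return True


def reset_password_fixed(store, username, new_password, code, now=None):
    """Hardened flow: the code is always checked, and every attempt (even a
    failed one) trade-locks the account, as the thread describes Steam doing."""
    store.trade_locked.add(username)
    if not store.verify_and_consume(username, code, now):
        return False
    store.passwords[username] = new_password
    return True
```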

jdodson (Admin) wrote on 07/26/2015 at 07:53pm

Wow. That's a really unfortunate error. Hope your account isn't permanently harmed!

Kind of scary as we all have quite a bit of money invested in all our Steam accounts.

Travis (Admin, Post Author) wrote on 07/26/2015 at 08:21pm

Nah, it won't be, but I didn't do any trading anyway so the 5-day ban won't really matter to me. If it was permanently blocked I'd have issues, for sure.
