Steam password exploit discovered, but it's now fixed


Steam is a pretty tight ship when it comes to security, but one glaring exploit was recently discovered – and it was scarily simple. As the video above demonstrates (courtesy of YouTuber Elm Hoe), until recently it was possible to access someone's account with only a username.

Basically, the authentification process needed to change an account password could be bypassed by... simply ignoring it. Clicking "continue" without entering the password change verification code offered express access to the user's account. That means if someone had your username (and were aware of the exploit) they could have accessed your account in a few clicks.

Kotaku got in touch with Valve about the issue – which was discovered and fixed last week – and this is how they responded:

To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.

Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorized logins even if the password was modified.

We apologize for any inconvenience.

If you've received an email from Steam at the weekend requesting a password change – that's why.

Shaun Prescott

Shaun Prescott is the Australian editor of PC Gamer. With over ten years experience covering the games industry, his work has appeared on GamesRadar+, TechRadar, The Guardian, PLAY Magazine, the Sydney Morning Herald, and more. Specific interests include indie games, obscure Metroidvanias, speedrunning, experimental games and FPSs. He thinks Lulu by Metallica and Lou Reed is an all-time classic that will receive its due critical reappraisal one day.