A gaping hole in Steam's password reset system allowed hackers to hijack other people's accounts using nothing more than their username. The online games store has rushed to patch the flaw, which reportedly affected some of the world's top gaming professionals.
A YouTube video (embedded below) shows the ease with which accounts could be stolen. Attackers simply needed to open the Steam client, go to the password recovery page and enter an account name. At this point the user is prompted to enter a verification code that has been sent to their registered email address, but the flaw allowed any code to be entered - the box could even be left blank. The next screen prompts the user to select a new password, handing hackers access to other users' accounts.
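The defect described above is a verification step that never actually compares the submitted code against the one that was issued. The following is an added illustration (not Valve's code or anything from the original article) of that class of bug beside a hardened version: the fixed check rejects an empty submission, requires an exact constant-time match, expires codes, limits attempts, and makes each code single-use. The account store, function names and timing constants are constructed for the example.

```python
import hmac
import secrets
import time

# Constructed in-memory stores; a real service would back these with a database.
ACCOUNTS = {"alice": {"password": "old-password"}}
RESET_TOKENS = {}  # username -> {"code": str, "expires": float, "attempts": int}

CODE_TTL_SECONDS = 600   # assumed lifetime of an e-mailed reset code
MAX_ATTEMPTS = 5         # assumed guess budget before the code is revoked


def issue_reset_code(username, now=None):
    """Generate the code that would be e-mailed to the registered address.

    Returns None for unknown accounts so the caller can respond identically
    whether or not the account exists.
    """
    if username not in ACCOUNTS:
        return None
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(16)  # unguessable, not a short numeric code
    RESET_TOKENS[username] = {"code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code


def verify_code_broken(username, submitted):
    """The failure mode the article describes: the server only checks that a
    reset was started for the account and never compares the submitted value,
    so any code, or an empty box, passes. Constructed for illustration."""
    return username in RESET_TOKENS


def verify_code_fixed(username, submitted, now=None):
    """Hardened check: presence, expiry, attempt limit, constant-time compare,
    and single use."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.get(username)
    if entry is None or not submitted:
        return False  # no reset in progress, or blank submission
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        RESET_TOKENS.pop(username, None)  # revoke stale or over-tried codes
        return False
    entry["attempts"] += 1
    if not hmac.compare_digest(entry["code"], submitted):
        return False
    RESET_TOKENS.pop(username)  # a code may be used exactly once
    return True


def reset_password(username, submitted_code, new_password, verify=verify_code_fixed):
    """Final step of the flow: only change the password if verification passed."""
    if not verify(username, submitted_code):
        return False
    ACCOUNTS[username]["password"] = new_password
    return True


if __name__ == "__main__":
    code = issue_reset_code("alice")
    print("blank code accepted by broken check:", reset_password("alice", "", "x", verify=verify_code_broken))
    print("blank code accepted by fixed check:", reset_password("alice", "", "y"))
    print("real code accepted by fixed check:", reset_password("alice", code, "z"))
```

The point of the fixed version is that every decision depends on state the attacker cannot supply: a secret code they never received, a clock, and a counter. A detection angle follows from the same design: logging a password change whose verification step recorded zero compare attempts, or a burst of resets across many accounts from one source, is exactly the "suspicious password change" signal Valve refers to below.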
Steam's owner, Valve, was made aware of the bug over the weekend and quickly rushed out a patch, but not before some prominent gaming professionals had their accounts hijacked, according to a report on Kotaku.
In a statement, Valve admitted the bug had been present since the beginning of last week, and was "resetting passwords on accounts with suspicious password changes during that period".
"Relevant users will receive an email with a new password," the company added. "Once that email is received, it is recommended that users log in to their account via the Steam client and set a new password. Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorised logins even if the password was modified."
Steam Guard is an additional security measure that sends a verification email to account holders when someone attempts to log in from a new device.