In a surprise, a bug led to several Steam accounts being hijacked last week. The flaw was in the “Lost Password” function: anyone who knew a person’s username could send the password to themselves and thus access the account.
Valve has reportedly fixed the bug (that is what they told Kotaku), but it’s still unclear just how much damage was done. Valve is working to find the accounts that were hijacked and to ensure no permanent damage was done, specifically by “resetting passwords on accounts with suspicious password changes during that period.”
Valve does add, however: “Please note that while an account password was potentially modified during this period the password itself was not revealed,” the statement continues. “Also, if Steam Guard was enabled, the account was protected from unauthorized logins even if the password was modified.”
Valve has been working hard to fight phishing and spam on its platforms and is working on a special authentication system that would help stop things like this. This recent attack will likely galvanize the company to ensure it doesn’t happen again.