The Steam Guard fell asleep at its post
You know Steam Guard? The thing that’s supposed to give your Steam account more protection by using two-step verification? Turns out that was part of a major security bug, which allowed hackers to take people’s accounts and change the passwords.
Fortunately it’s been patched now, but for roughly the past week people have simply been able to skip the Steam Guard verification by not even entering a code. Just clicking continue when asked for it would allow the process to continue.
The video below shows exactly how the bug worked, and it’s pretty scary stuff. You didn’t need access to the victim’s email; you just needed to know their log-in username (which, to be safe, shouldn’t be shared and shouldn’t be the same as your Steam profile name).
Valve supplied Kotaku with a statement on the bug, and confirmed it has now been totally fixed:
To protect users, we are resetting passwords on accounts with suspicious password changes during that period or that may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users log in to their account via the Steam client and set a new password.
Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorised logins even if the password was modified.
We apologise for any inconvenience.
That bug is the equivalent of not having a key to a door, and instead just walking straight on through anyway like some weird game-stealing ghost.
Steam Accounts Hijacked Following Security Lapse [Kotaku]