• Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.
  • The Politics forum has been nuked. Please do not bring political discussion to the rest of the site, or you will be removed. Thanks.

Steam Account Hacked - Emails Not

Lucifon

Junior Member
Jun 29, 2012
5,605
2
0
UK
www.twitch.tv
Woke up this morning to find multiple password reset and then a Steam Guard request in my emails from Russia at around midnight (I'm in the UK, emails showed as unread). After regaining access to my account by doing a reset password it said my account was authorised from Russia at 00:13 and if it wasn't me to change my password (Which I'd just done) and reset all Steam Guard authorisations on my account.

Luckily nothing seems to have changed, my inventory, items and account wallet all 'look' the same to me.

So... this means someone got into my emails and Steam, both of which are passwords completely unique to those services. I then checked my email account activity and there were no login attempts from Russia, nor were any successful login attempts from anyone but me recently. My emails weren't hacked as far as I can see.

This means someone got access to my Steam account without getting into my emails. Therefore bypassing Steam Guard. What gives?

Update - Explanation from YianGaruga:
 
Nov 10, 2005
32,142
25
0
Honestly, it so often that accounts are hacked by people from Russia that it might just be safe to add extra authentication procedures if an account from the US gets accessed by someone from Russia.
 
Dec 14, 2008
33,949
2,544
1,360
The Steam app on your phone now supports Steam Mobile Authenticator.

This is better than Steam Guard by email because the Russian guy has to physically go to your house and take your phone out of your pocket to hack your Steam account.

Unless you live in Russia, then I dunno.

edit: I don't think the SMA would have protected people against this hack tho
 

Costia

Member
Mar 8, 2013
1,915
0
0
steamcommunity.com
Apparently since at least Friday you could reset any user's password if you knew their steam login name. (http://gyazo.com/e67dd6a786ae0760b9dd736c3e3a332d)
It was so easy that its stupid. You just had to go to "I forgot my password" and it would just accept a blank e-mail verification code. Then you could change the password to whatever you wanted. The only thing you needed to know was the account name - to request a password reset.
This affected quite a lot of streamers today who were unable to login into their accounts and got kicked out of their games.
It was patched a few hours after it became widely known.

Edit: This is true even if you have steam guard or/and the mobile app. The password change didn't require any codes from either of them.
But if you have steam guard the email code would still be needed to actually login using the new password on a new computer.
Also "If you reset your password, you will be restricted from trading and the Community Market for seven days."
So the main effect of this exploit is locking people out of their accounts and imposing the trade restriction on their account.
The problem is with people who seldom log in to their account and have no steam guard - their accounts might get actually stolen.
 

Lucifon

Junior Member
Jun 29, 2012
5,605
2
0
UK
www.twitch.tv
There was a huge security issue with Steam a few hours ago but I think it's fixed now

https://www.reddit.com/r/Steam/comments/3elt4w/several_twitch_streamers_just_got_hijacked_and/

How it worked

https://www.youtube.com/watch?v=QPl_BJoBaVA

Great, thanks for this. That must be it then. I've changed my password anyway, but this explains it given they don't have access to my emails.

Everything looks fine on my account so that was my main worry. Surprised this wasn't a bigger deal.
 

Coreda

Member
May 27, 2013
7,732
5
0
Apparently since at least Friday you could reset any user's password if you knew their steam login name.

It was so easy that its stupid. You just had to go to "I forgot my password" and it would just accept a blank e-mail verification code. Then you could just change the password to whatever you wanted.

Unbelievable. Glad I wasn't affected.
 
Nov 23, 2011
4,223
54
445
This exploit did not affect the Steam Guard verification code form, so the abusers could change anyone's password but not get past Steam Guard.

All accounts with Steam Guard disabled were completely out in the open though.
 

//ARCANUM

Member
Jan 31, 2014
4,526
0
450
They basically opened up access to everyone's account (that don't have steam guard on). That's NUTS. How are people not flaming STEAM for this!? This is a huge issue. Even though they've patched it, the fact that it happened is a big problem that needs to be addressed and Valve needs to find a way to ensure us all that something as stupidly simple as this won't happen again.
 

jsnepo

Member
Dec 5, 2008
3,947
0
725
Did this happen probably a week or two ago? I got a couple of email messages saying that my password was being reset with a code (my email has 2 step verification so I doubt anyone was able to reset it).

I didn't do anything because well according to the email, if I did not reset it, just ignore it.
 

terrible

Banned
Oct 21, 2012
4,919
8
580
Toronto, CA
I've had someone try to reset my Steam password twice in the last couple weeks. I changed my passwords both times out of paranoia. I've had my account since 2004 [edit: 2003] and until now I've never had even a single attempt. I guess it's likely unrelated to this but it reminded me of that anyway.
 

Costia

Member
Mar 8, 2013
1,915
0
0
steamcommunity.com
I am quite surprised this isn't getting much attention.
It's a very simple exploit - a bug that should have been caught in QA and never released for the live version of the website.
 

Dunkley

Member
Jun 17, 2014
5,335
0
0
In case they aren't doing something against that already, you know considering they are banning trading and such for 5 days, Steam should implement an opt-in feature to disable purchases for a few days after a password reset too.

Might miss a Midweek Madness sale that way, but at least you aren't screwed if something like this happens and you got your payment info attached.
 
Nov 23, 2011
4,223
54
445
How do I remove credit card details from Steam? I never buy games on Steam anyway, so I might as well be safe.

edit: Looks like the account page is quite confusing, seems like I already have no card info stored on Steam. So that's why there was no remove button next to "Credit Card".
 

Uhyve

Member
Feb 15, 2013
1,239
0
0
Did this happen probably a week or two ago? I got a couple of email messages saying that my password was being reset with a code (my email has 2 step verification so I doubt anyone was able to reset it).

I didn't do anything because well according to the email, if I did not reset it, just ignore it.
Yeah, same here. Got the feeling I would've lost 1000+ games last week if I didn't have two step activated. Guess the hacker didn't bother annoying me with a password reset since without my email he wouldn't have been able to log in.
 

comedykev

Neo Member
Mar 13, 2012
19
2
550
I am quite surprised this isn't getting much attention.
It's a very simple exploit - a bug that should have been caught in QA and never released for the live version of the website.

I bet if it was uplay or origin it would be all over the gaming sites.
 

Skelter

Banned
Apr 3, 2013
4,899
19
615
New York
Well shit. I was logged in when a popup came up telling me I was logged in elsewhere. I changed my password and added the two factor authorization with my phone. I hope this gets fixed soon.
 

chaobreaker

Member
Nov 18, 2013
9,623
4
0
Canada
So apparently this exploit was already resolved and you're only fucked if you didn't have some 2-step authentication like steam guard or the mobile authenticator.

You're doubly fucked if your steam username is the same as your screen name as then all it would take is some asshole to pick out your account to try to attempt this exploit. You might become a high profile target if you have a public inventory with valuable stuff.

You're exponentially fucked if you're some internet famous streamer/pro-gamer who has his/her username show up on twitch.
 

flipswitch

Member
Jul 12, 2005
7,030
2
1,310
I had steam guard through email ( 2 step authentication) but changed to it my mobile. Is this a better solution/ more safer?
 

The_Player

Member
Jun 9, 2010
2,829
0
775
Honestly, it so often that accounts are hacked by people from Russia that it might just be safe to add extra authentication procedures if an account from the US gets accessed by someone from Russia.

Yeah, and also we eat babies. Who in their sane mind gonna hack stuff not proxying himself through several VPNs first? Quality gaf poster strikes again.
 

PHOENIXZERO

Member
Jan 7, 2007
14,183
0
1,150
Glad I don't play games online with my Steam account. Gonna guess that with Russians involved CS:GO players were the largest group targeted.
 

RhyDin

Member
Apr 6, 2013
644
1
570
Holy shit, how was this never noticed before?

It could have been a recent change (may not have always been exploitable).

I wonder how many accounts have been compromised using this method and for how long it existed. What a pity, I'm incredibly disappointed right now.

What methods does Steam offer for multi-factor authentication, anyone know? Would be good to update the OP with this information.
 

Lucifon

Junior Member
Jun 29, 2012
5,605
2
0
UK
www.twitch.tv
So apparently this exploit was already resolved and you're only fucked if you didn't have some 2-step authentication like steam guard or the mobile authenticator.

You're doubly fucked if your steam username is the same as your screen name as then all it would take is some asshole to pick out your account to try to attempt this exploit. You might become a high profile target if you have a public inventory with valuable stuff.

You're exponentially fucked if you're some internet famous streamer/pro-gamer who has his/her username show up on twitch.

I had Steam Guard that's the crazy thing. My emails have no record of being hacked but after logging in to Steam it told me there was an authorized login from Russia at 00:13. Surely the streamers who were being targetted last night also had it on?
 

fedexpeon

Banned
Nov 23, 2013
5,140
0
0
Wow...I guess Steam changed the field to accept T=" " for entering code during their updated.
Geezus, I wonder how many people were screwed by this.
 

RhyDin

Member
Apr 6, 2013
644
1
570
Wow...I guess Steam changed the field to accept T=" " for entering code during their updated.
Geezus, I wonder how many people were screwed by this.

I would assume this kind of stuff is logged and easily traceable.

A full compromise of the account wouldn't be likely, as they'd need to hijack your e-mail (e-mail not visible in this exploit, password to e-mail would be unknown). Anyone affected by this should be able to do a password reset - to change the e-mail associated with a Steam account, I believe it takes a certain amount of time (?) or you need to click a verification link in the original e-mail.
 

Suikoguy

I whinny my fervor lowly, for his length is not as great as those of the Hylian war stallions
Jun 6, 2004
20,904
1
0
They need to review their change management for security coding.
This could have easily have been far worse.
 

cyberheater

PS4 PS4 PS4 PS4 PS4 PS4 PS4 PS4 PS4 PS4 PS4 PS4 PS4 PS4 PS4 PS4 PS4 Xbone PS4 PS4
Mar 10, 2005
19,448
542
1,815
Why wouldn't folks have steam guard?
 

RhyDin

Member
Apr 6, 2013
644
1
570
Valve needs to provide an authenticator like Blizzard does.
Pay 10€, be safe.
It would be very easy to implement and much secure compared to phone auth, because you take your phone all around where you travel, while you can leave an authenticator in your home using it only when needed, just like bank auths.

Or you can just use full device encryption on your phone (android phones have this now) and set a good passcode, enable factory resetting on it after failed attempts, remotely wipe the device, etc.
 

Nzyme32

Member
May 23, 2013
18,286
1
0
I had Steam Guard that's the crazy thing. My emails have no record of being hacked but after logging in to Steam it told me there was an authorized login from Russia at 00:13. Surely the streamers who were being targetted last night also had it on?

This is the bit I don't get. How does one get around Steam Guard?
 

RhyDin

Member
Apr 6, 2013
644
1
570
This is the bit I don't get. How does one get around Steam Guard?

I believe this bypassed the need for the Steam Guard code (the actual code shown in the video where you leave the field blank is the randomized Steam Guard code either sent to your phone app or e-mail).

A dedicated device would be easier to use for several reasons, first one is you can hardly lost access to it.

Yeah, maybe. I don't want to use the mobile app version because if I restore my device or change phones, it will probably be a headache to log into Steam again. Seems like too much hassle. A dedicated device would be nice, just as long as there was no monthly fee.
 

Nzyme32

Member
May 23, 2013
18,286
1
0
I had Steam Guard that's the crazy thing. My emails have no record of being hacked but after logging in to Steam it told me there was an authorized login from Russia at 00:13. Surely the streamers who were being targetted last night also had it on?

Actually are you sure you are reading that right? I've only seen Steam email me about attempts to access the account via a different location than the norm, but not actually someone gaining access after that.

Each time this has happened, it has been me in a different country, and I receive no emails upon actually access