Support NeoGAF

[Lucifon]

Woke up this morning to find multiple password reset and then a Steam Guard request in my emails from Russia at around midnight (I'm in the UK, emails showed as unread). After regaining access to my account by doing a reset password it said my account was authorised from Russia at 00:13 and if it wasn't me to change my password (Which I'd just done) and reset all Steam Guard authorisations on my account.

Luckily nothing seems to have changed, my inventory, items and account wallet all 'look' the same to me.

So... this means someone got into my emails and Steam, both of which are passwords completely unique to those services. I then checked my email account activity and there were no login attempts from Russia, nor were any successful login attempts from anyone but me recently. My emails weren't hacked as far as I can see.

This means someone got access to my Steam account without getting into my emails. Therefore bypassing Steam Guard. What gives?

Update - Explanation from YianGaruga:

There was a huge security issue with Steam a few hours ago but I think it's fixed now

https://www.reddit.com/r/Steam/comments/3elt4w/several_twitch_streamers_just_got_hijacked_and/

How it worked

https://www.youtube.com/watch?v=QPl_BJoBaVA

 

[A Link to the Past]

Honestly, it so often that accounts are hacked by people from Russia that it might just be safe to add extra authentication procedures if an account from the US gets accessed by someone from Russia.

 

[YianGaruga]

There was a huge security issue with Steam a few hours ago but I think it's fixed now

https://www.reddit.com/r/Steam/comments/3elt4w/several_twitch_streamers_just_got_hijacked_and/

How it worked

https://www.youtube.com/watch?v=QPl_BJoBaVA

I don't remember password > Email > enter conformation code from email (Leave blank!) > steam accepts the blank code and lets you reset your password

 

[Unknown Soldier]

The Steam app on your phone now supports Steam Mobile Authenticator.

This is better than Steam Guard by email because the Russian guy has to physically go to your house and take your phone out of your pocket to hack your Steam account.

Unless you live in Russia, then I dunno.

edit: I don't think the SMA would have protected people against this hack tho

 

[Dunkley]

There was a huge security issue with Steam a few hours ago but I think it's fixed now

https://www.reddit.com/r/Steam/comments/3elt4w/several_twitch_streamers_just_got_hijacked_and/

How it worked

https://www.youtube.com/watch?v=QPl_BJoBaVA

That's severe.

Gotta check my account later when I get home.

 

[Costia]

Apparently since at least Friday you could reset any user's password if you knew their steam login name. (http://gyazo.com/e67dd6a786ae0760b9dd736c3e3a332d)
It was so easy that its stupid. You just had to go to "I forgot my password" and it would just accept a blank e-mail verification code. Then you could change the password to whatever you wanted. The only thing you needed to know was the account name - to request a password reset.
This affected quite a lot of streamers today who were unable to login into their accounts and got kicked out of their games.
It was patched a few hours after it became widely known.

Edit: This is true even if you have steam guard or/and the mobile app. The password change didn't require any codes from either of them.
But if you have steam guard the email code would still be needed to actually login using the new password on a new computer.
Also "If you reset your password, you will be restricted from trading and the Community Market for seven days."
So the main effect of this exploit is locking people out of their accounts and imposing the trade restriction on their account.
The problem is with people who seldom log in to their account and have no steam guard - their accounts might get actually stolen.

 

[Komo]

There was a huge security issue with Steam a few hours ago but I think it's fixed now

https://www.reddit.com/r/Steam/comments/3elt4w/several_twitch_streamers_just_got_hijacked_and/

How it worked

https://www.youtube.com/watch?v=QPl_BJoBaVA

Wow, that's insane

 

[Lucifon]

There was a huge security issue with Steam a few hours ago but I think it's fixed now

https://www.reddit.com/r/Steam/comments/3elt4w/several_twitch_streamers_just_got_hijacked_and/

How it worked

https://www.youtube.com/watch?v=QPl_BJoBaVA

Great, thanks for this. That must be it then. I've changed my password anyway, but this explains it given they don't have access to my emails.

Everything looks fine on my account so that was my main worry. Surprised this wasn't a bigger deal.

 

[Coreda]

Apparently since at least Friday you could reset any user's password if you knew their steam login name.

It was so easy that its stupid. You just had to go to "I forgot my password" and it would just accept a blank e-mail verification code. Then you could just change the password to whatever you wanted.

Unbelievable. Glad I wasn't affected.

 

[Nokterian]

There was a huge security issue with Steam a few hours ago but I think it's fixed now

https://www.reddit.com/r/Steam/comments/3elt4w/several_twitch_streamers_just_got_hijacked_and/

How it worked

https://www.youtube.com/watch?v=QPl_BJoBaVA

Holy shit that was a huge fuck up from valve glad it is fixed now.

 

[JaseC]

There was a huge security issue with Steam a few hours ago but I think it's fixed now

https://www.reddit.com/r/Steam/comments/3elt4w/several_twitch_streamers_just_got_hijacked_and/

How it worked

https://www.youtube.com/watch?v=QPl_BJoBaVA

That's quite the oversight.

 

[Permanently A]

I don't understand, how could such a simple exploit not be caught for this long?

 

[Hamster Plugin]

This exploit did not affect the Steam Guard verification code form, so the abusers could change anyone's password but not get past Steam Guard.

All accounts with Steam Guard disabled were completely out in the open though.

 

[//ARCANUM]

They basically opened up access to everyone's account (that don't have steam guard on). That's NUTS. How are people not flaming STEAM for this!? This is a huge issue. Even though they've patched it, the fact that it happened is a big problem that needs to be addressed and Valve needs to find a way to ensure us all that something as stupidly simple as this won't happen again.

 

[jsnepo]

Did this happen probably a week or two ago? I got a couple of email messages saying that my password was being reset with a code (my email has 2 step verification so I doubt anyone was able to reset it).

I didn't do anything because well according to the email, if I did not reset it, just ignore it.

 

[Soulflarz]

*watches the video*
Valve...the hell

 

[terrible]

I've had someone try to reset my Steam password twice in the last couple weeks. I changed my passwords both times out of paranoia. I've had my account since 2004 [edit: 2003] and until now I've never had even a single attempt. I guess it's likely unrelated to this but it reminded me of that anyway.

 

[Mivey]

*watches the video*
Valve...the hell

What if Gaben knew about this ... all along!

 

[Costia]

I am quite surprised this isn't getting much attention.
It's a very simple exploit - a bug that should have been caught in QA and never released for the live version of the website.

 

[cyberheater]

How it worked

https://www.youtube.com/watch?v=QPl_BJoBaVA

It kind of makes me a bit angry that something that simple is even possible.

 

[Dunkley]

In case they aren't doing something against that already, you know considering they are banning trading and such for 5 days, Steam should implement an opt-in feature to disable purchases for a few days after a password reset too.

Might miss a Midweek Madness sale that way, but at least you aren't screwed if something like this happens and you got your payment info attached.

 

[Hamster Plugin]

How do I remove credit card details from Steam? I never buy games on Steam anyway, so I might as well be safe.

edit: Looks like the account page is quite confusing, seems like I already have no card info stored on Steam. So that's why there was no remove button next to "Credit Card".

 

[Uhyve]

Did this happen probably a week or two ago? I got a couple of email messages saying that my password was being reset with a code (my email has 2 step verification so I doubt anyone was able to reset it).

I didn't do anything because well according to the email, if I did not reset it, just ignore it.

Yeah, same here. Got the feeling I would've lost 1000+ games last week if I didn't have two step activated. Guess the hacker didn't bother annoying me with a password reset since without my email he wouldn't have been able to log in.

 

[Fray Bentos]

I am quite surprised this isn't getting much attention.
It's a very simple exploit - a bug that should have been caught in QA and never released for the live version of the website.

I bet if it was uplay or origin it would be all over the gaming sites.

 

[Skelter]

Well shit. I was logged in when a popup came up telling me I was logged in elsewhere. I changed my password and added the two factor authorization with my phone. I hope this gets fixed soon.

 

[chaobreaker]

Just checked my steam account after like a day of inactivity. Seems fine. I had steam guard so I guess I'm good?

 

[TatteredHat]

It's such a simple exploit, how embarassing.

 

[Mr Swine]

How in the world is it possible to have such a big security flaw when you have a software platform like Steam?

 

[OrlanisWorks]

Crazy simple and easy. How you miss that, Valve!?

 

[chaobreaker]

So apparently this exploit was already resolved and you're only fucked if you didn't have some 2-step authentication like steam guard or the mobile authenticator.

You're doubly fucked if your steam username is the same as your screen name as then all it would take is some asshole to pick out your account to try to attempt this exploit. You might become a high profile target if you have a public inventory with valuable stuff.

You're exponentially fucked if you're some internet famous streamer/pro-gamer who has his/her username show up on twitch.

 

[flipswitch]

I had steam guard through email ( 2 step authentication) but changed to it my mobile. Is this a better solution/ more safer?

 

[Fat4all]

Maybe this means someone else will play my backlog for me.

 

[chaobreaker]

I had steam guard through email ( 2 step authentication) but changed to it my mobile. Is this a better solution/ more safer?

I guess it is, as long as you don't lose your phone.

 

[flipswitch]

I guess it is, as long as you don't lose your phone.

Thanks. I'm going to change it back .

 

[Yasae]

I love the 21st century. Has Skynet risen yet?

 

[SJRB]

Holy shit, how was this never noticed before?

 

[The_Player]

Honestly, it so often that accounts are hacked by people from Russia that it might just be safe to add extra authentication procedures if an account from the US gets accessed by someone from Russia.

Yeah, and also we eat babies. Who in their sane mind gonna hack stuff not proxying himself through several VPNs first? Quality gaf poster strikes again.

 

[PHOENIXZERO]

Glad I don't play games online with my Steam account. Gonna guess that with Russians involved CS:GO players were the largest group targeted.

 

[gai_shain]

I guess it is, as long as you don't lose your phone.

Well you get a code that you use if you lose your phone when setting it up

 

[RhyDin]

Holy shit, how was this never noticed before?

It could have been a recent change (may not have always been exploitable).

I wonder how many accounts have been compromised using this method and for how long it existed. What a pity, I'm incredibly disappointed right now.

What methods does Steam offer for multi-factor authentication, anyone know? Would be good to update the OP with this information.

 

[Lucifon]

So apparently this exploit was already resolved and you're only fucked if you didn't have some 2-step authentication like steam guard or the mobile authenticator.

You're doubly fucked if your steam username is the same as your screen name as then all it would take is some asshole to pick out your account to try to attempt this exploit. You might become a high profile target if you have a public inventory with valuable stuff.

You're exponentially fucked if you're some internet famous streamer/pro-gamer who has his/her username show up on twitch.

I had Steam Guard that's the crazy thing. My emails have no record of being hacked but after logging in to Steam it told me there was an authorized login from Russia at 00:13. Surely the streamers who were being targetted last night also had it on?

 

[fedexpeon]

Wow...I guess Steam changed the field to accept T=" " for entering code during their updated.
Geezus, I wonder how many people were screwed by this.

 

[RhyDin]

Wow...I guess Steam changed the field to accept T=" " for entering code during their updated.
Geezus, I wonder how many people were screwed by this.

I would assume this kind of stuff is logged and easily traceable.

A full compromise of the account wouldn't be likely, as they'd need to hijack your e-mail (e-mail not visible in this exploit, password to e-mail would be unknown). Anyone affected by this should be able to do a password reset - to change the e-mail associated with a Steam account, I believe it takes a certain amount of time (?) or you need to click a verification link in the original e-mail.

 

[Falk]

How are people not flaming STEAM for this!?

Is this like when people claim global warming isn't happening?

 

[Suikoguy]

They need to review their change management for security coding.
This could have easily have been far worse.

 

[cyberheater]

Why wouldn't folks have steam guard?

 

[RhyDin]

Valve needs to provide an authenticator like Blizzard does.
Pay 10€, be safe.
It would be very easy to implement and much secure compared to phone auth, because you take your phone all around where you travel, while you can leave an authenticator in your home using it only when needed, just like bank auths.

Or you can just use full device encryption on your phone (android phones have this now) and set a good passcode, enable factory resetting on it after failed attempts, remotely wipe the device, etc.

 

[Nzyme32]

I had Steam Guard that's the crazy thing. My emails have no record of being hacked but after logging in to Steam it told me there was an authorized login from Russia at 00:13. Surely the streamers who were being targetted last night also had it on?

This is the bit I don't get. How does one get around Steam Guard?

 

[RhyDin]

This is the bit I don't get. How does one get around Steam Guard?

I believe this bypassed the need for the Steam Guard code (the actual code shown in the video where you leave the field blank is the randomized Steam Guard code either sent to your phone app or e-mail).

A dedicated device would be easier to use for several reasons, first one is you can hardly lost access to it.

Yeah, maybe. I don't want to use the mobile app version because if I restore my device or change phones, it will probably be a headache to log into Steam again. Seems like too much hassle. A dedicated device would be nice, just as long as there was no monthly fee.

 

[Nzyme32]

I had Steam Guard that's the crazy thing. My emails have no record of being hacked but after logging in to Steam it told me there was an authorized login from Russia at 00:13. Surely the streamers who were being targetted last night also had it on?

Actually are you sure you are reading that right? I've only seen Steam email me about attempts to access the account via a different location than the norm, but not actually someone gaining access after that.

Each time this has happened, it has been me in a different country, and I receive no emails upon actually access