-
Hey Guest. Check out your NeoGAF Wrapped 2025 results here!
Steam Account Hacked - Emails Not
- Thread starter Lucifon
- Start date
diggmcbadass
Member
This is an insane security breach. I had two password reset requests from russian IPs against my Steam account last week, but I don't think anything happened since I didn't get any Steam Guard notifications and my password appears to be unchanged.
Anthony Soprano
Banned
This is not as good as third party device authentication by phone or tablet, as outlined in the Manage Steam Guard page ( http://store.steampowered.com/twofactor/manage ).
The problem with method two (e-mail) is that if you get a backdoor or keylogger, you're owned - they'd have complete access to your e-mail to change your stuff. They have complete remote access to your e-mail (from your home computer) to bypass any restrictions logging into your e-mail from an unknown/unused IP address that your e-mail provider may have set in place.
With a phone or tablet, it's arguably less likely you'll get a remote access trojan installed since you don't have third party plug-ins like java and flash that are vulnerable to 0day drive-by attacks in browsers (but still vulnerable on Android to malware on play store or third party APK's).
Yeah, I'd definitely buy something like this, then.
It was a pop up on the client itself after I regained access to the account. I might have mistakenly read it in my haste and it may have said an unauthorised attempt but I swear it said authorized as it said if this wasn't me to reset my password and if would unauthorise all devices...
Edit - just checked for the popup on Google and this is the exact type of popup I received but just with a single access from Russia http://i.imgur.com/XQ4rKZb.png
Darth Karja
Member
They should add an option to not let your account be accessed outside of your own country.
Anthony Soprano
Banned
I think it already does this, that's what triggers Steam Guard to send a code (signing in from a different IP address than your typically used one).
The problem with this exploit is you didn't need the code at all.
edit: nevermind, I get what you guys are getting at - logging in from the client thereafter the password reset from an outside the country IP.
You understand what Google 2 step is right? I have a app on my tablet that spits out a number every 30 secs.
And that number is not required to access your email from your computer - which is what will happen if your pc is infected with malware/keylogger/etc.
In other words if your PC is compromised the attacker doesn't need the code since he can use your computer which is already authenticated/authorized.
An external device that isn't connected to the internet is the safest option, though less comfortable since you need to have another physical device.
Ah cheers, in which case you are right. Guess it must wait for a while to inform people or something. Ridiculous exploit
Seriously this.
2 factors is great, but limiting within a certain IP/MAC address and location would mean you will never need to worry about being hacked.
And the only way to change these options would require the account to send you a code to your phone.
But oh well, we will never get to this stage in our lifetime.
Even with all the recent hacks, corporations don't care since there is no federal law yet in protecting your costumer account and the fines are so little that it doesn't hurt the bottom-line.
Because 99% of the people have Steamguard on so it doesn't matter as much. Nobody actually STOLE any passwords or info either. They just reset it for some. It's not really a big hack or anything. Just a stupid oversight from Valve.
Steam Guard is device-based, not IP/location-based.
diggmcbadass
Member
That's more or less how it works today if you use Steam Guard. You need to provide a code if you log in from a machine that hasn't been used before and it will send you an email whenever a device is authenticated or a reset request has been sent.
As long as their system works as it is supposed to, it already does all the things you want. It just requires people to activate Steam Guard and Valve not to fuck anything up on their end. The design itself is sound.
Actually it is, you can choose to save your computer or require it every log in. If someone is going to do some nsa shit to access my account, I'm not really going to be able to stop that anyway.
so far my steam account has never been hacked but theres little there so its not worth the effort. watching the youtube video that seems like a massive oversight.
some Russian managed to get my origin account and when I contacted EA support I was shocked how little info they wanted to verify It was my account. felt like you could just ask customer support for someones account and theyd give it to you.
I wish services like steam and email had location based protection. allow a safe radius around your home location for log in and block every other attempt. for people that travel a lot let them set away dates to temporary disable the feature.
some Russian managed to get my origin account and when I contacted EA support I was shocked how little info they wanted to verify It was my account. felt like you could just ask customer support for someones account and theyd give it to you.
I wish services like steam and email had location based protection. allow a safe radius around your home location for log in and block every other attempt. for people that travel a lot let them set away dates to temporary disable the feature.
ThaiGrocer
Member
I was confused to how my account was taken over yesterday in the middle of the day. It started when I noticed an email with a recovery code.
So it wasn't because somebody had access to my e-mail with two-factor authentication.
It wasn't because somebody had access to my phone or computer that I scanned for any malware or viruses thinking somebody has started keylogging...
What a huge oversight by Valve.
If Gmail isn't reporting any kind of new access locations then they can't have accessed your emails, which suggests a flaw in the Steam Guard email setup.
Wow. So all they would need is your email address?
Terrible oversight from Valve. Unforgivable.
A keylogger with a backdoor isn't "some nsa shit" it's what normal hackers and even script kiddies do.
Edit: "NSA shit" would be hacking your account even though you have an external encryption device that was never conected to the internet - which is what Snowden said that the NSA actually did by cooperating with 3rd party encryption vendors.
That how people treat it because it's valve. If EA/Ubi/MS/Sony had such an "oversight" people would be rioting even if they were assured by EA/Ubi/MS/Sony that no personal information was stolen.
In most hacks only the hash of "password + random data added for security reasons" is stolen. I would say that's even less severe than allowing to reset the password to whatever you like since in both cases the hacker can't see the actual password, except here the hacker can set the password, while in "normal" hacks they can't and have to rely on the hash they got.
Or in other words in this case, even if you reset the password yourself, the hacker could still reset it again and gain access. While if they stole the hash from the server, resetting the password would make their stolen data absolutely useless.
It's not just an "oversight", It's a security bug, and a very stupid one - which only makes it look worse. Think of it this way: if something so easy was hiding in plain sight, for probably around a week or 2, how much confidence do you have in valve that they don't have more complex bugs that can lead to security problems? If valve didn't notice such a stupid bug/oversight, how many non-stupid, average difficulty oversights/bugs slipped passed them?
I don't know about you, but i wouldn't be so calm if I found out that google allowed anyone to reset my email password whenever they felt like it even though i have 2 factor auth.
Shao Kahn Brewing a Stew
Banned
Thread title needs to be renamed to let others know what's up. This is quite insane and a big oversight.
Is Steam fessing up to it? Will they?
Yes precisely. When I said they must have accessed my email, I meant to say that a Steam dialogue told me that my email was compromised.
Luckily my account hasn't been hacked (yet?), but this is fucking stupid. How do they even overlook something this crucial?
More importantly, Valve's management of exploit discovery and fixing is terrible. Most companies offer money as a reward to those that find exploits and send them to the company in question to fix. Meanwhile Valve does nothing. When people challenged them in the past they got banned until outrage from other resulted in a reversal. Now they offer a trivial virtual item to someone that finds an issue. None of this is preventative of making sure exploits are not sold
I think some people in this thread are confused. The hacker was able to change the password and login but then Steam Guard would have stopped them. It was the password change field that was bugged, not Steam Guard. Isn't that the consensus of what happened? Login was successful, but the account wasn't actually able to be accessed. That's why the emails weren't showing up as read.
Reminds me of when several streamers got their GTAV keys stolen on launch lol
Anyway, that's a huge oversight by Valve. Can't believe they missed that and I hope everybody who was affected will get their account back or fixed.
Coreda
Member
They're both bad scenarios
We also have no idea how Valve stores our passwords, it may be a plain hash which could be easily looked up in a rainbow table (knowing the strength of most common passwords).TouchMyBox
Member
Shouldn't be a severe issue so long as the person isn't silly and disabled steam guard, but that's pretty annoying for sure.
Shao Kahn Brewing a Stew
Banned
It's a user's choice to use steam guard or not. This is not even close to being the user's silly fault for not using steam guard. I'm curious as to how many accounts got reset. Will Steam release this figure?
Sometimes people simply don't check. It's why a lot web servers can be "hacked" because things like this aren't what normal people are going to check (though checking for "null" should be a check).
TouchMyBox
Member
There was probably a flaw in the page's logic when it was first written, but it was functionally sound until maybe they changed something in their DB and then suddenly that flaw became a problem with nobody noticing.
It's not your Steam Id, it's your Steam Account Name. Two different things.
Exactly. There's too many variables at play in a "production" server environment for people to check 100% of things. It's a stupid oversight that shouldn't have happened, but I don't blame anyone at Valve (or anywhere else) for this happening. I do "WTF Valve" at it being there, sure. But I can't blame them for something that no one would think of if they thought it was "fixed"/issue wasn't a problem normally.
I mean how many people are going to click "continue" on a blank code field?
legacyzero
Banned
I'm safe. Phew.
I'm not sure... Steam said it had an authorized login from Russia and if this wasn't me to change my password which would deauthorise all devices. Is that a wording mistake or did they actually manage to get past Steam Guard? My email has no signs of being accessed so I don't see how it's possible.
Valve should have tests for this so I'm not sure how you could possibly miss something so basic.
No, it doesn't bypass Steam Guard. It does bypass the regular Steam recovery email code, but they can't do shit if you have Steam Guard enabled.
If you had Steam Guard enabled, this exploit would have only allowed someone to change your password. They wouldn't have been able to log in.
If you didn't have Steam Guard enabled, this probably would have allowed anyone to get access to your account provided they had your account name.
Well we need to figure this out because software and it's use is becoming more prolific, the lack of security is probably one thing that is holding things back. And when deep learning algorithms start to be used for hacking(if they havent already) then the web is going to be destroyed(literally).
Its completely ridiculous and excusing ineptitude to say that there's too many variables or it's too hard. They should not be making software if that is the case. I do blame Valve, I can think of several ways how they could have avoided this and I barely know anything about computers.
I'm surprised some company hasn't come out with software that can check for exploits by now.
This seems like the best explanation of the situation and should probably be added to the OP, since people are confused.
VibratingDonkey
Member
Sooo...has Valve fixed this yet or? Made an official statement? "looks like it's fixed" from some Reddit person isn't too ensuring of a confirmation. How did this happen and how will they prevent dumb amateur hour shit like this in the future? Like, this is quite a massive security failure.
If I understand this right, if you get an unknown password reset request, someone's probably changed your password, making you unable to access your Steam account until you reset your password. Anyone can do this to any account, all you need is a username. If you're targeted and don't have Steam Guard enabled, they have access to your account.
If I understand this right, if you get an unknown password reset request, someone's probably changed your password, making you unable to access your Steam account until you reset your password. Anyone can do this to any account, all you need is a username. If you're targeted and don't have Steam Guard enabled, they have access to your account.
TheLostBigBoss
Banned
There are tons of companies and organizations that do this on commercial products
Dusk Golem
A 21st Century Rockefeller
If they change password resets back from a few days ago and undo a few things, it should be fine, but what an oversight.
I'll be completely honest, I'm surprised no one tried to get to my account. I stream often, have something like 600 Steam friends (including people I don't really know), have a Youtube channel with closer to 30,000 subs, and have almost 3,000 games on my account, plus I have a Steam developer account. But then maybe people did try but the display name I've had for ages on my account isn't the same as my login name. I have Steam Guard enabled anyway and 2-step verification on my email, so whatever though.
I'll be completely honest, I'm surprised no one tried to get to my account. I stream often, have something like 600 Steam friends (including people I don't really know), have a Youtube channel with closer to 30,000 subs, and have almost 3,000 games on my account, plus I have a Steam developer account. But then maybe people did try but the display name I've had for ages on my account isn't the same as my login name. I have Steam Guard enabled anyway and 2-step verification on my email, so whatever though.