Valve's PC gaming platform Steam recently encountered security issues concerning a password reset mechanic that led to numerous accounts becoming vulnerable.
The security issue involving the password reset mechanic was reportedly serious enough that anyone's account was basically open to being hacked. The security problem apparently sprang up from unauthorized users being able to request a password being reset from a specific account. From there, the unauthorized user could change the password to make it his/her own, and all of this could be done without so much as having actual access to the email address used to create the now compromised Steam account.
According to Extreme Tech, the reason that malicious users were able to execute the password breaches was that Steam did not actually bother to check whether the reset codes being used were valid. Unauthorized users could simply get around the issue of not having the reset codes by not inputting any information during the process of authentication. Even without the code, Steam would allow anyone to continue with resetting the password.
The password breach was easy enough to pull off that even some of the more well known accounts on Steam were still broken into, according to Polygon.
Fortunately, there were still some safeguards in place that prevented the password breaches from being as damaging as they truly could have been. Thanks to the multi-layered authentication system known as Steam Guard, even those who managed to change the passwords still could not get access to the account with the email address.
Steam also blocks accounts from trading any items within a five day period right after a password is changed, meaning no accounts were truly robbed during the breach.
Despite the damage being not as bad as initially thought, Steam has still ramped up their security measures. Steam is now forcing password resets on accounts they deem to have showcased suspicious activity, in an effort to prevent any other breaches from taking place.
