UPDATED 00:42 EDT / JULY 28 2015

NEWS

Valve closes major security hole in Steam that enabled account takeover

Digital game distribution platform Steam had a serious security hole that let an attacker take over any account, and the attacker needed nothing more than the victim's username to do it. That hole is now closed, according to Valve Corporation, the company that runs Steam.

The hijack exploited the lost-password function. As on most websites, this feature sends an e-mail to the account holder to help reset the password; in Steam's case the e-mail contains a code that must be entered to complete the reset. With the bug in place, however, the attacker did not need that code at all: submitting the reset form with the "enter the code" field left blank was accepted, and the password reset went through anyway. The code was delivered to the legitimate owner's inbox, so the attacker never saw it, but the server never insisted on it either.
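To make the failure concrete, here is an added illustration of the class of bug the article describes: a reset handler that only verifies the recovery code when one was submitted, so a blank field skips the check entirely, shown beside a hardened handler that refuses an empty code, enforces expiry, compares in constant time and burns the code after one use. This is example code written for this article, not Steam's or Valve's code; the article does not say what Steam's actual defect looked like, and the function names, the in-memory store, the 15-minute lifetime and the sample user are all constructed here.

```python
"""Illustrative password-reset handlers (constructed example, not Valve/Steam code)."""
import hmac
import secrets
import time
from typing import Dict, Optional

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime for a recovery code

# Constructed in-memory state: username -> pending reset record, username -> password.
_pending: Dict[str, dict] = {}
_passwords: Dict[str, str] = {"example_user": "old-password"}


def current_password(username: str) -> Optional[str]:
    """Read back the stored password so a caller can see whether a reset took effect."""
    return _passwords.get(username)


def issue_reset_code(username: str, now: Optional[float] = None) -> str:
    """Step one of the flow: generate a one-time code and remember it.

    A real service would e-mail this to the account holder; the attacker in the
    article only needs the username to trigger this step and never sees the code.
    """
    if now is None:
        now = time.time()
    code = secrets.token_hex(8)
    _pending[username] = {"code": code, "expires": now + RESET_TTL_SECONDS}
    return code


def reset_password_vulnerable(username: str, submitted_code: Optional[str],
                              new_password: str) -> bool:
    """Vulnerable handler: the comparison runs only if a code was submitted.

    An empty string or a missing field short-circuits the `and`, so the reset
    proceeds with no verification at all. This is one plausible shape for the
    bug the article describes, not a claim about Steam's real implementation.
    """
    record = _pending.get(username)
    if record is None:
        return False  # nobody requested a reset for this account
    if submitted_code and submitted_code != record["code"]:
        return False  # wrong code, but only checked when a code is present
    _passwords[username] = new_password
    del _pending[username]
    return True


def reset_password_hardened(username: str, submitted_code: Optional[str],
                            new_password: str, now: Optional[float] = None) -> bool:
    """Hardened handler: a blank code can never pass, and codes expire and are single-use."""
    if now is None:
        now = time.time()
    record = _pending.get(username)
    if record is None:
        return False
    if not submitted_code:
        return False  # explicit rejection of empty or missing code
    if now > record["expires"]:
        del _pending[username]  # stale code is discarded, not retried
        return False
    # Constant-time comparison; encode to bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(submitted_code.encode("utf-8"), record["code"].encode("utf-8")):
        return False
    del _pending[username]  # one successful use burns the code
    _passwords[username] = new_password
    return True
```

The first handler is the bug in miniature: the attacker requests a reset for a known username, ignores the e-mail they cannot read, and submits the form blank. The hardened version treats "no code" as a hard failure rather than as "nothing to check", which is the property any reset endpoint should be tested for directly.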

Over the past week a number of Steam users were reportedly hit by this hijack, including some well-known streamers and a DOTA 2 pro.

Steam is a digital video game distribution platform used by millions of people: the service had approximately 75 million registered users in January 2014 and hit 8.3 million concurrent users at the very end of 2014. That is a lot of accounts potentially exposed by this security hole.

In a statement made to Kotaku, a Valve representative said the company learned on July 25 of a bug "that could have impacted the password reset process on a subset of Steam accounts during the period July 21-July 25. The bug has now been fixed."

To those affected, Valve’s statement is as follows:

To protect users, we are resetting passwords on accounts with suspicious password changes during that period or that may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users log in to their account via the Steam client and set a new password.

Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorised logins even if the password was modified.

We apologise for any inconvenience.

This isn't the sort of security failure that reflects well on a company's ability to keep its customers safe from hijacking.

Those affected could have had their entire Steam inventories sold off, as is common when multiplayer game accounts are hijacked. A takeover would also have exposed any sensitive information stored in the account to third parties.

Passwords are not enough

In previous coverage by SiliconANGLE about why security matters to gamers, security industry insider and contributor John Casaretto pointed out that passwords alone are not enough protection: "Passwords are not dead, but they are not enough."

That article also addressed two-factor authentication, a feature Steam has been testing since April. Not all users turn on two-factor authentication and not all services offer it, but with it in place, and assuming the hole Steam opened would not have bypassed that second factor as well, an attacker who reset the password would still have been kept out of the account. Valve's own statement makes the same point for Steam Guard: accounts with it enabled were protected from unauthorised logins even where the password was changed.

This is not the first time Steam has taken a hit. In February 2012 we learned that Steam had been hacked in November 2011 and that the attackers had stolen a backup database. In October 2012, ReVuln disclosed a vulnerability in the Steam client (since fixed).

Photo credit: Photo by Skley
