Steam "Bug" Made Stealing Passwords Stupid Easy

It’s a fairly well-known fact that Gabe Newell, founder of Valve and god of Steam, started his career in computers working for Microsoft. Later, he used that experience and talent to found Steam, the worlds biggest digital distributor for games, and chronically disappoint gamers who are waiting for him to count to three. You’d think that a man with that kind of background would be over qualified to deal with something as mundane as security, and yet, it was recently discovered that there was a “bug” in Steam that allowed “hackers” to steal people’s account information insanely easily.

Whenever someone wants to change the password on their online accounts for any reason, there’s a pretty standard step of universal barriers we generally have to get through before that can happen. Normally—and Steam was among the services who did this—you put in your account information, and then an email is sent to you with a code you input into your account, which then allows you to change your password.

Steam had the unique problem where that whole “verification” part was entirely optional. They sent you a code, sure, but if you just hit “accept” without putting it in, you’d get to change the password anyway. Which meant anyone, using only your username, could change your password and access private information.

Whoops.

To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.

Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorized logins even if the password was modified.

We apologize for any inconvenience.

It was discovered on the 25th, so if you haven’t gotten any emails or have been able to get onto Steam no problem, you’re probably not one of the people affected. But if you did, well… better hurry with those password changes, kids.

This is a pretty baffling “bug” Steam found itself with. I wonder how long it’s been going on, and I wonder who, exactly figured out it was a thing. Hopefully there wasn’t too much damage caused by this, but… this is the internet, who are we kidding?  There's probably a Mexican Drug Lord ruining your ranked score in DOTA 2 right now.