Steam reports that last week, a major security bug in its software allowed the hijacking of many of its users' accounts by using the Steam client's lost password feature.
The bug allowed hackers access to accounts by a very simple means: all they needed was a person's username to reset the password on that account through the Steam client, without the process ever requiring any verification or even an email address. Hijackers changed multiple passwords on multiple accounts, giving them access to many of Steam's users' accounts.
Steam discovered the bug after users began complaining about being locked out of their accounts, while hijackers all over the world had access to and used those accounts.
This particular bug seems like a major oversight for a company whose only previous hacking issue stemmed from an external security issue back in November, 2014. That situation resulted in compromised credit card and personal information, as well as the hacking of its website forums. Steam, however, fixed the issue quickly and communicated its dedication to security.
"To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected," wrote the company to Kotaku. "Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password."
Valve apologized for the inconvenience to its users, but also mentioned that those users with Steam Guard had protection against any unauthorized login to the site. Steam Guard is available as a free service to Steam users and alerts the user if someone tries to sign into Steam as them from an unauthorized computer.
Earlier this year, Valve took steps to protect its users from phishing and scams. Now, however, this latest bug seems like a huge oversight, as anyone who knew a person's username could hijack that person's account. The company is also now testing a two-factor authentication system.
Last month, Steam passed the 10 million concurrent users mark. The service's popularity puts a target on its back for would-be hackers and hijackers.