"Please note that while an account password was potentially modified during this period the password itself was not revealed. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password. Relevant users will receive an email with a new password. "To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected. However, Valve did at least speak to Kotaku about it yesterday, saying that they learned about the hole on Saturday, July 25th and that it had been exploited since last Tuesday, July 21st. Folks who lost their accounts were left digging around forums and subreddits and sites trying to find out what was going on. Valve being Valve, they've fixed this but not announced anything about it. Here's someone demonstrating how simple the exploit was: If you knew an account's name, you could take over it without access to the owner's e-mail or anything. They'd then have access to the account, and could change the password to something new. By saying they'd forgotten the password, they could select the option to send a recovery code to the account's registered e-mail address - but then skip that step by entering nothing where the code should go. The exploit had let folks take over accounts whose username they knew by abusing the password recovery feature. Valve have closed the hole, but Steam's website - including the Store - is down now and I have no idea whether that's connected, because they aren't announcing anything about this. Say, if for five days a security hole had let ne'er-do-wells easily take over people's accounts. They should shout and yell and scream and let everyone know what's going on. At times, though, they really should break the silence. Mercy knows if I received ten thousand e-mails and tweets about Half-Life 3 every day, I'd dedicate my life to obliterating the written word. Valve are a taciturn company, which is fair enough.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |