The hack allowed anybody to access any account with a security loophole in the “lost password” process. Thankfully, Valve has stated the bug has now been fixed.
Multiple Steam accounts are thought to have been hijaked with a bizarre security glitch last week, which saw private user information left vulnerable. The Steam Store and website were briefly unavailable this morning, but it’s unclear whether this is a result of the hack, and Valve’s attempt to fix it.
The hack allowed anybody with a customer’s username to request a new password from any email address with the “lost password” security check; in theory, anybody with a username could change a password and access data from any account. It’s unclear how many accounts may have been affected, but the hack is thought to have lasted from 21st to the 25th of July. Valve are currently checking any accounts with suspicious password changes made in that time.
A statement from Valve to Kotaku reads:
Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorized logins even if the password was modified.
There’s probably no need to panic, but it is worth checking your Steam account yourself just to be on the safe side.