An exploit in Steam’s account recovery system made it possible for anyone to take over a Steam account for at least the past five days, Rock, Paper, Shotgun (RPS) reported.
The digital distribution service for video games was offline on 26 July while Valve, which owns Steam, worked on the issue.
RPS said that Valve has been silent about the vulnerability and the downtime, but added that the security hole appears to be fixed.
A Twitch streamer demonstrated the ease with which it was possible to exploit the vulnerability, showing that all a would-be account hijacker had to do was know your username.
There is no indication that changing passwords in this way allowed attackers to bypass Steam Guard, which requires that logins from unrecognised devices be authenticated with a one-time password sent to your e-mail address.
At least one report from a Steam user suggested that attackers may have been able to bypass Steam Guard without hacking an e-mail account.
However, there is some debate about whether the “hackers” were actually able to access their victims’ Steam accounts.
Users with Steam Guard active therefore may not have been vulnerable to the attack, except for being inconvenienced by their passwords being changed.