A gaping hole that allowed attackers to hijack Steam accounts has been discovered, was exploited last week, and was finally closed by Valve Corp. this weekend.
The attackers didn't need any technical skills whatsoever: they just had to know the target's account username and enter it in the password reset form. After they chose the "Email an account recovery code to email@address.com" option, Steam would send a recovery code to the user's email.
Unfortunately for the targeted users, attackers discovered that they did not actually have to enter any recovery code in order to proceed and finish the password reset procedure by choosing a new password.
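
The following is an added example, not Valve's code: the article does not say how Steam's check was implemented, so `verify_flawed` shows one hypothetical way an empty submission can slip past a recovery-code check, next to a `verify_hardened` version that fails closed. The class, method names, code format and the TTL and attempt limits are all assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL = 900     # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5   # wrong guesses allowed per code (assumed value)

class ResetCodes:
    def __init__(self):
        self._pending = {}  # username -> [code, expires_at, attempts_left]

    def issue(self, username, now=None):
        """Create a fresh code; a real service would e-mail it to the owner."""
        now = time.time() if now is None else now
        code = secrets.token_hex(4).upper()
        self._pending[username] = [code, now + CODE_TTL, MAX_ATTEMPTS]
        return code

    def verify_flawed(self, username, submitted):
        """Hypothetical flaw: the comparison only runs when a code was supplied."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if submitted and submitted != entry[0]:
            return False
        return True  # an empty submission falls through to here

    def verify_hardened(self, username, submitted, now=None):
        """Fail closed: missing, expired, wrong or reused codes are all rejected."""
        now = time.time() if now is None else now
        entry = self._pending.get(username)
        if entry is None or not isinstance(submitted, str) or not submitted:
            return False
        code, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            del self._pending[username]
            return False
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(submitted.encode(), code.encode()):
            entry[2] -= 1
            return False
        del self._pending[username]  # single use: a code cannot be replayed
        return True
```

A regression test for this class of bug should submit an empty and a missing code for a pending reset and assert that the password-change step is refused.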