Steam Bug Allowed Password Resets Without Confirmation

An anonymous reader writes: Valve has fixed a bug in their account authentication system that allowed attackers to easily reset the password to a Steam account. When a Steam user forgets a password, he goes to an account recovery page and asks for a reset. The page then sends a short code to the email address registered with the account. The problem was that Steam wasn't actually checking the codes sent via email. Attackers could simply request a reset and then submit a blank field when prompted for the code. Valve says the bug was active from July 21-25. A number of accounts were compromised, including some prominent streamers and Dota 2 pros. Valve issued password resets to those accounts with "suspicious" changes over the past several days.

That's funny

That's pretty funny considering the NIGHTMARE I went through getting my steam account reset as the email account I used to register (DOH!) was a previous work email that is no longer active, so sending me an email asking if I want to change my email is pointless. And now I find out that if I had have waited, it wasn't even verifying the code?

FFS