Escape from Tarkov Accounts Wiped en Masse via Steam Linking Exploit

The CyberSec Guru


EDITOR’S NOTE: This situation is developing rapidly. If you are reading this, DO NOT attempt to log into the Escape from Tarkov website or link your Steam account until BattleState Games issues an official “All Clear.” The exploit described below allows attackers to bypass Two-Factor Authentication (2FA) and passwords.

THE BREACH: AN UNPRECEDENTED CATASTROPHE

In what is shaping up to be the most catastrophic security failure in the history of Escape from Tarkov (EFT), a critical vulnerability involving the game’s Steam account linking integration has left tens of thousands of accounts exposed. Reports are flooding in from Reddit, Twitter (X), and Discord confirming that hackers are using this exploit to gain unrestricted access to player profiles—bypassing email verification, Google Authenticator, and complex passwords entirely.

Unlike typical phishing scams where a user must make a mistake, this is a zero-click style vulnerability on the user’s end if they have previously linked their Steam account. The attackers are using this access not just to steal loot, but to maliciously reset accounts to Level 1, effectively deleting thousands of hours of progress instantly.

Escape From Tarkov Player Accounts Reset

The Core Issue: “Null” Verification

Preliminary technical analysis from the community and security researchers suggests the flaw lies in BattleState Games’ (BSG) implementation of the Steam OpenID login protocol.

When a user links their Steam account to their Tarkov profile, the BSG website seemingly relies on the SteamID returned during the handshake to authenticate the session. The vulnerability appears to be a lack of server-side validation. Attackers are reportedly intercepting the login packet and modifying the SteamID parameter to match a target’s ID.

Because the BSG backend “trusts” the modified packet without verifying that the person sending it actually owns the Steam account in question, the system logs the attacker straight into the victim’s dashboard.

Why 2FA Fails: This is the most terrifying aspect. Because the system believes the user is logging in via a “trusted” partner method (Steam), it bypasses the standard BSG login screen where 2FA is usually prompted. The “door” provided by the Steam link integration has no lock on it.

VICTIM REPORTS: STREAMERS AND VETERANS WIPED

The attack is not random. High-profile targets and veteran players are being specifically hunted, likely using public databases that link Tarkov usernames to Steam profiles.

BAXBEAST and The “Level 53” Wipe

Prominent streamer and community figure BAXBEAST reported losing a Level 53 account. This was not a fresh account; it was an account on the brink of Prestige 5, holding the “For Humanity” achievement. In a heartbreaking post on X, he confirmed that despite having double-log verification enabled, his account was accessed and wiped to zero.

The Reddit Megathreads

The Escape from Tarkov subreddit is currently in meltdown mode. A thread titled “Unlink your steam from your account, proven to be how accounts are breached” has garnered thousands of upvotes and comments. Users are reporting:

  • “Error 0”: Many players cannot even log in to check their status, as BSG appears to have panicked and nuked the backend access to mitigate the spread.
  • Profile Picture Changes: Before wiping the account, hackers are often changing profile pictures to mock the victims.
  • Stolen Items: While wiping is the primary griefing method, some accounts are being stripped of Red Keycards, ledgers, and high-tier loot before the reset.

THE TECHNICAL BREAKDOWN: HOW IT WORKS

(Disclaimer: We are providing a high-level overview for educational and defensive purposes only. Do not attempt to replicate this.)

The exploit centers on the API Endpoint used for social logins.

  1. The Request: When you click “Login with Steam” on the BSG site, a request is sent to Valve.
  2. The Token: Valve returns a confirmation that User X is logged in.
  3. The Flaw: The BSG website takes the result of that confirmation (the SteamID) and logs the user into the associated Tarkov account.
  4. The Attack: A malicious actor sends a forged request to the BSG endpoint saying, “Hey, I am SteamID [Target’s ID], and I have successfully authenticated.”
  5. The Failure: The BSG server does not double-check the cryptographic signature or the session token validity with Valve. It simply accepts the ID and grants full administrative access to the web profile.

From the web profile, the attacker has access to the “Reset Game Profile” button, a feature intended for players who want to start the wipe over. Attackers are pressing this button, instantly erasing progress.
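The server-side check that step 5 says was skipped can be sketched as follows. This is an added example, not BattleState Games' code or anything from the original post: it validates a Steam OpenID 2.0 callback by asking Valve to confirm the assertion (`check_authentication`) before any SteamID is trusted. The function names, the callback URL and the in-memory nonce set are assumptions made for illustration.

```python
import re
from urllib.parse import urlencode
from urllib.request import urlopen

STEAM_OP = "https://steamcommunity.com/openid/login"
CLAIMED_ID = re.compile(r"https://steamcommunity\.com/openid/id/(\d{17})")
MUST_BE_SIGNED = {"op_endpoint", "claimed_id", "identity", "return_to", "response_nonce"}

def ask_valve(params):
    """Direct verification: POST the assertion back to Valve (network call)."""
    body = dict(params, **{"openid.mode": "check_authentication"})
    with urlopen(STEAM_OP, urlencode(body).encode(), timeout=10) as resp:
        return "is_valid:true" in resp.read().decode().splitlines()

def verified_steam_id(params, expected_return_to, seen_nonces, check=ask_valve):
    """Return the SteamID64 only if the assertion is proven genuine, else None."""
    claimed = params.get("openid.claimed_id", "")
    match = CLAIMED_ID.fullmatch(claimed)
    nonce = params.get("openid.response_nonce", "")
    signed = set(params.get("openid.signed", "").split(","))
    if (params.get("openid.mode") != "id_res"
            or params.get("openid.op_endpoint") != STEAM_OP
            or params.get("openid.return_to") != expected_return_to
            or not match or params.get("openid.identity") != claimed
            or not MUST_BE_SIGNED <= signed
            or not nonce or nonce in seen_nonces):
        return None
    if not check(params):       # Valve must vouch for these exact values
        return None
    seen_nonces.add(nonce)      # one assertion, one login: replays are refused
    return match.group(1)       # the ID comes from the verified data, nothing else

def demo():
    """Constructed sample data; `valve` is a stand-in that vouches for one assertion."""
    rt = "https://game.example/auth/steam/callback"   # hypothetical callback URL
    cid = "https://steamcommunity.com/openid/id/76561190000000001"
    other = cid[:-1] + "2"                            # a different account's ID
    genuine = {
        "openid.mode": "id_res", "openid.op_endpoint": STEAM_OP,
        "openid.claimed_id": cid, "openid.identity": cid, "openid.return_to": rt,
        "openid.response_nonce": "2025-01-01T00:00:00Zconstructed",
        "openid.signed": "signed,op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
        "openid.assoc_handle": "constructed", "openid.sig": "constructed",
    }
    altered = dict(genuine, **{"openid.claimed_id": other, "openid.identity": other})
    valve = lambda p: p == genuine
    nonces = set()
    return [verified_steam_id(p, rt, nonces, valve) for p in (altered, genuine, genuine)]
```

In `demo()` the altered assertion is rejected because the verifier does not vouch for it, the genuine one yields its SteamID once, and the replay of the same nonce is refused.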

BATTLESTATE GAMES’ RESPONSE: “ERROR 0”

EFT Error 0

As of the time of writing, BattleState Games has not issued a comprehensive public post detailing the fix, but their actions speak volumes.

The “Nuclear” Option: Players attempting to access their profile on escapefromtarkov.com are currently being met with Error 0 or timeouts. It appears BSG has completely disabled the web server’s ability to process login requests or access profile management pages. This is a containment measure to stop the bleeding.

Nikita’s Comment: Nikita Buyanov, COO of BattleState Games, replied to concerned streamers on X, stating that they are “aware” and “investigating.” However, for many, this response is too little, too late.

IMMEDIATE DEFENSE STRATEGY

If you are reading this and are worried about your account, follow these steps strictly.

DO NOT Log In to BSG Escape From Tarkov

Do not attempt to check your profile on the official website. Logging in might refresh session tokens or expose your account status to scrapers monitoring the API.

If the website comes back online, your #1 Priority is to remove the Steam association.

  • Go to Profile Settings.
  • Look for “Linked Accounts” or “Social Networks”.
  • Click UNLINK next to Steam.
  • Note: If the site is down, you cannot do this. You must wait.

Check Your Email for “New Login” Alerts

Even though the exploit bypasses 2FA, some users reported receiving weird email notifications about profile changes. If you see one, assume you are compromised.

Disconnect Payment Methods

If you have a credit card or PayPal saved for merchandise or expansion purchases on the BSG site, remove them immediately if possible, or lock your cards via your bank app. While there is no confirmation of financial theft yet, an administrative bypass could theoretically expose billing details.

Searches for "Account Hacked" Increased

THE FALLOUT: WILL THERE BE A ROLLBACK?

The community’s biggest question is: Can this be fixed?

The Rollback Problem: Tarkov’s database structure is notoriously complex. “Rolling back” the entire server to a state before the attacks began (e.g., December 24th) would mean legitimate players lose millions of XP and loot earned over the holidays. However, not rolling back leaves thousands of victims with nothing.

The Likely Solution: BSG will likely attempt to identify specific accounts that executed a “Reset Profile” command during the exploit window and manually reverse those specific actions. However, given BSG’s history with customer support volume, this process could take weeks.

Compensation? In previous server outages, BSG has granted 1 million Roubles or Labs cards as an apology. For a player who lost a Level 53 Kappa-container account, 1 million Roubles is an insult. The community is demanding a full restoration of stats.

COMMUNITY OUTRAGE AND “SPAGHETTI CODE”

This incident has reignited the long-standing criticism of Tarkov’s codebase. The term “spaghetti code” is trending on the subreddit.

“It actually baffles me how the same team could cook up the best weapon modding system in FPS history and a steam integration that lets people into accounts with just a steam ID,” wrote one user on Reddit.

Security analysts point out that this is an OWASP Top 10 vulnerability (Broken Access Control). It is a fundamental error in web development to trust client-side input for authentication without server-side verification.

WHAT’S NEXT?

We are monitoring the situation hour by hour.

  • Do not buy account recovery services. Scammers are already circling, claiming they can “restore” your wiped account for a fee. They cannot. Only BSG can.
  • Watch the Official Twitter. @tarkov and @logisicalsolutions are the best sources for real-time updates.

Status: RED ALERT.

Recommendation: STAY OFFLINE. DO NOT LINK STEAM.
