Essentially, anyone who had an account on the developer portal would be able to access the game activation keys for any other game Steam hosted, and sell or distribute them for pirates to use to play games from Steam. Fetching from the /partnercdkeys/assignkeys/ API with a zero key count returned a huge bunch of activation keys. "To exploit the vulnerability, it was necessary to make only one request," Moskowsky told El Reg. "I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys." How severe was the flaw? Moskowski says that, in one case, he entered a random string into the request, to pick a title at random, and in return he got 36,000 activation keys for Portal 2, a game that still retails for $9.99 in the Steam store.