Valve adds new security check after attackers compromise Steam accounts of multiple game devs and update their games with malware

News
By Tyler Wilde
published

Fewer than 100 Steam users had the games installed, but Valve is adding a new SMS verification step for all developers to try to prevent it from happening again.

Valve logo with a man with a steam valve for an eye.
(Image credit: Valve)

The Steam accounts of multiple game developers were recently compromised and used to update their games with malware. Fewer than 100 Steam users had the games installed when the malware was added, and they've been directly notified of the risk by email, according to Valve. The company confirmed details of the story, reported earlier this week by GameDiscoverCo newsletter founder Simon Carless, in an email to PC Gamer today.

Although this attempt to use Steam to distribute malware wasn't very effective, Valve has taken a major step to prevent it from happening again. Starting October 24, game developers will be required to pass a two-factor authentication check before updating the default branch of a released game—the version that Steam will automatically deliver in an automatic update to most players who have it installed.

An SMS text message will be the only way to receive the two-factor code, so Steam partners must register a mobile phone number to be used any time they want to update their game's main release version. To developers who don't have a phone, Valve's post about the change says "sorry," but they'll "need a phone or some way to get text messages" if they want to continue updating their games.

Valve tells PC Gamer that this "extra friction" for partners is a "necessary tradeoff for keeping Steam users safe and developers aware of any potential compromise to their account." This recent incident hasn't been the only attempt to gain illegitimate access to Steam partner accounts: Valve says it has seen "an uptick in sophisticated attacks" targeting the accounts of devs who release games on Steam.

Steam partners will also need to use SMS verification to add new users to their group, and Valve says that it plans to add the two-factor security check to other Steam backend actions in the future.

One of the games temporarily compromised was NanoWar: Cells VS Virus, whose developer, Benoît Freslon, said on X that he was himself the victim of malware which stole his browser access tokens, giving the attackers temporary access to any web service he was logged into at the time. "I just used my dev account to release the game few hours before the hack I suppose," he said.

Tyler Wilde
Tyler Wilde
Executive Editor

Tyler grew up in Silicon Valley during the '80s and '90s, playing games like Zork and Arkanoid on early PCs. He was later captivated by Myst, SimCity, Civilization, Command & Conquer, all the shooters they call "boomer shooters" now, and PS1 classic Bushido Blade (that's right: he had Bleem!). Tyler joined PC Gamer in 2011, and today he's focused on the site's news coverage. His hobbies include amateur boxing and adding to his 1,200-plus hours in Rocket League.

See comments