Valve takes steps after hackers add malware to Steam games

Valve takes steps after hackers add malware to Steam games

Valve has taken some big steps to add more security to the Steam game updating process, after hackers compromised a number of games by adding malware to them. While fewer than 100 Steam users had the infected games installed at the time the hack took place, Valve has responded quickly and decisively by adding mandatory two-factor authentication as part of the process for updating games.

The two-factor authentication will be required during the process of updating the default branch of a released game, i.e., the type of update which is automatically pushed out to all users with the game installed. As such, all game developers on Steam will be required to have a phone number attached to their account in order to receive the 2FA code. Valve has apologised to those developers who don’t have phones, but have confirmed this is its way of ensuring protection for Steam users. The "extra friction" this change causes is, in Valve’s mind, worthwhile to ensure users are safe, and developers are kept aware of any potential breaches in their security.

Adding new users to Steam partner groups will also require two-factor authentication, and Valve has also mentioned it will be looking to add 2FA to more areas of the Steam backend. So, if you’re a Steam developer and don’t have a phone of your own, it’s definitely time to invest in at least a cheap dumb phone, just to keep your account secure.

The games which were compromised have not been named en masse, but all affected players have been individually informed by email, and with less than 100 players being hit by this, it’s unlikely you’ve been affected by it. One of the games hit by this was the game NanoWar: Cells VS Virus, by Benoît Freslon. Freslon has stated that his security was breached after malware stole his browser access tokens, which gave the hackers temporary access to anywhere he was logged into at the time. Since he’d just used his dev account to release the game a few hours before, they were able to roll out an infected update to users.

Hopefully, requiring 2FA will cut down on these possible attacks in future.