Valve is bolstering the security on Steam after hackers compromised developer accounts and added malware to games.
Less than 100 gamers were affected by this breach. Valve told PC Gamer that there has been an increase in attacks targeting Steam developer accounts. To counter such threats, Valve is adding SMS-based two-factor authentication (2FA) to developer accounts starting October 24, 2023.
Malware in Game Updates
The hackers reportedly gained unauthorized access to multiple developer accounts and slipped malware into game updates. Alarmingly, the corrupted versions of the games were sent out to players. Valve was quick to notify the affected users about the risk via email.
In a tweet on Thursday, game developer Simon Carless shared a screenshot of an email Stream sent to developers in Sept. 2023. In the email, Steam informs them about the security incident and warns that their accounts may be infected with malware.
“The build containing the suspected malware was promptly reverted and purged from Steam, but we strongly encourage you to run a full-system scan using an anti-virus product that you trust or use regularly, and inspect your system for unexpected or newly installed software,” the email said.
“You may also consider fully reformatting your operating system to ensure that no malicious software remains on your machine.”
Benoît Freslon, the developer of “NanoWar: Cells VS Virus,” was among the affected parties. In a tweet on Wednesday, he said all his accounts were compromised.
“ALL my accounts were hacked by a Token Grabber Malware. Unfortunately, the 2FA is useless if the token is still active. I just used my dev account to release the game a few hours before the hack I suppose,” Freslon wrote.
2FA Defense
In light of this incident, Valve requires all developers to register a phone number to receive an SMS code for 2FA authentication. Developers will need to provide 2FA codes to release new builds of their games or add new users to their developer accounts.
“The change will go live on October 24, 2023, so be sure to add a phone number to your account now,” Valve said in a post. “We also plan on adding this requirement for other Steamworks actions in the future.”
Token grabbers — like the Blitzed Grabber used to target Discord users last year — can jeopardize game updates and a user’s online services, from emails to bank accounts, leading to data theft and subsequent attacks. Unfortunately, traditional defenses, like two-factor authentication, might fail against token misuse.
For more gaming news, follow us on X (Twitter), Threads, and Mastodon!
