Skip to main content

Valve upgrades Steam's security after several games are hacked and filled with malware

Platform owner reports "an uptick in sophisticated attacks" on Steam devs

Valve's Steam logo
Image credit: Valve

Valve are introducing text message verification for game developers using Steamworks, following what the platform-holders describe as a limited incident which saw hackers taking over several Steamworks accounts and adding malware to their games. Reportedly, fewer than 100 Steam players have been affected by the malware – I hope you’re not among them.

It’s not clear which and how many projects have been affected by the hacks, but the incident appears to date back to late August, and victims include NanoWar: Cells VS Virus developer Benoît Freslon, who told GameDiscoverCo’s Simon Carless on Xitter that all of his accounts were hacked using a token grabber. (Freslon mournfully added that "ironically, in my game, players fight viruses".)

Valve are purging the builds affected, and are beefing up Steam's security mechanisms. A company representative has told PCGamer that there has been "an uptick in sophisticated attacks" against Steam devs, and that "extra friction" for partners is a "necessary tradeoff for keeping Steam users safe and developers aware of any potential compromise to their account."

Valve have outlined their security changes in a post on Steam. "As part of a security update, any Steamworks account setting builds live on the default/public branch of a released app will need to have a phone number associated with their account, so that Steam can text you a confirmation code before continuing," it reads.

"The same will be true for any Steamworks account that needs to add new users," it continues. "This change will go live on October 24, 2023, so be sure to add a phone number to your account now. We also plan on adding this requirement for other Steamworks actions in the future."

Developers will need a text message confirmation code whenever they update a build in the default branch of a Steam app, but they won’t need a code to update a beta branch or an app that hasn’t been released. Steamworks partner group admins will also need a text message code in order to invite a new user to the group.

There's a Q&A with some additional specifics in the full post. I feel bad for Freslon, so let me end by linking to his free mobile puzzle game Enigmbox, which you can play on Android and iOS.

Read this next