The Steam accounts of multiple game developers were recently compromised and used to update their games with malware. Fewer than 100 Steam users had the games installed when the malware was added, and they’ve been directly notified of the risk by email, according to Valve. The company confirmed details of the story, reported earlier this week by GameDiscoverCo newsletter founder Simon Carless, in an email to PC Gamer today.
Although this attempt to use Steam to distribute malware wasn’t very effective, Valve has taken a major step to prevent it from happening again. Starting October 24, game developers will be required to pass a two-factor authentication check before updating the default branch of a released game—the version that Steam delivers automatically to most players who have it installed.
An SMS text message will be the only way to receive the two-factor code, so Steam partners must register a mobile phone number to be used any time they want to update their game’s main release version. To developers who don’t have a phone, Valve’s post about the change says “sorry,” but they’ll “need a phone or some way to get text messages” if they want to continue updating their games.
Valve tells PC Gamer that this “extra friction” for partners is a “necessary tradeoff for keeping Steam users safe and developers aware of any potential compromise to their account.” This recent incident hasn’t been the only attempt to gain illegitimate access to Steam partner accounts: Valve says it has seen “an uptick in sophisticated attacks” targeting the accounts of devs who release games on Steam.
Steam partners will also need to use SMS verification to add new users to their group, and Valve says that it plans to add the two-factor security check to other Steam backend actions in the future.
One of the games temporarily compromised was NanoWar: Cells VS Virus, whose developer, Benoît Freslon, said on X that he was himself the victim of malware which stole his browser access tokens, giving the attackers temporary access to any web service he was logged into at the time. “I just used my dev account to release the game few hours before the hack I suppose,” he said.