Valve to implement security improvements for Steam dev accounts after attacks that updated games with malware


Some Steam game developers have recently fallen victim to attackers who gained access to their developer accounts and pushed game updates with malware bundled in. Valve appears to have emailed both the developers and the players who could have been affected, telling them whether they launched one of the compromised games and the dates on which the malware update and the build reversion took place.



Some reports mention that fewer than 100 Steam accounts were affected. According to some of the emails sent out to users (which date back to September 2023), the compromised game builds were, in some cases, updated on August 24th, 2023, and then reverted on August 25th, 2023. The game mentioned in the Twitter/X post above has been confirmed to be NanoWar: Cells VS Virus, developed by Benoît Freslon, who had all of his accounts compromised in the attack. At the time of writing, it has yet to be confirmed which other games were affected, and whether the compromised builds were all updated on the dates listed in the email or whether the dates varied case by case.

In response to these attacks, Valve is changing how builds and Steamworks users are managed in order to improve the security of its developers. Steamworks accounts will now need an associated phone number so that an SMS confirmation code can be sent to the mobile device. This is essentially Two-Factor Authentication (2FA), but applied to certain changes instead of to a login, and it will be required both for managing game builds and for adding new users.

Valve's Developer Event post said:
We wanted to give everyone a heads up on some important changes to how builds will be managed in Steamworks, along with adding new users to your Steamworks partner. As part of a security update, any Steamworks account setting builds live on the default/public branch of a released app will need to have a phone number associated with their account, so that Steam can text you a confirmation code before continuing. The same will be true for any Steamworks account that needs to add new users. This change will go live on October 24, 2023, so be sure to add a phone number to your account now. We also plan on adding this requirement for other Steamworks actions in the future.

As mentioned in the excerpt from Valve, the change will take effect on October 24th, 2023, and Valve is considering extending the requirement to other Steamworks actions later down the road. Some Steam developers haven't been too keen on these kinds of changes, but if it means more security for everyone, end-user or developer, it's a necessary change for the better.

Source
Valve's Developer Event Post
 

Noctosphere

So, you can get virus even when you legit buy game, get them from official servers, and all...?
There was a time when it was one of the only few advantages of buying games, to be sure to not get malware.

Hopefully they offer something more secure than SMS eventually, like FIDO or any OTP app. Sim swap attacks aren't really a huge concern for the average person, but a developer with a popular game is probably a juicy target for hackers.
I don't know how this thing worked, but it did. It didn't require wifi or anything afaik. I had one and never configured it.

There was a serial code on the back that I entered in my account, and it was all set. I pressed the button and it gave me a code that I would enter as an OTP.

Vine-gar

It looks like this new SMS code is only used as an extra means of validation and doesn't replace/substitute existing methods or any primary means of verifying someone is legit. SMS is insecure and SIM swapping is a serious vulnerability, but this is probably fine as a security measure. That's probably a result of it being tacked on.

So now Valve developers who don't have a linked phone number have 12 days to add one. I wonder if Valve will feed that data into one of those Facebook-style meta-data webs that find connections and patterns. I wonder if it'll later be used to catch a dev dodging Steam developer bans.
 

Noctosphere

Maybe they should sell some kind of Pagette to those devs?
But instead of delivering a phone number, they can only receive messages from Steam, which will be the OTP.
The Pagette would just have to stay at their workplace, so no real threat of it being copied (except from those who have access to it, which means that if it is indeed copied, it would be easier to track who had access to it).
 

wartutor

This wouldn't be a problem if devs produced games and not steaming piles of shit that constantly need patched to barely keep running. Then they could go back to putting games on physical media and would never need to worry about this crap.
 

RAHelllord

Noctosphere said:
So, you can get virus even when you legit buy game, get them from official servers, and all...?
There was a time when it was one of the only few advantages of buying games, to be sure to not get malware.

I don't know how this thing worked, but it did. It didn't require wifi or anything afaik. I had one and never configured it.

There was a serial code on the back that I entered in my account, and it was all set. I pressed the button and it gave me a code that I would enter as an OTP.

That thing is effectively a hardware-based 2FA Google Authenticator specifically for battle.net accounts; they also offer(ed?) a phone app to do the same for free, but that thing certainly has a draw being something tangible.
Otherwise Google offers an authenticator app directly, but the authenticator project is open source so anyone can make their own, or turn it into a gadget like that.

Deleted member 194275

Steam should verify the files before releasing them, blaming leaked logins is a poor excuse, quality control is required.

(But it's a billionaire corporation, so skipping quality for money is the rule)