Valve to implement security improvements for Steam devs accounts after attacks of games updated with malware

Untitled.jpg

Some Steam game developers have fallen victim to hackers recently, as the attackers gained access to developer accounts and updated games with malware bundled into them. It seems that both game developers and players alike that could have been affected by this attack were contacted directly through an email by Valve, letting them know if they launched one of the compromised games and when the dates of the malware update and build reversions took place:



Some reports mention that less than 100 Steam accounts were affected, and according to some of the emails sent out to the users (which date back to Septermber, 2023), the compromised game builds (for some cases) were updated on August 24th, 2023, and then reverted back on August 25th, 2023. The game mentioned in the Twitter/X post above has been confirmed to be NanoWar: Cells VS Virus developed by Benoît Freslon, who had all of his accounts compromised due to the attack, but at the time of writing, it is yet to be confirmed which other games specifically have been affected by this malware attack, and if the compromised builds were all updated on the same dates listed in the mail or if it was a case-per-case basis for the malware-infected game builds.

As a response to these hacks, Valve has started to take action, and to counter these malware attacks, and improve the security of their developers, Steam will be implementing new changes to manage builds and Steamworks users, in which they are now requiring the Steamworks accounts to have a phone number associated with their account to get an SMS confirmation through the mobile device; basically Two-Factor Authentication/2FA but for certain changes instead of a login, and this will be effective for both managing builds of games as well as adding new users too.

Valve's Developer Event post said:
We wanted to give everyone a heads up on some important changes to how builds will be managed in Steamworks, along with adding new users to your Steamworks partner. As part of a security update, any Steamworks account setting builds live on the default/public branch of a released app will need to have a phone number associated with their account, so that Steam can text you a confirmation code before continuing. The same will be true for any Steamworks account that needs to add new users. This change will go live on October 24, 2023, so be sure to add a phone number to your account now. We also plan on adding this requirement for other Steamworks actions in the future.

As mentioned in the excerpt from Valve, the change will take effect on October 24th, 2023, and Valve is considering implementing said changes for other Steamworks actions later down the road. Some Steam developers haven't been to keen to these kind of changes, but if it means more security for everyone, end-user or developer, it's a necessary change for the better.

:arrow: Source
:arrow: Valve's Developer Event Post
 

diggeloid

Alex
Member
Joined
Apr 29, 2019
Messages
488
Trophies
2
Age
35
Location
gbatemp.net
XP
2,748
Country
United States
Hopefully they offer something more secure than SMS eventually, like FIDO or any OTP app. Sim swap attacks aren't really a huge concern for the average person, but a developer with a popular game is probably a juicy target for hackers.
 

Noctosphere

Nova's Guardian
Member
Joined
Dec 30, 2013
Messages
7,148
Trophies
5
Age
31
Location
Biblically accurate Hell
XP
23,027
Country
Canada
So, you can get virus even when you legit buy game, get them from official servers, and all...?
There was a time when it was one of the only few advantages of buying games, to be sure to not get malware.
Post automatically merged:

Hopefully they offer something more secure than SMS eventually, like FIDO or any OTP app. Sim swap attacks aren't really a huge concern for the average person, but a developer with a popular game is probably a juicy target for hackers.
i dont know how this thing worked, but it did. It didn't require wifi or anything afaik. I had one and never configurated it.
1697125082897.png


There was a serial code on the back that I entered in my account, and it was all set. I pressed the button and it gave me a code that i would enter as a OTP.
 
  • Like
Reactions: orangy57

Vine-gar

Active Member
Newcomer
Joined
Feb 1, 2020
Messages
33
Trophies
0
XP
125
Country
United States
It looks like this new SMS code is only used as an extra means of validation and doesn't replace/substitute existing methods or any primary means of verifying someone is legit. SMS is insecure and SIM swapping is a serious vulnerability, but this is probably fine as a security measure. That's probably a result of it being tacked on.

So now Valve developers who don't have a linked phone number have 12 days to add one. I wonder if Valve will feed that data into one of those Facebook-style meta-data webs that find connections and patterns. I wonder if it'll later be used to catch a dev dodging Steam developer bans.
 

Noctosphere

Nova's Guardian
Member
Joined
Dec 30, 2013
Messages
7,148
Trophies
5
Age
31
Location
Biblically accurate Hell
XP
23,027
Country
Canada
Maybe they should sell somekind of Pagette to those dev?
But instead of delievering a phone number, they can only receive messages from steam, which will be the OTP.
The Pagette would just have to stay at their workplace, so no real threat of it being copied (except from those who have acces to it, which means that if it is indeed copied, it would be easier to track who had acces to it).
 

wartutor

Well-Known Member
Member
Joined
Dec 25, 2012
Messages
803
Trophies
2
Age
46
XP
2,698
Country
United States
This wouldnt be a problem if dev's produced games and not steaming piles of shit that constantly need patched to barely keep running. Then they could go back to putting games on physical media and would never need to worry about this crap.
 

Xzi

BUSTAH WOLF!!!
Member
Joined
Dec 26, 2013
Messages
18,848
Trophies
3
Location
The Lands Between
Website
gbatemp.net
XP
11,425
Country
United States
so much for steams almighty steel tight security
It's not Steam's fault if a developer gets their login info compromised. Good that they're doing this to protect careless developers from themselves, though.
 

RAHelllord

Literally the wurst.
Member
Joined
Jul 1, 2018
Messages
904
Trophies
1
XP
3,458
Country
Germany
So, you can get virus even when you legit buy game, get them from official servers, and all...?
There was a time when it was one of the only few advantages of buying games, to be sure to not get malware.
Post automatically merged:


i dont know how this thing worked, but it did. It didn't require wifi or anything afaik. I had one and never configurated it. View attachment 398840

There was a serial code on the back that I entered in my account, and it was all set. I pressed the button and it gave me a code that i would enter as a OTP.
That thing is effectively a hardware based 2FA google authenticator specifically for battle.net accounts, they also offer(ed?) a phone app to do the same for free, but that thing certainly has a draw being something tangible.
Otherwise google offers an authenticator app directly, but authenticator project is open source so anyone can make their own, or turn it into a gadget like that.
 
  • Like
Reactions: Ryccardo

Deleted member 194275

Edson Arantes do Nascimento
Member
Joined
Aug 19, 2009
Messages
2,685
Trophies
2
XP
4,351
Steam should verify the files before releasing them, blaming leaked logins is a poor excuse, quality control is required.

(But it's a billionaire corporation, so skipping quality for money is the rule)
 

Site & Scene News

Popular threads in this forum

General chit-chat
Help Users
  • Sicklyboy @ Sicklyboy:
    man I'm hungry. Gonna have more of that leftover chili mac ;)
    +1
  • K3Nv3 @ K3Nv3:
    Making skillet porkchops
    +2
  • K3Nv3 @ K3Nv3:
    Life is just like fry everything like a steak yolo
  • Sicklyboy @ Sicklyboy:
    I slipped and fell on ice in the parking lot at my apartment complex a little while back, managed to fall onto my knee and catch myself in a pose like a Spartan doing armor lock in Halo Reach lmao
  • K3Nv3 @ K3Nv3:
    Rip grandkids
  • BigOnYa @ BigOnYa:
    I'm making... a phone call to wifey, "Get dinner!"
    +1
  • BigOnYa @ BigOnYa:
    Was gonna cook but now caught up in this avowed game n don't feel like it.
  • K3Nv3 @ K3Nv3:
    Anything can be a steak
    20250218-173042.jpg
    +1
  • Sicklyboy @ Sicklyboy:
    wishlisting until it's like $30, wtf is this $70 bullshit 😭
    +1
  • Sicklyboy @ Sicklyboy:
    idfk if my pc can even run it anyway my pc is fuckin struggling these days
  • Sicklyboy @ Sicklyboy:
    2080 Super has less oomph these days than I would've expected it to
  • K3Nv3 @ K3Nv3:
    Lol SteamDeck can even run Pokémon yellow pleb
  • BigOnYa @ BigOnYa:
    Its on gamepass. Just came today. Is pretty good, I likey.
  • K3Nv3 @ K3Nv3:
    Owning eggs is like owning a 5090
  • Sicklyboy @ Sicklyboy:
    I have a half dozen eggs left from before the bird flu shit really kicked off and jacked up the prices. $500, no lowballs, I know what I got
    +1
  • K3Nv3 @ K3Nv3:
    499
  • Sicklyboy @ Sicklyboy:
    no lowballs I know what I got
    +1
  • Sicklyboy @ Sicklyboy:
    PRICE IS FIRM
  • K3Nv3 @ K3Nv3:
    498
  • Sicklyboy @ Sicklyboy:
    I got lowballed today lol. That tonneau cover, I l isted it for $80, current retail price for it is $240. Guy hit me up and said $45. Ignored him
  • K3Nv3 @ K3Nv3:
    American way lowball until they say yes
  • Sicklyboy @ Sicklyboy:
    Not only did I ignore him, I messaged the next guy in line and he's like I can meet up today, didn't bat an eye at the price.
  • K3Nv3 @ K3Nv3:
    Only slept two hours
  • Sicklyboy @ Sicklyboy:
    sleep more
    Sicklyboy @ Sicklyboy: sleep more