​

Some Steam game developers have fallen victim to hackers recently, as the attackers gained access to developer accounts and updated games with malware bundled into them. It seems that both game developers and players alike that could have been affected by this attack were contacted directly through an email by Valve, letting them know if they launched one of the compromised games and when the dates of the malware update and build reversions took place:

​

Some reports mention that less than 100 Steam accounts were affected, and according to some of the emails sent out to the users (which date back to Septermber, 2023), the compromised game builds (for some cases) were updated on August 24th, 2023, and then reverted back on August 25th, 2023. The game mentioned in the Twitter/X post above has been confirmed to be NanoWar: Cells VS Virus developed by Benoît Freslon, who had all of his accounts compromised due to the attack, but at the time of writing, it is yet to be confirmed which other games specifically have been affected by this malware attack, and if the compromised builds were all updated on the same dates listed in the mail or if it was a case-per-case basis for the malware-infected game builds.

As a response to these hacks, Valve has started to take action, and to counter these malware attacks, and improve the security of their developers, Steam will be implementing new changes to manage builds and Steamworks users, in which they are now requiring the Steamworks accounts to have a phone number associated with their account to get an SMS confirmation through the mobile device; basically Two-Factor Authentication/2FA but for certain changes instead of a login, and this will be effective for both managing builds of games as well as adding new users too.

We wanted to give everyone a heads up on some important changes to how builds will be managed in Steamworks, along with adding new users to your Steamworks partner. As part of a security update, any Steamworks account setting builds live on the default/public branch of a released app will need to have a phone number associated with their account, so that Steam can text you a confirmation code before continuing. The same will be true for any Steamworks account that needs to add new users. This change will go live on October 24, 2023, so be sure to add a phone number to your account now. We also plan on adding this requirement for other Steamworks actions in the future.

As mentioned in the excerpt from Valve, the change will take effect on October 24th, 2023, and Valve is considering implementing said changes for other Steamworks actions later down the road. Some Steam developers haven't been to keen to these kind of changes, but if it means more security for everyone, end-user or developer, it's a necessary change for the better.

Source
Valve's Developer Event Post

 

[64bitmodels]

This wouldnt be a problem if dev's produced games and not steaming piles of shit that constantly need patched to barely keep running. Then they could go back to putting games on physical media and would never need to worry about this crap.

Physical games can be buggy crocks of shit too. Also, Elden Ring got patches. TOTK got patches, even after a year of polish. Hi-Fi Rush and Resident Evil 4 got patches. Every game needs a set of patches.

 

[wartutor]

Physical games can be buggy crocks of shit too. Also, Elden Ring got patches. TOTK got patches, even after a year of polish. Hi-Fi Rush and Resident Evil 4 got patches. Every game needs a set of patches.

Did you not notice i said "This wouldnt be a problem if dev's produced games and not steaming piles of shit that constantly need patched to barely keep running." Company's use to be held responsible if something was broken in games due to the inability to patch them now they are barely games when released and 99% of them are unplayable until patched multiple times and consumers make excuses for them.

 

[A-Hacked-Soul]

Those with power should always have higher security requirements on their accounts. You hear that FBMM?

 

[DeadSkullzJr]

No game is bug free (some cases malware free either), but this is one of the reasons I tend to prefer physical media. Majority of the solutions you use, whether it be an operating system (Windows for example), a gaming service, etc. all tend to force you to update just to play what you have. On the PlayStation Vita and Nintendo 3DS, you didn't have to update a game if you didn't want to, you were given the option to continue playing the build you had anyways, you would just be unable to participate in online activities. Digital environments make that much more difficult to achieve, solutions like Steam will automatically update stuff for you, and I'm sure there may be an option to manually update, I know you can pause the updates, but that doesn't count as a means to control what you install. The benefit to physical media is also the fact that the media is written to once, then it basically is locked out from being written to again. The only other means would be patches being potentially malicious, but that also kind of brings me to the next point.

If developers would just stop rushing games and start taking more time to actually test and tune the games, you won't need as many patches that keep being pumped for all of these titles. It would reduce the amount of physical variations that would need to exist as some games tend to have revision releases, and it wouldn't cause people to have to update so damn often just to enjoy a game. I should be able to wait for a game, and play it when it comes out, preferably without having to update it period from day one. It's sad if we need patches right out the damn gate. If patches are absolutely necessary, then take the damn time to tune that ONE patch, instead of being suboptimal with multiple. I could also apply this to a lot of homebrew too, can't tell you how many ridiculous versions exist for certain homebrew software, all because someone didn't want to test their own work.

I feel like situations like these could be avoided with better actions. Either fix your game so you don't need billions of patches, or making it so updates aren't forced automatically, then you won't have to deal with potential malware either.

 

[codezer0]

Good. Another verification step that makes things safer on the users end. Adds maybe 10 seconds of effort for the dev.

And adds ten more hours of brain damage levels of screeching for why their latest game is only making $10 per second instead of $10.01 like their forecasts depended on to afford that 13th yacht the ceo wants.

 

[64bitmodels]

If developers would just stop rushing games and start taking more time to actually test and tune the games, you won't need as many patches that keep being pumped for all of these titles.

If someone hacked into your Steam account or whatever and were trying to upload a virus through a game update then it wouldn't matter how bugfree the game is, the virus is still going to be getting in there. This isn't a result of buggy games or digital only or patches it's quite simply just incompetence on the part of Valve. (and the developers, somewhat)

The real takeaway should be that people who develop games should make it a priority to keep their software and databases in check so no asshole comes in trying to make everything worse for everyone. Or in other words don't be an idiot and avoid a scam/virus when you see one.

 

[Gamemaster1379]

So, you can get virus even when you legit buy game, get them from official servers, and all...?
There was a time when it was one of the only few advantages of buying games, to be sure to not get malware.

Post automatically merged: Oct 12, 2023

i dont know how this thing worked, but it did. It didn't require wifi or anything afaik. I had one and never configurated it. View attachment 398840

There was a serial code on the back that I entered in my account, and it was all set. I pressed the button and it gave me a code that i would enter as a OTP.

Basically, how these things work is there is a very complex, long secret/token (think password, basically) that the device knows about. You, the user, transmit the code to the service on the other side you want to log into (or, they already have it if they issued it to you). This exchange happens exactly once. That secret/token is never exchanged again for security reasons.

From there, both sides have a special algorithm that uses the secret and the current time, and calculates them in a special way to produce a 6 digit code.

When you log in, you provide that 6 digit code to the server, and it uses its secret and tries to calculate it. If they match, you're let in. If they don't, it fails.