Valve has been in contact with several game developers who were hit by hackers who used a vulnerability to hide malware in their games on Steam.
The hackers’ intention was to play the malware off as an update to the installed game on players’ PCs, then infecting them when the “new build” was downloaded.
Fortunately, less than 100 players had these compromised games installed on their systems and they were also contacted by Valve to notify them of the security breach.
Wondering why Steam devs will have to confirm via SMS before publishing new game versions or adding users? (https://t.co/EIyLHyA02N….) Looks like it’s related to hackers taking over Steam dev accounts & adding malware to game builds. (Screenshot via @SteamDB from Sept. 2023.) pic.twitter.com/WfjGiHdhxm
— Simon Carless (@simoncarless) October 10, 2023
“The build containing the suspected malware was promptly reverted and purged from Steam, but we strongly encourage you to run a full-system scan using an anti-virus that you trust or use regularly,” advised Valve via GameDiscoverCo’s Simon Carless on X.
As a result of “an uptick in sophisticated attacks” on game developers, said Valve in a comment to PC Gamer, the requirements for the safety of their accounts have been changed.
Before October 24, developers must add a phone number to their account so the act of uploading and rolling out an update must be cleared with a confirmation code sent to the phone.
If developers don’t have a phone, Valve said “sorry” but they will “need a phone or some way to get text messages if [they] need to add users or set the default branch for a released app.”
According to Carless, some developers are displeased with the short notice for finding a phone number to attach to their accounts and that text messages can still be a way for hackers to dupe the receivers.
However, Valve explained that if the developer uses the SetAppBuildLive API, they will be able to decide which Steam ID to use and therefore which phone number to use for confirmation.
In other gaming news, Psyonix has revealed that Rocket League player-to-player trading will be removed in December, to the irritation of fans who view that feature as integral to the game.