Steam protects its developers by adding two-factor authentication!

Recently, there was a situation where the Steam accounts of some game developers were compromised and used to sneak malware into their games. Thankfully, only a small number of Steam users, fewer than 100, had the affected games installed, and Valve has reached out to them directly via email to inform them of the potential risks. This issue, originally reported by Simon Carless from the GameDiscoverCo newsletter, has now been confirmed by Valve.

To make sure this doesn’t happen again, Valve is taking some significant steps. Starting on October 24, game developers will have to go through a two-factor authentication process before updating the default branch of a released game. This is the version that Steam automatically sends as an update to most players who have the game installed.

The two-factor authentication code will be sent via SMS text message, which means that Steam partners must register a mobile phone number. If a developer doesn’t have a phone, Valve’s stance is clear: “sorry,” but they will need a phone or some way to receive text messages if they want to continue updating their games.

Valve told PC Gamer that this additional layer of security for its partners is seen as a necessary measure to ensure the safety of Steam users and to keep developers informed about potential security compromises. This recent incident isn’t the only attempt to breach Steam partner accounts; Valve has reported an increase in sophisticated attacks targeting the accounts of game developers who release their games on Steam.

In addition to SMS verification for updates, Steam partners will also need to use this method to add new users to their group. Valve has plans to introduce two-factor security checks for other Steam backend actions in the future.

One of the games briefly compromised was NanoWar: Cells VS Virus, and its developer, Benoît Freslon, shared that he fell victim to malware. This malicious software stole his browser access tokens, allowing the attackers temporary access to any web service he was logged into at the time. He noted, “I just used my dev account to release the game a few hours before the hack, I suppose.”