It is a shame when Steam makes headlines for online attacks and security breaches instead of gaming news. Steam, the largest online store focused on video games, has announced that it will increase security after some developer accounts were hijacked and used in attacks.
Valve has already contacted video game developers whose accounts were hijacked and used in the new form of sophisticated attacks.
Unfortunately, the problem is bigger than simply losing control over the profile. Attackers used the account to install and hide malicious code in a small portion of Steam video games.
The idea is simple, and you can probably already guess it. The attackers would set the game to receive a game update, but instead of a game update, users downloaded malicious code onto their computers. The good news, if you can actually see it that way, is that the number of victims of the attacks is surprisingly small. Only about 100 users downloaded any of the malicious updates.
Security experts at Steam immediately took action. After discovering the attack, Valve rolled back to the previous versions of the games and removed the malicious updates from Steam. At the same time, they proactively contacted affected account owners to alert them to the security threat.
To prevent the situation from happening again, Valve has added further security measures. One of them is mandatory double authorization and identity verification. Identity verification is via SMS, and developers must add a phone number to their profile before October 24. Furthermore, any update that they push will have to be confirmed by SMS authorization.
Some of the developers are not satisfied with the urgency imposed by Valve, especially when it comes to finding a phone that they can use, reported NME. In general, this is standard two-factor authentication. After releasing an update for a video game, Steam will send an SMS code to the developer, which must then be entered into the client to select the current version of the game.
As an additional security measure, Valve will also limit who can send invitations to new users. This will only be enabled for admins in Steamworks groups in the future.
The company wants to be “crystal” clear about the change. Developers who do not enter a phone number will not be able to push updates after October 24th.
Steam has not yet released an exact number of compromised accounts, or how attackers gained access to developer accounts. One of the games caught up in this whole mess is NanoWar: Cells VS Virus. The game’s creator, Benoît Freslon, says he was the victim of malware that stole his access tokens. With them, the attackers gained access to all the services he was logged in to at the time. As expected, one of the platforms he was logged into was Steam, reported PC Gamer.