Valve has announced a Steamworks security update. The biggest change is that managing Steam builds will now require a verified phone number.
On October 10, Valve notified developers that they will need a phone number associated with their account to release new versions of their games/apps or add new users to their account.
“This change will go live on October 24, 2023, so be sure to add a phone number to your account now,” the post reads. “We also plan on adding this requirement for other Steamworks actions in the future.”
Here is how the new security feature will work:
- If a developer wants to update their build, Steam will text them a confirmation code via SMS;
- They will need to enter this code to set the default branch (the only exceptions are beta versions or games that are not yet released);
- The admin in the Steamworks account will also need to enter an SMS code before sending an invite to a new user they want to add to the group.
Valve also noted that if a developer sets their build live via the SetAppBuildLive API, they will need to provide a specific steamID linked to the Steam Mobile app for confirmation.
This update is aimed at improving security and preventing potential account hacks. As pointed out by GameDiscoverCo, hackers can steal Steam dev credentials and use them to upload a new .EXE that contains malware.
Below is an example of an email by Valve that notifies people who launched a compromised game (in this case, NanoWar: Cells VS Virus): “The build containing the suspected malware was promptly reverted and purged from Steam, but we strongly encourage you to run a full-system scan using an anti-virus product that you trust or use regularly, and inspect your system for unexpected or newly installed software.”
Hey Simon, I’m the developer of this game. ALL my accounts were hacked by a Token Grabber Malware. Unfortunately, the 2FA is useless if the token is still active. I just used my dev account to release the game few hours before the hack I suppose.
— Benoît Freslon 👨💻 VideoGameCreation.fr (@BenoitFreslon) October 11, 2023
“Thus far, no major games have been affected. But we know of demos of unreleased games that got ‘malware’-d too,” Simon Carless noted. “So it’s even an issue if your game isn’t out yet (or is long retired!) And it looks like Steam’s locking down before there’s a bigger incident.”
However, not everyone seems happy about the changes. Some developers complain about the need to use one phone number per account, while others think Valve could choose one-time passwords (TOTP) over SMS or use its own Steam Guard system.