Valve has announced a Steamworks security update. The biggest change is that managing Steam builds will now require a verified phone number.

Steam will require devs to use SMS verification to release new game builds, as Valve tries to fight account hacking

On October 10, Valve notified developers that they will need a phone number associated with their account to release new versions of their games/apps or to add new users to their account.

“This change will go live on October 24, 2023, so be sure to add a phone number to your account now,” the post reads. “We also plan on adding this requirement for other Steamworks actions in the future.”

Here is how the new security feature will work:

  • If a developer wants to update their build, Steam will text them a confirmation code via SMS;
  • They will need to enter this code to set the default branch (the only exceptions are beta versions or games that are not yet released);
  • The admin in the Steamworks account will also need to enter an SMS code before sending an invite to a new user they want to add to the group.

Valve also noted that if a developer sets their build live via the SetAppBuildLive API, they will need to provide a specific steamID linked to the Steam Mobile app for confirmation.

The update is aimed at improving security and preventing account hacks. As pointed out by GameDiscoverCo, hackers can steal Steam dev credentials and use them to upload a new .EXE that contains malware.

Below is an example of an email from Valve notifying people who launched a compromised game (in this case, NanoWar: Cells VS Virus): “The build containing the suspected malware was promptly reverted and purged from Steam, but we strongly encourage you to run a full-system scan using an anti-virus product that you trust or use regularly, and inspect your system for unexpected or newly installed software.”

“Thus far, no major games have been affected. But we know of demos of unreleased games that got ‘malware’-d too,” Simon Carless noted. “So it’s even an issue if your game isn’t out yet (or is long retired!) And it looks like Steam’s locking down before there’s a bigger incident.”

However, not everyone seems happy about the changes. Some developers complain about the need to use one phone number per account, while others think Valve could have chosen time-based one-time passwords (TOTP) over SMS or used its own Steam Guard system.
