Steam Security: Explained: How Steam is planning to stop hackers from pushing malware-laden game updates
What is Steamworks and how is it involved
Steamworks is a set of tools and services that software developers use to distribute their products on the Steam platform. These tools and services are one of the core reasons for the security enhancements.
With Steamworks, game publishers can handle various aspects of their title. This includes DRM (digital rights management), multiplayer modes, video streaming, matchmaking, achievements system, in-game voice and chat, microtransactions, statistics, cloud saving and community-made content sharing (Steam Workshop).
In the last few months, a high number of compromised Steamworks accounts have been reported. Using these accounts, hackers are uploading malicious builds of games that can infect players with malware.
In a note shared by Valve, the company assured the gaming community that the impact of these attacks was limited to a few hundred users. Steam's parent company also noted that it sent individual notices to these users to inform them of the potential breach.
How Valve is planning to tackle the issue
Valve is set to enforce a new SMS-based security check starting on October 24 to solve the “compromised account” issue. In a blog post, the company confirmed that game developers have to pass this authentication before pushing an update on the default release branch. However, this verification system will not cover beta releases.
Anyone who tries to add new users to the Steamworks partner group, an action that is already protected by an email-based confirmation, will also have to go through this authentication system. Starting October 24, the group admins of the respective channels have to verify the action with an SMS code.
Valve also noted that there will be no workaround for developers without a phone number. So, game makers need to find a way to receive text messages to continue publishing on the platform.
Read what the company has to say
“As part of a security update, any Steamworks account setting builds live on the default/public branch of a released app will need to have a phone number associated with their account so that Steam can text you a confirmation code before continuing. The same will be true for any Steamworks account that needs to add new users. This change will go live on October 24, 2023, so be sure to add a phone number to your account now. We also plan on adding this requirement for other Steamworks actions in the future.”