It’s not clear which and how many projects have been affected by the hacks, but the incident appears to date back to late August, and victims include NanoWar: Cells VS Virus developer Benoît Freslon, who told GameDiscoverCo’s Simon Carless on Xitter that all of his accounts were hacked using a token grabber. (Freslon mournfully added that “ironically, in my game, players fight viruses”.)
Wondering why Steam devs will have to confirm via SMS before publishing new game versions or adding users? (https://t.co/EIyLHyA02N….) Looks like it’s related to hackers taking over Steam dev accounts & adding malware to game builds. (Screenshot via @SteamDB from Sept. 2023.) pic.twitter.com/WfjGiHdhxm
— Simon Carless (@simoncarless) October 10, 2023
Valve are purging the builds affected, and are beefing up Steam’s security mechanisms. A company representative has told PCGamer that there has been “an uptick in sophisticated attacks” against Steam devs, and that “extra friction” for partners is a “necessary tradeoff for keeping Steam users safe and developers aware of any potential compromise to their account.”
Valve have outlined their security changes in a post on Steam. “As part of a security update, any Steamworks account setting builds live on the default/public branch of a released app will need to have a phone number associated with their account, so that Steam can text you a confirmation code before continuing,” it reads.
“The same will be true for any Steamworks account that needs to add new users,” it continues. “This change will go live on October 24, 2023, so be sure to add a phone number to your account now. We also plan on adding this requirement for other Steamworks actions in the future.”
Developers will need a text message confirmation code whenever they update a build in the default branch of a Steam app, but they won’t need a code to update a beta branch or an app that hasn’t been released. Steamworks partner group admins will also need a text message code in order to invite a new user to the group.
There’s a Q&A with some additional specifics in the full post.