Several game developers' Steam accounts were recently compromised and used to spread malware through game updates. According to Valve, fewer than 100 users installed the game after the malware was added, and they were informed of the risk via email.
While this incident didn't affect too many people, Valve has taken significant steps to prevent this from happening again. Starting October 24, game developers will need to pass a two-factor authentication identity check before updating the default branch version of a published game. The "default branch" is the version that Steam pushes to most installed game players in automatic updates.
This two-factor verification requires receiving mobile phone text messages, so future Steam game developers must bind mobile phone numbers. For developers who do not have mobile phone numbers, Valve said it is "sorry" for this change, but if they want to continue to update the game, developers must have a mobile phone or other means to receive text messages.
Valve told PCGamer that this "inconvenience" for partners is "a necessary trade-off to keep Steam users safe and developers aware of any potential threats to their accounts."
And Valve also stated that this was not an isolated incident. The company said it has seen a recent increase in "sophisticated attacks" targeting developer accounts of published games on Steam.
In the future, Steam developers will also be required to perform SMS two-factor verification when adding new users to company groups. Valve said it plans to add two-factor verification to other Steam backend operations in the future.
One of the games affected includes NanoWar: CellsVSVirus. Developer Benoit Freslon said on Twitter (X) that he himself was a victim of malware that stole the access token on his browser, allowing the attacker to access any web service he logged into. "I think it was a few hours before the hack that I released the game using my development account," he said.