Many Steam users have had their accounts hacked at least once, but a security breach showed what happens when a game developer’s account gets compromised: gamers get hit with malware.
That’s exactly what happened when hackers used compromised game developers’ accounts in an attempt to distribute malware. The attack wasn’t particularly successful, but it did reveal a major gap in the security measures implemented by Valve, Steam’s developer. If successful, it could have effectively turned games on Steam into Trojan horses.
Since the attack, Valve has scrambled to update its security to prevent a repeat occurrence. This was still a situation that could have been a disaster for both the company and users.
How was the malware distributed on Steam?
Hackers gained access to game developers’ accounts and used Steam to distribute malware through patches to those developers’ games.
This distribution method is particularly frightening because the default setting for Steam updates is automatic. While auto-updates can be turned off, most users don’t bother. This means that in the case of malware being distributed via game updates, many users would see their hardware infected automatically.
In response to this threat, Valve recently announced new security features that will go live on October 24. This update will require game developers on Steam to use two-factor SMS authentication when releasing a game update to better protect against another malware attack. In theory, this means the developer will have to prove their identity before they are allowed to update their game.
This proposed solution has faced some criticism, however, because phone numbers can still be compromised. There is also no shortage of Counter-Strike 2 players who have had two-factor authentication enabled and still seen their backpacks emptied by hackers. It remains to be seen whether Valve will implement more robust protections.
What games were affected by the attack?
Valve has not released a full list of Steam games that distributed malware, but one affected game was NanoWar: Cells VS Virus.
Valve has stated, however, that all affected users have been alerted via email. This means that any Steam users who have not received such an email can safely conclude they have not been affected.
To receive the malware, a Steam user needed to have one of the affected games installed and updated while the accounts were compromised. Valve stated that fewer than 100 Steam users were impacted by this attack. That is a very small percentage of users, but it’s easy to imagine how this could have been a catastrophe.