Support us on Patreon to keep GamingOnLinux alive. This ensures all of our main content remains free for everyone. Just good, fresh content! Alternatively, you can donate through PayPal. You can also buy games using our partner links for GOG and Humble Store.
We do often include affiliate links to earn us some pennies. See more here.

Valve locking down publishing Steam builds with SMS codes due to Malware

By - | Views: 31,097

Valve announced recently some new changes for developers publishing public builds to their games on Steam, requiring a phone number and a text message confirmation code.

As the announcement says "As part of a security update, any Steamworks account setting builds live on the default/public branch of a released app will need to have a phone number associated with their account, so that Steam can text you a confirmation code before continuing". The change is due to go live on October 24th and for developers who don't have a phone Valve simply say "Sorry, but you’ll need a phone or some way to get text messages if you need to add users or set the default branch for a released app". It will also be needed for adding new users, and Valve plan to add this requirement to "other Steamworks actions in the future".

Valve didn't mention why, but it didn't take long for the reason to make its way online. It turns some developer accounts were compromised, and used to spread malware on Steam. As noted by Simon Carless on X, showing a screenshot a developer received:


Screenshot via Simon Carless, SteamDB

In reply to the X post, developer Benoît Freslon said "Hey Simon, I'm the developer of this game. ALL my accounts were hacked by a Token Grabber Malware. Unfortunately, the 2FA i s useless if the token is still active. I just used my dev account to release the game few hours before the hack I suppose."

Valve confirmed to PC Gamer the issue affected less than 100 Steam accounts with the games installed.

Article taken from GamingOnLinux.com.
Tags: Game Dev, Misc, Steam
12 Likes
About the author -
author picture
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly came back to check on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly.
See more from me
19 comments
Page: 1/2»
  Go to:

Nateman1000 Oct 12, 2023
I mean they gotta do what the gotta do
BlackBloodRum Oct 12, 2023
View PC info
  • Supporter Plus
Why is the game blurred? This developer should put their hands up and admit they failed basic computer security. They compromised their customers safety, so realistically it should be public knowledge (else, a customer could be infected by their infected game and not even know it!). Even if that may only be "less than 100 Steam Accounts". I doubt this is the first incident.

They should absolutely be public about this.


Last edited by BlackBloodRum on 12 October 2023 at 3:01 pm UTC
Purple Library Guy Oct 12, 2023
Quoting: BlackBloodRumWhy is the game blurred? This developer should put their hands up and admit they failed basic computer security.
You mean . . . they're running Windows?!
BlackBloodRum Oct 12, 2023
View PC info
  • Supporter Plus
Quoting: Purple Library Guy
Quoting: BlackBloodRumWhy is the game blurred? This developer should put their hands up and admit they failed basic computer security.
You mean . . . they're running Windows?!
That could well be true! Imagine having to use Windows every day though? The agony, the anger, the frustration, the distractions and to top it all off, you upload an infected game.
Ehvis Oct 12, 2023
View PC info
  • Supporter Plus
I find it kind of weird that we've had to provide a login every time we have to pay, but that devs could just change public facing builds without any form of extra explicit authentication. Sounds like something that should have been done a long time ago.
Nateman1000 Oct 12, 2023
Quoting: BlackBloodRum
Quoting: Purple Library Guy
Quoting: BlackBloodRumWhy is the game blurred? This developer should put their hands up and admit they failed basic computer security.
You mean . . . they're running Windows?!
That could well be true! Imagine having to use Windows every day though? The agony, the anger, the frustration, the distractions and to top it all off, you upload an infected game.
Many think windows disease is incurable but it is very curable. So make sure to get a Linux or BSD distribution for your computer and cure this disease
Liam Dawe Oct 12, 2023
Quoting: BlackBloodRumWhy is the game blurred? This developer should put their hands up and admit they failed basic computer security. They compromised their customers safety, so realistically it should be public knowledge (else, a customer could be infected by their infected game and not even know it!). Even if that may only be "less than 100 Steam Accounts". I doubt this is the first incident.

They should absolutely be public about this.
The developer only seems to have posted about it on their Steam forum but not in any announcement.
Kimyrielle Oct 12, 2023
I wonder why Steam can't just support hardware tokens, like everyone else. I hate using phones as security tokens because they become a single point of failure (and also because I don't trust big business not to lose/abuse my phone number). :S
artixbtw Oct 12, 2023
Quoting: KimyrielleI wonder why Steam can't just support hardware tokens, like everyone else. I hate using phones as security tokens because they become a single point of failure (and also because I don't trust big business not to lose/abuse my phone number). :S
Yep, phone numbers are a laughable form of security, I don't understand why Valve still believes it's reliable enough not to be replaced by actual 2FA that doesn't require a proprietary application (at least officially).

One extra hoop to jump through, which requires a separate device as a security measure (easily broken if the user syncs their SMS to their computer though), but a very unreliable one.

Come on, Valve.
denyasis Oct 12, 2023
Quoting: Nateman1000
Quoting: BlackBloodRum
Quoting: Purple Library Guy
Quoting: BlackBloodRumWhy is the game blurred? This developer should put their hands up and admit they failed basic computer security.
You mean . . . they're running Windows?!
That could well be true! Imagine having to use Windows every day though? The agony, the anger, the frustration, the distractions and to top it all off, you upload an infected game.
Many think windows disease is incurable but it is very curable. So make sure to get a Linux or BSD distribution for your computer and cure this disease

This is probably ignorance in my part, but how is security better with Linux in this situation? We're (mostly) running these programs wide open out of the home drive (maybe some ppl are using flatpack or snap, but even then that's not a default requirement on most distro and people still poke holes in those sandboxes regularly). No, it can't infect "the system", but since we're executing programs out of /home, isn't that good enough? The malware is still running under the users permissions, it can still execute in /home, read data, access the network, etc.

Maybe I'm missing something fundamental with Linux security, but it seems once I log in anything within the user space can run under my permissions, malware or not? Especially if it's malware hidden in a program/game that I intentionally started?

I've used Linux a very long time, but I'm self taught.... Security is one of those Linux areas that's always been complex for me to grasp in a meaningful way.
While you're here, please consider supporting GamingOnLinux on:

Reward Tiers: Patreon. Plain Donations: PayPal.

This ensures all of our main content remains totally free for everyone! Patreon supporters can also remove all adverts and sponsors! Supporting us helps bring good, fresh content. Without your continued support, we simply could not continue!

You can find even more ways to support us on this dedicated page any time. If you already are, thank you!
Login / Register


Or login with...
Sign in with Steam Sign in with Google
Social logins require cookies to stay logged in.