Security News > 2023 > October > Steam enforces SMS verification to curb malware-ridden updates
This is to deal with a recent outbreak of malicious updates pushing malware from compromised publisher accounts.
Starting in late August and into September 2023, there has been an elevated number of reports about compromised Steamworks accounts and the attackers uploading malicious builds that infect players with malware.
"As part of a security update, any Steamworks account setting builds live on the default/public branch of a released app will need to have a phone number associated with their account so that Steam can text you a confirmation code before continuing," reads Valve's announcement from earlier this week.
Freslon explained on Twitter that Valve's new SMS-based MFA security measure wouldn't have helped stop the attack as the info-stealer malware snatched session tokens to all his accounts.
The game installer dropped a password-stealing malware on his computer, which targeted his Discord, Steam, Twitch, Twitter, and other accounts.
Until the tokens were revoked or expired, the attackers continued to access the developer's accounts, remaining free to push malware-laced game updates to players.
News URL
Related news
- North Korean Hackers Update BeaverTail Malware to Target MacOS Users (source)
- Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware (source)
- Fake CrowdStrike updates target companies with malware, data wipers (source)
- Hackers breach ISP to poison software updates with malware (source)
- North Korean hackers exploit VPN update flaw to install malware (source)