Valve is bolstering the security of its Steamworks platform by introducing SMS verification for developers, aiming to prevent future incidents of hackers infiltrating developer accounts.
The move comes in response to previous breaches where malevolent actors compromised developers’ accounts and injected malware into various game builds.
While these attacks, as confirmed by PC Gamer, impacted fewer than 100 Steam users, developer Benoît Freslon, the creator of NanoWar: Cells VS Virus, disclosed on X (formerly Twitter) on October 11 that hackers gained control of his browser access tokens. This allowed them to access any services associated with Freslon’s logged-in accounts.
“This reflects a trend [we have] been seeing over the past few years as adversaries shift the focus of their attacks to developers who often have access to the crown jewels of tech companies – their source code,” commented Ken Westin, field CISO at Panther Labs.
According to the security expert, the potential for financial gain is significant when infiltrators access code repositories, DevOps tools and cloud infrastructure. Their capabilities extend beyond code theft and malware deployment to include the insertion of malicious code, thereby compromising downstream customers.
“This trend is increasingly being utilized by not only criminal groups but also nation-state actors, as we have seen with the Lazarus Group out of North Korea,” Westin explained.
Read more on the Lazarus Group: Lazarus Group Targets macOS in Supply Chain Assault
“Organizations need to take additional measures to not only secure developers themselves but also the environments they interact with on a daily basis – those with privileged access are particularly vulnerable,” Westin added.
Valve is now taking measures to thwart such breaches. The company announced that changes would be implemented in Steamworks, the free suite of developer tools, particularly concerning build management and user additions to Steamworks groups.
These changes will mandate associating a phone number with a user’s Steamworks account. Steam will send a confirmation code via SMS for any published application when developers attempt to update a build to the default branch. A similar two-factor authentication (2FA) process will apply when Steamworks administrators invite new group members.
The implementation of these security enhancements is scheduled for October 24, prompting Steam users to ensure their phone numbers are linked to their accounts.
Furthermore, Steam has hinted at expanding this requirement to other Steamworks actions in the future.
Image credit: Rokas Tenys / Shutterstock.com