
77,000 Steam accounts hacked every month, new security measures deployed

"We're fully aware that this is a tradeoff with the potential for a large impact on trading."

GameSpot staff

According to newly revealed statistics from Valve, some 77,000 Steam accounts are hacked every month.

Valve revealed the figure this week in a blog post that pointed out account theft is nothing new on Steam; it has been happening since the platform's first days. But instances of hacking jumped twenty-fold, or close to 2,000 percent, following the introduction of Steam Trading four years ago.

"Having your account stolen, and your items traded away, is a terrible experience, and we hated that it was becoming more common for our customers," Valve said.

Valve's solution thus far has been to duplicate stolen items for people who lost them, but this isn't an ideal solution, especially when the pilfered items are of the rare variety.

"We were fully aware of the tradeoff here. Duplicating the stolen items devalues all the other equivalent items in the economy," Valve said. "This might be fairly minor for common items, but for rare items this had the potential to significantly increase the number in existence."

Valve said this solution was deemed "unacceptable." Therefore, it's taken steps to improve security and close loopholes. The developer also says it's improved how and when it informs users that their account is at risk and has introduced a self-locking system and two-factor authentication through Steam Guard.

But accounts are still being hacked, in part because Steam users, generally, are not taking advantage of the new security features.

"At this time, most people have not protected their accounts with this increased level of security," Valve said. "Many don't believe that they are actually a worthwhile target for a hacker who's out to make money. Some felt they were smart enough about security to not need two-factor authorization. And other users knew they needed it, but couldn't use it due to reasons beyond their control, like not having access to a mobile phone."

One option that Valve considered was removing trading entirely. It would have been easy and it would have curbed hacking dramatically, but Valve said this would be a "bad choice for users."

"Another easy choice would have been to require two-factor authentication for trading, but that's bad for the same reasons as removing it entirely," it said. "It's important that you can give a friend a TF2 weapon when he comes to try out the game, or give a friend the last trading card she needs to craft a game badge."

In the end, Valve decided that three major changes would serve Steam best in dealing with hacking. These changes have now been deployed and include the following:

  • Anyone losing items in a trade will need to have a Steam Guard Mobile Authenticator enabled on their account for at least seven days and have trade confirmations turned on. Otherwise, items will be held by Steam for up to three days before delivery.
  • If you've been friends for at least one year, items will be held by Steam for up to one day before delivery.
  • Accounts with a Mobile Authenticator enabled for at least seven days are no longer restricted from trading or using the Market when using a new device, since trades on the new device will be protected by the Mobile Authenticator.

These measures aren't perfect, however, Valve admitted. These changes could end up having a "large impact" on trading, the company warned.

"Any time we put security steps in between user actions and their desired results, we're making it more difficult to use our products," Valve said. "Unfortunately, this is one of those times where we feel like we're forced to insert a step or shut it all down. Asking users to enter a password to log into their account isn't something we spend much time thinking about today, but it's much the same principle -- a security cost we pay to ensure the system is able to function. We've done our best to make the cost as small as possible, for as few people as possible, while still retaining its effectiveness."

You can read the full Valve security blog post here.