Gaming platform Steam is dealing with regular attacks from hackers who are stealing and selling user data, as well as malware attacks and phishing, researchers warn.

This article is more than 6 years old

The Steam gaming platform is having to cope with frequent and varied attacks, with reams of user data posted online by malicious hackers, security experts have warned.



Online cyber criminal forums are littered with Steam credentials harvested by botnets - networks of infected PCs controlled by hackers - selling for small sums.

A post seen by The Guardian from one dark web dealer on a Russian forum offered a full log of Steam-related data from their botnet for just $15 (£9), which likely included usernames and passwords. The malicious software sitting on infected machines making up a botnet often has a feature to siphon off login credentials.

“We have seen a fair amount of Steam account data floating around on the black market. Because of ease of trafficking and its market value, Steam account data is a high-valued commodity,” said Alex Holden, chief information security officer at Hold Security.

“To the best of our knowledge, most of the Steam accounts get stolen via botnets. However, in the past, we have seen exploitation attempts against the platform.”

Gamers have been faced with myriad attacks in recent months, including in-game spam and scam titles hitting the Steam Store.

Those hungry for game achievements have been caught out by malware disguised as game hacks and survey scams, or have paid hackers to acquire achievements for them, said Chris Boyd, malware intelligence analyst at Malwarebytes.

Phishing, where scammers try to trick people into giving over credentials, has become a problem on Steam, due to heavy use of its instant messaging and community tools, added Boyd.

“The Steam Marketplace allows Steam account holders to sell rare in-game items for funds which are deposited into their Steam wallet. With this money (non-transferable) they can purchase new games on their account. Steam hold holiday specific sales which add new items and visibility to the Marketplace,” he told the Guardian.

“With this in mind, Steam phishing has shifted away from imitating the standard Steam homepage - store.steampowered.com - to focusing on the increasingly popular Community portal, where everything from trading items to selling content on the marketplace occurs.”

Attackers are doing their best to get around the extra protections added by Valve, the Steam creator. They’re “constantly” trying to bypass Steam Guard, a form of two-step authentication for verified Steam accounts, where one-time codes are sent via email when users log in on a new device, Boyd adds.

Steam hackers have also been spied creating sites asking gamers to upload their SSFN file, which is created when Steam Guard approves a device and which is checked when logging in. Getting hold of that file allows the scammer to bypass Steam Guard entirely.

Gamers are fretting over Valve’s Early Access model too, which allows for quick and easy upload of games to Steam. One Early Access game, FPS Earth: Year 2066, was recently removed from the market having been lambasted for its poor quality, amidst claims it was a scam.

On a community post, Steam said “developers make their own decisions about promotion, features, pricing and publication”, indicating Valve is relinquishing a fair degree of control over its platform. Critics fear scam titles will now flood the marketplace, duping customers out of money for flawed titles.

Even when inside a game, hackers can get at users. In April, developers of the popular Steam title Garry’s Mod noted an exploit affecting titles based on Valve’s Source 3D video game engine, used in popular titles like Half-Life 2 and Counter-Strike Source, which made it possible to send files with any extension (such as .exe or .png) to a user’s PC or a game server.

The attacks on Garry’s Mod resulted in a variety of spam messages being sent both in-game and in Steam chat.

Valve had not responded to a request for comment at the time of publication.
