Steam is the largest digital distribution platform for PC video games. But on Wednesday, Valve, which runs the Steam store, announced account theft has become an epidemic.

Around 77,000 Steam accounts are “hijacked and pillaged each month,” Valve said in a Wednesday news post.

The company says account theft has been around since the inception of Steam in 2003, but “the problem has increased twenty-fold” since the 2013 introduction of something called Steam Trading.

Basically, Steam Trading lets people trade games, in-game items, and virtual cards that are stored in your Steam account. But unfortunately, this system has made it easier to steal from other users, and more difficult for Valve to protect its Steam customers.

The main problem is that once something is stolen, people trade those items again and again, and oftentimes it’s eventually “sold to an innocent user,” according to Valve.

Valve says “enough money now moves around the system that stealing virtual Steam goods has become a real business for skilled hackers… practically every active Steam account is now involved in the economy, via items or trading cards, with enough value to be worth a hacker’s time. Essentially all Steam accounts are now targets.”

The short-term fix was to duplicate all the stolen items in order to replace them for the victims; but Valve points out that “duplicating the stolen items devalues all the other equivalent items in the economy.”

But Valve is working on more long-term fixes. The company said it’s improved security features, closed loopholes, and improved its system for telling people when their accounts are at risk.

Valve has also created a specialized form of two-factor authentication, the same kind of system Google uses to protect its users. It uses a device separate from your PC, such as a smartphone, to confirm your identity; such devices are not as easily compromised as PCs, according to Valve.

Valve explained why it needed to create its own special two-factor authentication:

“We needed to create our own two-factor authenticator because we need to show users the contents of the trade on a separate device and have them confirm it there. Requiring users to take a code from a generic authenticator and enter it into a hijacked PC to confirm a trade meant that hackers could trick them into trading away items they didn't intend to. This basically made it impossible to use a generic third-party authenticator, such as Google Authenticator, to confirm trades.”
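The distinction Valve draws, as an added illustration (not Valve's code or protocol): a generic one-time code proves only that the user holds the device, while a confirmation computed on the phone over the trade contents is valid for that trade alone. The shared secret, trade fields, and function names are constructed for this example.

```python
import hashlib
import hmac
import json
import struct

# Constructed secret shared by the server and the user's phone (assumption).
DEVICE_SECRET = b"constructed-demo-secret"

def generic_code(secret, counter):
    """RFC 4226-style code: depends only on the secret and a counter/time step."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

def canonical(trade):
    """Stable byte encoding of a trade so both sides MAC identical bytes."""
    return json.dumps(trade, sort_keys=True, separators=(",", ":")).encode()

def confirm_on_device(secret, trade):
    """Phone displays `trade` to the user, then MACs exactly what was shown."""
    return hmac.new(secret, canonical(trade), hashlib.sha256).hexdigest()

def server_accepts_code(secret, counter, code, trade):
    """Generic flow: the submitted trade is not an input to the check at all."""
    return hmac.compare_digest(generic_code(secret, counter), code)

def server_accepts_confirmation(secret, tag, trade):
    """Bound flow: the tag verifies only for the trade the user actually saw."""
    return hmac.compare_digest(confirm_on_device(secret, trade), tag)

# Constructed trades: what the user intends vs. what a hijacked PC submits.
INTENDED = {"to": "friend", "give": ["trading card"], "receive": ["trading card"]}
SWAPPED = {"to": "stranger", "give": ["rare item"], "receive": []}

def demo():
    step = 48_000_000                                  # constructed time step
    code = generic_code(DEVICE_SECRET, step)           # typed into the PC
    tag = confirm_on_device(DEVICE_SECRET, INTENDED)   # approved on the phone
    return {
        "code_accepts_swapped": server_accepts_code(DEVICE_SECRET, step, code, SWAPPED),
        "tag_accepts_swapped": server_accepts_confirmation(DEVICE_SECRET, tag, SWAPPED),
        "tag_accepts_intended": server_accepts_confirmation(DEVICE_SECRET, tag, INTENDED),
    }

if __name__ == "__main__":
    print(demo())
```

The generic code verifies no matter which trade the PC submits with it, whereas the tag produced on the phone fails as soon as the trade differs from what was displayed.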

Valve said it’s considered removing trading entirely, which was the easiest solution even though it generates revenue for the company. But in the end, the company settled on two-factor authentication and a series of other changes, including a way to approve trades. You can learn more about the changes here.

Right now, Valve says most people haven’t protected their accounts with the new two-factor authentication, and many don’t even know about this theft issue. People who haven’t enabled the new security features can still trade, but they’ll have to wait several days for the trade to go through, which gives Valve time to discover if Steam accounts have been hacked and recover them before theft can occur.



Valve says it’s aware that adding security steps makes it more difficult to use its products. But it also said “this is one of those times where we feel like we’re forced to insert a step or shut it all down.”

“We’ve done our best to make the cost as small as possible, for as few people as possible, while still retaining its effectiveness.”