Valve Says 77,000 Steam Accounts Get Hijacked Per Month

Illustration for article titled Valve Says 77,000 Steam Accounts Get Hijacked Per Month

Lately, Valve’s been putting a big focus on beefing up Steam’s security—sometimes with measures that players find annoying or limiting. As part of a new security measure’s roll-out, they explained why.


Valve began by pointing out that current security measures absolutely aren’t enough to keep precious, precious accounts under lock and key. In a post about security and trading, they confessed that thousands of accounts get hacked, cracked, and popped every month.

“What used to be a handful of hackers is now a highly effective, organized network, in the business of stealing and selling items. It would be easier for them to go after the users who don’t understand how to stay secure online, but the prevalence of items make it worthwhile to target everyone. We see around 77,000 accounts hijacked and pillaged each month. These are not new or naïve users; these are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It’s a losing battle to protect your items against someone who steals them for a living.”

“We can help users who’ve been hacked by restoring their accounts and items, but that doesn’t deter the business of hacking accounts. It’s only getting worse.”

In addition to phone-based two-factor authentication, Valve recently upped Steam’s defensive ante with trade holding, a three-day delay before items traded between users are delivered when people don’t use the aforementioned phone authentication. The latter is actually a direct response to the former—or, more specifically, the fact that a lot of people aren’t using the former, aren’t tying their Steam accounts to Steam’s iOS/Android mobile app.

Problem is, some people simply can’t. Maybe they don’t have a cell phone, or maybe they don’t have the right kind of phone (not everybody uses iOS or Android, after all). Valve believes that code-based authentication sans the app isn’t secure enough; it opens opportunities for hackers to trick their way in. So they needed another solution to prevent theft for people unable to use two-factor authentication. Trade holding is what they came up with.

Basically, if you’re trading with people, the Steam mobile app will let you confirm trades—essentially functioning as another form of authentication on a separate (and therefore presumably secure) device. If you can’t do that, trades will be put on hold for up to three days. In the event of fraud or theft, that three day period will, Valve hopes, give users and Valve time to get to the bottom of the issue before potentially irreparable damage is done.

It might sound annoying, and for some people it probably will be. But Valve hopes what they’re doing is for the best.


“Once again, we’re fully aware that this is a tradeoff with the potential for a large impact on trading,” Valve wrote. “Any time we put security steps in between user actions and their desired results, we’re making it more difficult to use our products. Unfortunately, this is one of those times where we feel like we’re forced to insert a step or shut it all down. Asking users to enter a password to log into their account isn’t something we spend much time thinking about today, but it’s much the same principle - a security cost we pay to ensure the system is able to function. We’ve done our best to make the cost as small as possible, for as few people as possible, while still retaining its effectiveness.”

Here’s hoping Valve—notoriously slow when it comes to customer service—can make good use of the three-day trade delay period. That said, I’m glad Valve is contorting itself into a balloon animal of a pretzel of the world’s most intricate snowflake to keep Steam accounts from falling into the wrong hands. It took a while, but they’re finally fighting a battle that’s pretty damn important. Steam has a hacker/account jacker epidemic on its hands, no doubt about it. Unfortunately, Valve’s latest measure only treats a symptom—not the disease. There’s still tons more work to be done.


You’re reading Steamed, Kotaku’s page dedicated to all things in and around Valve’s stupidly popular PC gaming service. Games, culture, community creations, criticism, guides, videos—everything. If you’ve found anything cool/awful on Steam, send us an email to let us know.

To contact the author of this post, write to or find him on Twitter @vahn16.



Man, gets me right back to Steam’s unstable years when Steam would have these weird bugs happening all the time and I always thought my account was hijacked or something.

Can’t remember it well (this was probably over 5 years ago) but I think my account was locked down once, which got me in cold sweats thinking I had lost everything... but I got my account back intact after getting in contact with them. Never found out what it really was about.

I’m pretty sure I had a CS:S gameplay time resetted once too... but I dunno what triggered it - hijack, report or whatever. Never cheated in my life.

In any case, it’s been a while I don’t have problems. Then again, I always go for two-factor when available... 77,000 accounts sounds like a huge number, but it’s actually 0.0616% user accounts considering Steam has 125 million users. Not sure how it fairs comparatively with other big services, but it sounds relatively safe.