Valve Says ‘Practically Every Active’ Steam Account Is Worth A Hacker’s Time

In a lengthy missive outlining the reasoning behind the introduction of trade holds on the Steam marketplace, Valve has revealed the number of accounts that are subject to pirates and hackers, and it’s a fair amount.

According to the corporation, approximately 77,000 accounts are “hijacked and pillaged” every month by people looking to gain access to others’ inventories. It’s a figure that continues to grow every month, Valve says, and it doesn’t help that users think they are more secure than they are.

“First, enough money now moves around the system that stealing virtual Steam goods has become a real business for skilled hackers,” Valve wrote. “Second, practically every active Steam account is now involved in the economy, via items or trading cards, with enough value to be worth a hacker’s time. Essentially all Steam accounts are now targets.”

To put that in perspective, consider that the peak number of concurrent Steam users in the last 24 hours was just under 10.4 million, and at the time of writing there are 6.915 million users actively on Steam. And it’s not just people signing up for the first time who are getting targeted, either. “These are not new or naïve users; these are professional CS:GO players, reddit contributors, item traders, etc,” Valve stressed.

“Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It’s a losing battle to protect your items against someone who steals them for a living.”

The interesting element of this is that despite Valve introducing two-factor authentication earlier this year, many Steam users “don’t believe that they are actually a worthwhile target for a hacker who’s out to make money”. And that’s where the logic behind trade holds came in: to profit, hackers depend on moving goods quickly, before their target notices.

“So what if instead of trying to prevent hackers from being able to steal a Steam account that hasn’t enabled two-factor authentication, we tried removing their ability to profit from the theft. If hackers couldn’t move the stolen goods off the hacked account, then they couldn’t sell them for real money, and that would remove the primary incentive to steal the account.”

So to properly enshrine this, Steam is enacting the following changes to trades:

Anyone losing items in a trade will need to have a Steam Guard Mobile Authenticator enabled on their account for at least 7 days and have trade confirmations turned on. Otherwise, items will be held by Steam for up to 3 days before delivery.
If you’ve been friends for at least 1 year, items will be held by Steam for up to 1 day before delivery.
Accounts with a Mobile Authenticator enabled for at least 7 days are no longer restricted from trading or using the Market when using a new device since trades on the new device will be protected by the Mobile Authenticator.

If you’ve loaded up Steam at any point in the last several weeks, you’ll have seen the front-page notification telling you to get the mobile app for two-factor authentication. If you’ve got it, then you can trade as per normal. “Users who haven’t enabled it, or can’t, can still trade, but they’ll have to wait up to 3 days for the trade to go through,” Valve wrote.

Introducing an extra barrier between users and trading is undoubtedly going to upset a few apples in the cart, but with the spate of people complaining about losing whole inventories of items worth thousands, even tens of thousands of dollars, it’s not a surprise. To Valve, these steps are the evolution of asking people to enter a password: it’s the price of entry you pay for the convenience and access of a Steam account.


  • I’d be surprised if my item inventory was worth $2. I don’t collect the cards, sell them for a few cents to put towards my next Steam game and I don’t play CS:GO despite owning it.

  • Well, they don’t currently have an authenticator app for Windows Phone, so I guess I’m out of luck, not gonna attempt to use the third party ones

  • The mobile app doesn’t work on my Android phone. Just comes up with a blank screen. I have got two-factor via email though, does that count?

  • It’d be nice if they let you use third party authenticator apps rather than forcing the use of the Steam mobile app. I’ve got all my other 2FA tokens loaded up in Google Authenticator, and having these secrets managed by a dedicated app rather than one that embeds a web browser and chat client seems like a more secure option.
