77,000 Steam accounts get hijacked every month, so Valve’s getting tough with traders

As the game industry grows, so does the criminal element within it.

Valve says that hackers hijack and pillage more than 77,000 accounts on its Steam digital platform every month. And these aren’t just accounts belonging to new or naive users — they’re professional gamers, Reddit users, and item traders, according to a recent Steam blog post. Valve says that hacking is more widespread now that most users are involved in Steam’s virtual economy in some way, holding virtual items and trading cards that can be traded or sold (for Steam Wallet funds or even real money).

Valve didn’t share any financial details around these cybercrimes, but it did say that “enough money now moves around the system that stealing virtual Steam goods has become a real business for skilled hackers.” A recent report claimed that hackers cost companies around $400 billion globally every year.

In order to combat this hijacking issue, Valve introduced new security measures earlier this year, including two-factor authentication that requires a second device (like a smartphone) to authenticate an account. But not everyone has signed up to this Steam Guard Mobile Authenticator, so Valve has now introduced restrictions on item trading for anyone not using it.

Anyone losing items in a trade will now need to have the Steam Guard Mobile Authenticator enabled on their account for at least seven days and have trade confirmations turned on. Otherwise, items will be held by Steam for up to three days before delivery. If you’re trading with a friend of at least one year, items will be only be held by Steam for up to one day.

Valve realizes that this change will likely have a big impact on an item-trading community, which is used to the convenience of instant trades, but it says “this is one of those times where we feel like we’re forced to insert a step or shut it all down.”

So item trading goes on, but it’ll be a much slower process for anyone not using the Steam Guard Mobile Authenticator.

“Asking users to enter a password to log into their account isn’t something we spend much time thinking about today, but it’s much the same principle — a security cost we pay to ensure the system is able to function,” says Valve. “We’ve done our best to make the cost as small as possible, for as few people as possible, while still retaining its effectiveness.”