Steam Blog - Valve
Recently we walked through our thinking on account security and trading (http://store.steampowered.com/news/19618/) and introduced some new tools for users to protect their accounts. Now that we've had some time to gather data, we'll be making a few more changes to account security, market transactions, and our account restoration process.

Below are the changes that will take place on March 9th. If you are already protected by the Steam Guard Mobile Authenticator (or if you add the security feature to your account today), the first two points below will not impact you:

  • Trade hold duration will be increased to 15 days (for long-time Steam friends the duration will remain 1 day)

  • Listing on the Steam Community Market will have a hold of 15 days before an item can be sold

  • Steam Support will no longer restore items that have left accounts following a successful trade or market transaction (a process that previously created duplicates of original items)


To help understand these changes, we wanted to walk you through the results we've seen so far and our reasoning behind these next steps.

First, it's worth revisiting our goals behind the two main ways customers interact with in-game economies on Steam: Trading and the Steam Community Market. Our primary goal for Trading is to allow customers to easily exchange items with their friends. Our goal for the Steam Community Market is to provide customers with a way to sell any unwanted goods to other players. Both systems work well for these purposes, but they can be a source of pain if the security of your account is ever compromised.

Account and Item Theft


In December we took steps to improve account security by adding more security features, including the Steam Guard Mobile Authenticator and trade holds.

Since then, we've seen lots of users adopting the Steam Guard Mobile Authenticator (two-factor authentication) for trade and market confirmations, and now roughly 95% of daily trades use the mobile authenticator, with trade volumes as high as ever. The authenticator is the best tool that users have to protect their accounts, and the fastest and most secure way to trade items.

Trade Holds


For users who have yet to transition to the Steam Guard Mobile Authenticator, trade holds provide a way to continue to exchange items. Items in a trade hold are held by Steam for a period of time before delivery. This allows users whose accounts have been compromised to quickly cancel any fraudulent trades to recover their items. Trade holds are effective, but unfortunately the current three-day hold fails to protect users who log in less frequently and who need more time to identify a problem. So we'll be adjusting the system to accommodate the majority of customers by increasing trade holds to 15 days.

If you're exchanging items with a friend, and you've been friends for more than a year, don't worry - the trade hold duration is still one day.

Market Holds


Trade holds have been successful, but until now they've been limited to trades. If the Steam Guard Mobile Authenticator was not enabled on a user's account, it was still possible for a hacker to quickly liquidate a user's inventory through the Steam Community Market. To further protect users who haven't enabled the authenticator, holds will now also apply when you list items on the Steam Community Market. Market listings (like trades) will still be instantaneous if you're using the Steam Guard Mobile Authenticator.

Item Duplication


Since the last account security update, we've made significant progress in protecting accounts. In addition to significantly increasing the size of Steam Support to improve response times, individual accounts protected by the Steam Guard Mobile Authenticator on a separate device turned out to be even more effective than we'd hoped. For customers who have yet to add the Steam Guard Mobile Authenticator, trade holds have been helpful in keeping items secure, and we expect that the added duration and extension of holds to the Steam Community Market will further improve security.

Our work isn't finished, but we've seen enough progress in account security to finally address an old problem: item duplication. Currently, if an account is compromised and items have been lost through a successful trade or market transaction, we would manually restore the items, creating duplicates of the original items in the process. That process of manual restoration and duplication has the negative side effect of changing an item's scarcity - as more copies of the item are created, the value of every other similar item is reduced. In addition, it created a method by which users could be rewarded for faking account hijacks.

While we'll continue to assist users with the recovery of their account if they encounter an issue, beginning March 9th we will no longer be manually restoring items that have left the account due to a successful trade or market transaction.

Balance


There's a delicate balance between account security and the convenience of interacting with the market or trade. Any time we make changes, there's the risk of significant disruption. We recognize that today's changes will be inconvenient for users who have yet (or are unable) to use the Steam Guard Mobile Authenticator. But if you're a high volume trader (who our data shows is likely using the authenticator already), or a trader who likes to exchange items with friends, these changes won't really affect you at all. We believe these steps are necessary to ensure that accounts are made more secure, that users are empowered to identify and solve problems, and that the economic systems enjoyed by millions of customers are not compromised by people with malicious intent.

Account security is an issue that affects everyone, and we hope this post has helped to explain our goals and reasoning as we move forward. Please continue to provide your feedback and account security ideas in the Steam forums and elsewhere on the web.
Steam Blog - Valve
The Steam Subscriber Agreement (http://store.steampowered.com/subscriber_agreement/) has some updates for the new year.

The biggest change relates to Valve now selling hardware in the European Union (EU), specifically the Steam Controller and Link. Going forward, our hardware distribution in Europe will be the primary responsibility of our Luxembourg subsidiary, known as Valve SARL. Meanwhile digital content and services in Europe move back under our US company, Valve Corp., just as they were before the Luxembourg office opened in July 2012.

In practice, this changes nothing for our European customers. We will continue to operate with respect to relevant European laws, such as local data and consumer protection, and we'll continue to provide the same services we have for years.

Those who simply want to keep playing their games and are not making a purchase at this time are free to simply ignore the SSA update for now. It only takes effect for users who explicitly confirm it, usually during a new purchase.

A full copy of the updated 2016 SSA is available for viewing here: http://store.steampowered.com/subscriber_agreement/
Steam Blog - Valve
We'd like to follow up with more information regarding Steam's troubled Christmas.

What happened


On December 25th, a configuration error resulted in some users seeing Steam Store pages generated for other users. Between 11:50 PST and 13:20 PST, cached Steam Store responses for about 34k users, some of which contained sensitive personal information, may have been returned to and seen by other users.

The content of these requests varied by page, but some pages included a Steam user’s billing address, the last four digits of their Steam Guard phone number, their purchase history, the last two digits of their credit card number, and/or their email address. These cached requests did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user.

If you did not browse a Steam Store page with your personal information (such as your account page or a checkout page) in this time frame, that information could not have been shown to another user.

Valve is currently working with our web caching partner to identify users whose information was served to other users, and will be contacting those affected once they have been identified. As no unauthorized actions were allowed on accounts beyond the viewing of cached page information, no additional action is required by users.

How it happened


Early Christmas morning (Pacific Standard Time), the Steam Store was the target of a DoS attack which prevented the serving of store pages to users. Attacks against the Steam Store, and Steam in general, are a regular occurrence that Valve handles both directly and with the help of partner companies, and typically do not impact Steam users. During the Christmas attack, traffic to the Steam store increased 2000% over the average traffic during the Steam Sale.

In response to this specific attack, caching rules managed by a Steam web caching partner were deployed in order to both minimize the impact on Steam Store servers and continue to route legitimate user traffic. During the second wave of this attack, a second caching configuration was deployed that incorrectly cached web traffic for authenticated users. This configuration error resulted in some users seeing Steam Store responses which were generated for other users. Incorrect Store responses varied from users seeing the front page of the Store displayed in the wrong language, to seeing the account page of another user.

Once this error was identified, the Steam Store was shut down and a new caching configuration was deployed. The Steam Store remained down until we had reviewed all caching configurations, and we received confirmation that the latest configurations had been deployed to all partner servers and that all cached data on edge servers had been purged.
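The failure mode described above is a shared cache keyed on the URL alone. The following is an added example (not Valve's configuration or code; the caching partner's actual rules are not public) that models the two symptoms the post names, one user receiving another's account page and visitors receiving the front page in the wrong language, beside the rules a correct edge configuration applies. The origin, session cookies, user data and paths are constructed.

```python
from dataclasses import dataclass


@dataclass
class Request:
    path: str
    headers: dict


@dataclass
class Response:
    body: str
    headers: dict


# Constructed sessions standing in for logged-in store users.
SESSIONS = {"sess-alice": "alice@example.com", "sess-bob": "bob@example.com"}


def origin(req: Request) -> Response:
    """Toy origin: a per-user account page and a localised front page."""
    cookie = req.headers.get("Cookie", "")
    session = cookie[len("session="):] if cookie.startswith("session=") else ""
    if req.path == "/account":
        email = SESSIONS.get(session)
        if email is None:
            return Response("login required", {"Cache-Control": "no-store"})
        # The origin already says this must not be shared; the edge has to honour it.
        return Response(f"account page for {email}",
                        {"Cache-Control": "private, no-store"})
    lang = req.headers.get("Accept-Language", "en")
    return Response(f"front page [{lang}]",
                    {"Cache-Control": "public, max-age=60",
                     "Vary": "Accept-Language"})


def cache_directives(resp: Response) -> set:
    raw = resp.headers.get("Cache-Control", "")
    return {d.strip().lower() for d in raw.split(",") if d.strip()}


class Edge:
    """Shared cache in front of the origin.

    strict=False keys every response by URL alone and ignores Cache-Control and
    Vary, the shape of the misconfiguration described above. strict=True applies
    the three rules a CDN cache must follow for a site with logged-in users.
    """

    def __init__(self, strict: bool):
        self.strict = strict
        self.store = {}  # path -> list of (vary_values, response)

    def fetch(self, req: Request) -> Response:
        authenticated = "Cookie" in req.headers or "Authorization" in req.headers
        # Rule 1: a request carrying credentials never reads or writes the shared cache.
        if self.strict and authenticated:
            return origin(req)
        for vary_values, cached in self.store.get(req.path, []):
            # Rule 2: a hit must match every header the origin listed in Vary.
            if not self.strict or all(req.headers.get(h) == v for h, v in vary_values):
                return cached
        resp = origin(req)
        # Rule 3: never store what the origin marked private/no-store or that sets a cookie.
        if self.strict and (cache_directives(resp) & {"private", "no-store"}
                            or "Set-Cookie" in resp.headers):
            return resp
        vary_names = [h.strip() for h in resp.headers.get("Vary", "").split(",") if h.strip()]
        vary_values = tuple((h, req.headers.get(h)) for h in vary_names) if self.strict else ()
        self.store.setdefault(req.path, []).append((vary_values, resp))
        return resp


def replay(strict: bool) -> dict:
    """Alice and an English visitor populate the cache; Bob and a German visitor come next."""
    edge = Edge(strict)
    edge.fetch(Request("/account", {"Cookie": "session=sess-alice"}))
    edge.fetch(Request("/", {"Accept-Language": "en"}))
    bob = edge.fetch(Request("/account", {"Cookie": "session=sess-bob"})).body
    de = edge.fetch(Request("/", {"Accept-Language": "de"})).body
    return {"bob_sees": bob, "german_visitor_sees": de}


if __name__ == "__main__":
    print("misconfigured:", replay(strict=False))
    print("corrected:   ", replay(strict=True))
```

The corrected edge applies three rules: requests carrying a Cookie or Authorization header bypass the shared cache entirely; responses marked private or no-store (or carrying Set-Cookie) are never stored; a cache hit must match every header the origin lists in Vary. Bypassing on Cookie alone is coarse, but it is the one rule that would have prevented the account-page leak even if the other two were wrong, which makes it the rule to verify first when caching rules are being changed under pressure during an attack.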

We will continue to work with our web caching partner to identify affected users and to improve the process used to set caching rules going forward. We apologize to everyone whose personal information was exposed by this error, and for interruption of Steam Store service.
Dec 9, 2015
Steam Blog - Valve
Recently we've seen the community have a good discussion about the pros and cons of trade holds. We thought we'd walk through how we decided to implement them, in the hopes that it helps you understand why they're absolutely necessary.

Compromised accounts and item theft


Account theft has been around since Steam began, but with the introduction of Steam Trading it has increased twenty-fold and become the number one complaint from our users. Having your account stolen, and your items traded away, is a terrible experience, and we hated that it was becoming more common for our customers.

Once an account was compromised, the items would be quickly cleaned out. They'd then be traded again and again, eventually being sold to an innocent user. Looking at their account activity, it wasn't too hard to figure out what happened, but undoing it was harder because we don't want to take things away from innocent users. We decided to err on the side of protecting them: we left the stolen goods, and we created duplicates on the original compromised account to replace them. We were fully aware of the tradeoff here. Duplicating the stolen items devalues all the other equivalent items in the economy. This might be fairly minor for common items, but for rare items this had the potential to significantly increase the number in existence.



The number of hijacked accounts continues to grow


This was an unacceptable status quo and we needed to address it. In revisiting our strategy to stop it, we found two things of note.

First, enough money now moves around the system that stealing virtual Steam goods has become a real business for skilled hackers. Second, practically every active Steam account is now involved in the economy, via items or trading cards, with enough value to be worth a hacker's time. Essentially all Steam accounts are now targets.

The "I got hacked" story is told so frequently it's become commonplace. And that makes it easy to forget its significance: compromised security of email accounts and PCs, Steam account violation, and theft. We used to hold the opinion that if you were smart about account security, you'd be protected--it's easy to assume that users whose accounts were stolen were new or technically naïve users who must be sharing their passwords or clicking on suspicious links. That's simply not the case.

What used to be a handful of hackers is now a highly effective, organized network, in the business of stealing and selling items. It would be easier for them to go after the users who don't understand how to stay secure online, but the prevalence of items makes it worthwhile to target everyone. We see around 77,000 accounts hijacked and pillaged each month. These are not new or naïve users; these are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It's a losing battle to protect your items against someone who steals them for a living.

We can help users who've been hacked by restoring their accounts and items, but that doesn't deter the business of hacking accounts. It's only getting worse.



How we can stop it


We've worked to improve account security features, closed loopholes, improved how and when we message users that their account is at risk, added self-locking, and created the Steam Guard Mobile Authenticator (two-factor authentication).

Two-factor authentication is the use of a separate device to confirm your identity. The security of this system is based on moving that step from your PC to a device a hacker can't access, such as your smartphone. PCs can be easily compromised, therefore a PC-based authenticator would not provide better security than a password or email authentication.

We needed to create our own two-factor authenticator because we need to show users the contents of the trade on a separate device and have them confirm it there. Requiring users to take a code from a generic authenticator and enter it into a hijacked PC to confirm a trade meant that hackers could trick them into trading away items they didn't intend to. This basically made it impossible to use a generic third party authenticator, such as Google Authenticator, to confirm trades.
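To make that distinction concrete, here is an added example (not Steam's protocol or the Steam Guard implementation) contrasting a generic RFC 6238 TOTP code, which proves only that the user holds the device, with a confirmation token computed on the separate device over the exact trade it displayed. The shared secret, trade records, timestamp and item names are constructed.

```python
import hashlib
import hmac
import json
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme generic authenticator apps implement."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_accepts_totp(trade: dict, code: str, secret: bytes, unix_time: int) -> bool:
    """Generic 2FA: the code proves the user holds the device but says nothing
    about *which* trade it approves, so whatever the PC submits alongside a
    fresh code goes through. `trade` is deliberately unused."""
    return hmac.compare_digest(code, totp(secret, unix_time))


def canonical(trade: dict) -> bytes:
    return json.dumps(trade, sort_keys=True, separators=(",", ":")).encode()


def device_confirm(trade_shown: dict, intended: dict, secret: bytes):
    """The separate device displays the trade the server actually holds. The
    user compares it with what they meant to do; only then is a token produced,
    and the token is a MAC over exactly the trade that was displayed."""
    if trade_shown != intended:
        return None  # user sees the wrong recipient or items and declines
    return hmac.new(secret, b"trade-confirm|" + canonical(trade_shown),
                    hashlib.sha256).hexdigest()


def server_accepts_bound(trade: dict, token, secret: bytes) -> bool:
    if token is None:
        return False
    expected = hmac.new(secret, b"trade-confirm|" + canonical(trade),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token)


def scenario() -> dict:
    """Malware on the PC swaps the recipient before the trade reaches the server."""
    secret = b"constructed-per-account-secret"  # provisioned when the authenticator was added
    intended = {"id": 1, "give": ["Strange Rocket Launcher"], "to": "friend"}
    tampered = dict(intended, to="attacker")    # what the hijacked PC actually submits
    now = 1_449_619_200                          # constructed timestamp

    # Generic authenticator: the user reads a fresh code off the phone and types it
    # into the PC; malware attaches it to the tampered trade.
    code = totp(secret, now)
    generic = server_accepts_totp(tampered, code, secret, now)

    # Content-bound confirmation: the server pushes the trade it holds (tampered)
    # to the phone, so the user sees "to: attacker" and declines.
    bound_live = server_accepts_bound(tampered, device_confirm(tampered, intended, secret), secret)

    # Replay: a token the user legitimately produced for the intended trade
    # cannot be reused to approve the tampered one.
    earlier_token = device_confirm(intended, intended, secret)
    bound_replay = server_accepts_bound(tampered, earlier_token, secret)
    bound_honest = server_accepts_bound(intended, earlier_token, secret)

    return {"generic_2fa_accepts_tampered": generic,
            "bound_accepts_tampered": bound_live,
            "bound_accepts_replayed_token": bound_replay,
            "bound_accepts_intended": bound_honest}


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The point is in `scenario()`: a fresh TOTP code approves whatever trade the PC submits, so malware that swaps the recipient wins, while a content-bound token is valid only for the trade the phone displayed, and the phone displays the trade the server actually holds, so the swap is visible to the user and a token from the intended trade cannot be replayed against the tampered one. A production scheme would additionally bind the token to a per-trade nonce and hold the signing key on the device rather than share it with the server; both are omitted here.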



Here's the tradeoff


At this time, most people have not protected their account with this increased level of security. Many don't believe that they are actually a worthwhile target for a hacker who's out to make money. Some felt they were smart enough about security to not need two-factor authentication. And other users knew they needed it, but couldn't use it due to reasons beyond their control, like not having access to a mobile phone.

So what if, instead of trying to prevent hackers from stealing a Steam account that hasn't enabled two-factor authentication, we tried removing their ability to profit from the theft? If hackers couldn't move the stolen goods off the hacked account, then they couldn't sell them for real money, and that would remove the primary incentive to steal the account. Hackers fundamentally rely on trading to offload stolen goods. The Steam Community Market doesn't work well for that purpose, because purchases can't be moved around as quickly (purchased items can't be traded for 7 days), and they can't ensure the items move to an account they control.

One option proposed was to simply remove trading. The Steam Market already accounted for the vast majority of virtual goods exchanged by Steam users. We even generate revenue off those transactions, which helps cover the cost of fraud, unlike person-to-person trades. And removing trading was by far the easiest solution to implement. But we felt that was a bad choice for users. Another easy choice would have been to require two-factor authentication for trading, but that's bad for the same reasons as removing it entirely. It's important that you can give a friend a TF2 weapon when he comes to try out the game, or give a friend the last trading card she needs to craft a game badge.

We felt that two-factor authentication was secure enough that it would protect anyone who enabled it, so the problem was the accounts that couldn't enable it (e.g. no mobile phone access). In the end, we arrived at the changes we're deploying today:

  • Anyone losing items in a trade will need to have a Steam Guard Mobile Authenticator enabled on their account for at least 7 days and have trade confirmations turned on. Otherwise, items will be held by Steam for up to 3 days before delivery.

  • If you've been friends for at least 1 year, items will be held by Steam for up to 1 day before delivery.

  • Accounts with a Mobile Authenticator enabled for at least 7 days are no longer restricted from trading or using the Market when using a new device since trades on the new device will be protected by the Mobile Authenticator.


This means that anyone using the Steam Guard Mobile Authenticator to confirm trades is able to continue trading as always. Users who haven't enabled it, or can't, can still trade, but they'll have to wait up to 3 days for the trade to go through. This gives both Steam and users the time to discover their accounts have been hacked and recover it before the hackers can steal their items.
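As an added illustration (not Steam's trade or escrow code), the following models the hold rules listed above together with the 15-day default and the Market listing hold introduced in the March 9th post at the top of this page, and shows why the hold length matters: a hijacked trade can only be cancelled while it is still held. Account data, dates and item names are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Account:
    name: str
    authenticator_since: Optional[datetime] = None    # when the mobile authenticator was enabled
    trade_confirmations: bool = False
    friends_since: dict = field(default_factory=dict)  # friend name -> datetime


@dataclass
class HoldPolicy:
    default_hold: timedelta                          # 3 days in the rules above, 15 days from March 9th
    friend_hold: timedelta = timedelta(days=1)       # friends for at least a year
    authenticator_age: timedelta = timedelta(days=7)
    friendship_age: timedelta = timedelta(days=365)

    def protected(self, acct: Account, now: datetime) -> bool:
        return (acct.authenticator_since is not None
                and acct.trade_confirmations
                and now - acct.authenticator_since >= self.authenticator_age)

    def trade_hold(self, sender: Account, recipient: Account, now: datetime) -> timedelta:
        if self.protected(sender, now):
            return timedelta(0)
        since = sender.friends_since.get(recipient.name)
        if since is not None and now - since >= self.friendship_age:
            return self.friend_hold
        return self.default_hold

    def listing_hold(self, seller: Account, now: datetime) -> timedelta:
        # Market listings: instant with the authenticator, otherwise the full default hold.
        return timedelta(0) if self.protected(seller, now) else self.default_hold


@dataclass
class Trade:
    sender: Account
    recipient: Account
    items: list
    deliver_at: datetime
    state: str = "held"   # held -> delivered | cancelled


class Escrow:
    def __init__(self, policy: HoldPolicy):
        self.policy = policy
        self.trades = []

    def submit(self, sender: Account, recipient: Account, items, now: datetime) -> Trade:
        hold = self.policy.trade_hold(sender, recipient, now)
        state = "delivered" if hold == timedelta(0) else "held"
        trade = Trade(sender, recipient, list(items), now + hold, state)
        self.trades.append(trade)
        return trade

    def settle(self, now: datetime) -> None:
        """Deliver every held trade whose window has elapsed (a timer job in practice)."""
        for t in self.trades:
            if t.state == "held" and now >= t.deliver_at:
                t.state = "delivered"

    def cancel(self, trade: Trade, by: Account, now: datetime) -> bool:
        """Either party can cancel, but only while the items are still held."""
        if trade.state != "held" or by not in (trade.sender, trade.recipient):
            return False
        self.settle(now)
        if trade.state != "held":
            return False   # the window had already closed
        trade.state = "cancelled"
        return True


def hijack_outcome(hold_days: int, noticed_after_days: int,
                   victim_has_authenticator: bool = False, friends_for_days: int = 0) -> str:
    """A hijacker trades the victim's items to a mule account at day 0; the
    victim regains access and tries to cancel after `noticed_after_days`."""
    t0 = datetime(2015, 12, 9)   # constructed
    victim = Account("victim", trade_confirmations=victim_has_authenticator,
                     authenticator_since=t0 - timedelta(days=30) if victim_has_authenticator else None)
    mule = Account("mule")
    if friends_for_days:
        victim.friends_since["mule"] = t0 - timedelta(days=friends_for_days)
    escrow = Escrow(HoldPolicy(default_hold=timedelta(days=hold_days)))
    trade = escrow.submit(victim, mule, ["Karambit"], t0)
    escrow.cancel(trade, victim, t0 + timedelta(days=noticed_after_days))
    return trade.state
```

`hijack_outcome(3, 5)` returns "delivered": with a three-day hold, a victim who only logs in five days later is too late, which is the case the March post cites for moving the default to 15 days, where `hijack_outcome(15, 5)` returns "cancelled". An account that has had the authenticator enabled for a week trades instantly, so for it the trade is exactly as safe as the confirmation on the phone, which is the reason the confirmation has to show the trade's contents.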



A difficult balance


Once again, we're fully aware that this is a tradeoff with the potential for a large impact on trading. Any time we put security steps in between user actions and their desired results, we're making it more difficult to use our products. Unfortunately, this is one of those times where we feel like we're forced to insert a step or shut it all down. Asking users to enter a password to log into their account isn't something we spend much time thinking about today, but it's much the same principle - a security cost we pay to ensure the system is able to function. We've done our best to make the cost as small as possible, for as few people as possible, while still retaining its effectiveness.

Hopefully this post has given you some insight into the problem, and why we've taken this approach. As always, we'll continue to read the community's discussions throughout the Steam forums and the web at large, and we look forward to hearing your thoughts.
Steam Blog - Valve
We've seen a lot of Steam users lose access to their Steam accounts. Most often it’s because an attacker has compromised a user's email account. That email account can then be used to change the password and email address on that user's Steam account, blocking access to their games and items.

There are several methods attackers use that are hard to combat: malware in the guise of other programs like a ‘TeamSpeak update or missing audio codec’ or a ‘CS:GO weapon upgrader!’, malware disguised as images and screenshots, identifying users who reuse passwords on their Steam and email accounts, or via an exploit in their web browser or operating system.

It's a complicated situation and even very sophisticated Steam users can fall victim. Any Steam user who has made a purchase or earned a trading card has value in their account and should use these new features to protect it and all the time invested.

Account recovery with a phone number



By associating a phone number with your Steam Account you can easily regain access if:
  • You forget your password
  • You lose access to your email account
  • You get a new smartphone or lose your mobile authenticator
  • Your account is compromised
Steam can send you a text message to get you back into your account.


Steam Mobile Authenticator through the Steam Mobile app



Using the Steam Mobile app on iOS or Android, you can:
  • Confirm log ins to your Steam account
  • Confirm trades
  • Confirm Community Market listings

Using a second device (two-factor authentication) makes it very difficult for an attacker to access your account, even if they obtain your password, without physical access to your mobile device.


You can manage your Account Security and phone number anytime from your Account Details page.
Jun 2, 2015
Steam Blog - Valve
We're releasing a major update to how we handle requests for refunds for purchases on Steam. You can read through all the details about refunds on Steam here, or visit http://help.steampowered.com if you're having trouble with a purchase. We hope this will give you more confidence in trying out titles that you're less certain about.

Let us know what you think.
...