PHP
NillSoon, 2021-08-25 13:01:01

How are databases of large companies hacked?

The question may seem stupid, but how are databases hacked, for example Steam's (https://habr.com/ru/post/421215/)?

Isn't it possible to control SQL with ordinary prepared queries?


2 answer(s)
FanatPHP, 2021-08-25
@NillSoon

They are hacked in the same way as small ones.
The article describes an ordinary SQL injection, where data is substituted directly into the SQL query.

> I just doubt that Valve can hire such people in the backend

No need to doubt.
There are no "special ways to hack".
And there is such a thing as "effective managers", whose bonus size depends on how much money they saved shareholders.
If there were prepared statements, then there would be no hacking.
But instead of prepared statements, large companies have effective managers, who save on normal programmers and order development in India, in the state of Bangalore. There lives some Hamish Kumar, who was born in the caste of scooping shit out of the toilets. And now he has only one chance not to draw shit all his life - by hook or by crook to learn to program, even for food. Compare with a Silicon Valley programmer with requests of $250k per month. The savings are there!
Just in case, let me remind you that for one hundred percent protection against injections, you must always follow two simple rules:
  1. data is substituted into the query only through placeholders
  2. we substitute identifiers and keywords only from the white list specified in our code.

The key word here is "always". As soon as arguments like “well, this data is already safe, you don’t need to protect it” appear, at that moment we add an injection to our site. It should be understood that we are protecting not the data, but the query. We are not interested in the data at all - what it is, where it came from, whether it is "safe" or not. What matters is not where it came from, but where it is going. Into a SQL query? Use prepared statements, period.
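
The two rules from the answer above, as an added example that is not part of the original answer: data goes through a PDO placeholder, while the sort column and direction are accepted only from lists fixed in the code. The `users` table, the `findUsers` function, the constant names and the sample rows are all constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (name, email) VALUES
    ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");

// Rule 2: identifiers and keywords come only from lists fixed in our code.
const SORT_COLUMNS = ['id', 'name', 'email'];
const SORT_DIRECTIONS = ['ASC', 'DESC'];

function findUsers(PDO $pdo, string $name, string $orderBy, string $direction): array
{
    // Placeholders cannot stand in for column names or ASC/DESC, so these
    // two values are matched against the whitelist and rejected otherwise.
    if (!in_array($orderBy, SORT_COLUMNS, true)) {
        throw new InvalidArgumentException('Unknown sort column');
    }
    $direction = strtoupper($direction);
    if (!in_array($direction, SORT_DIRECTIONS, true)) {
        throw new InvalidArgumentException('Unknown sort direction');
    }

    // Rule 1: data reaches the query only through a placeholder.
    $stmt = $pdo->prepare(
        "SELECT id, name FROM users WHERE name = :name ORDER BY $orderBy $direction"
    );
    $stmt->execute(['name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Ordinary lookup with a whitelisted sort column and direction.
var_dump(findUsers($pdo, 'alice', 'id', 'asc'));

// Injection-shaped data is bound as a literal string and only compared
// against the name column; it never becomes part of the SQL text.
var_dump(findUsers($pdo, "' OR '1'='1", 'name', 'DESC'));

// An identifier outside the whitelist is rejected before any SQL is built.
try {
    findUsers($pdo, 'alice', 'id; DROP TABLE users', 'ASC');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```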

zombtron, 2021-08-27
@zombtron

The vast majority of hacks are either a virus attack or social engineering. The rest are no more than 10%.
