Hello everyone. I bring some unfortunate news today. Yesterday, Christmas Day, at roughly 12:30 PM Eastern time, we experienced a security breach. At roughly 1:20 PM, that breach allowed a malicious upload to overtake our game on Steam's library. Our Steam and Discord accounts were hijacked, and though the Steam accounts were able to be recovered late in the evening, we were limited in our ability to warn or communicate immediately following the breach.
Given the scope of this project (a non-commercial free mod), I would honestly not judge them harshly for a much poorer response. It’s not their job; if they took a couple days to notice during the holiday season, then weren’t able to say much more than “we think you’re fucked if you have this mod installed”, a lot of harm might be done, and they’d definitely see a lot of criticism, but I’d understand. For a small team that don’t do security, especially one who aren’t even selling their product, getting hacked has the potential to be extremely overwhelming, and you very possibly don’t have the expertise or resources to investigate properly.
Instead, they put a bunch of real companies to shame. (Some of those companies have breaches that are a lot more complex in scope, but still.)
Yup, I 100% agree. I absolutely take the size of the org, the risk to me (e.g. medical info is more impacted than game playtime), and how much I paid into account when evaluating a response.
This was a way better response than I could ever hope for from such a project.