Cyber Incident Victim: Valve Corporation

Date: Mar 2015

Location: United States of America

Summary

A malicious actor exploited Steam Greenlight's submission system by creating cloned pages of legitimate games, embedding links to trojan malware within the duplicated content. The cloned pages replicated original game assets, including text, screenshots, and videos, to appear authentic while distributing harmful links. The platform removed the malicious links within approximately one day and eliminated the fraudulent pages shortly thereafter. Valve had previously implemented a $100 submission fee to deter low-quality or abusive Greenlight entries, though this measure did not prevent the incident. The attack highlighted vulnerabilities in community-driven content curation systems designed for game concept voting.

Description

In March 2015, a malicious actor exploited structural vulnerabilities in Steam’s Greenlight platform to distribute malware through cloned game listings. Between Sunday, March 22, and Monday, March 23, a user operating under the alias "bluebunny14" replicated five legitimate game pages within Greenlight’s submission system. These cloned pages meticulously copied all original content—including text descriptions, screenshots, and promotional videos—from authentic Greenlight projects but concealed malicious links leading to trojan-infected files. The fraudulent submissions bypassed initial moderation checks, remaining publicly accessible for approximately 24 hours before detection. Valve’s community and internal teams identified the threat through reports from users and external media outlets like Polygon, prompting swift containment measures.

Valve’s incident response involved a two-phase takedown: malicious links embedded in the cloned pages were disabled by early Monday, March 23, and the fraudulent listings themselves were fully removed by that afternoon. Company spokesperson Doug Lombardi publicly acknowledged the incident but did not disclose technical specifics of the malware or the exact number of affected users. The attack highlighted ongoing risks associated with Greenlight’s community-driven submission model, for which Valve had introduced a $100 developer fee in September 2012 to deter low-quality or abusive submissions. While this fee complicated mass account creation for attackers like bluebunny14, it failed to prevent the targeted cloning tactic employed in this incident. No data breaches or secondary compromises of Steam’s core infrastructure were reported, with impacts confined to users who interacted directly with the fraudulent links during their brief availability.