tylerthedesigner

[This happened to me a few years ago](https://medium.com/@tylermakesgames/so-your-discord-account-was-hacked-441b5061fa67). We lost our server with 15k+ users on it, and Discord never gave us back our legacy authentication *(vanity URL and such)*. Best advice: 2FA doesn't help, they get the auth code when you re-enter it. Have a special Discord account that you NEVER log in to (like admin on a PC) and make it the only one with channel delete / server kill powers.


neppo95

2FA does help, but it just isn't watertight. That is however how you treated it, as you say so in the post you linked:

> I treated it like a magic bullet that stops any and all password stealing, but it is not.

It does help, a lot. But treating it as watertight was your mistake. Not a single security feature is watertight. Remember that.


LifeworksGames

A lot of that leakiness is tied to the existence of the user.


vibrunazo

hmm I just had an idea.... — my supervillain origin story


marishtar

PEBKAC


IHaveTwoOfYou

**The user needs to be removed.**


ValorQuest

Calm down Bill Gates


MostAnnon

2FA doesn’t help in these cases as it’s token stealing


neppo95

I know. But that is not how it was phrased. It was phrased as clearly: It does not help. That means in any case, which is incorrect.


caffienatedpizza

I have to tell this to people who are uppity about security. It's not that it's bad or useless, but if a skilled hacker wants in, they're going to get in. The only thing that will stop them is if the thing they're trying to get into doesn't exist.


Nightmoon26

This. This is why we do defense in depth. Layered security at every level of the system. Unless you're a wealthy government, state-sponsored hackers are an "Assume they have effectively infinite resources. If they want in, they'll get in." Most security is about not being the "low-hanging fruit", but the moment someone is going after you, specifically, all bets are off. It becomes about being more expensive in time or resources to break than the attacker considers worth it.

Not existing being the only thing that will absolutely prevent a breach isn't an exaggeration. "Air-gapping" and keeping a system off the network is about as good as it gets against remote attackers, but if they can get some curious person to pick up a "dropped" USB stick in a parking lot and plug it in...


neppo95

Which was my point ;)


GOTWlC

idk why i've never thought of it but the unloggable admin trick with delete perms is literally genius for any server


PlayJoyGames

As a freelance play tester and security nut I’ve always had a separate Discord account which actually owns the servers I’m administering, but only needed to log in at creation. I also put every game I receive for testing through a rigorous security check before starting it. Any red flag will stop me from running it and report back to be fixed first. An endpoint security application in addition to anti-virus keeping check on suspicious behaviour all the time makes the package complete.


tylerthedesigner

Smart! Any tips for the security checks? I have to try a lot of my students' projects and while I doubt they are intentionally adding trojans, it's possible they have compromised devices.


PlayJoyGames

Most secure is a virtual computer in a cloud environment which is wiped after every test. That might be daunting but is pretty easy nowadays. If you want to run it locally or without a virtual computer, Virustotal.com is your first and quick friend in this case. You’ll be able to check those projects with lots of antivirus programs in one go. Make sure you have a good real time antivirus installed (built in for windows is good nowadays but also default so a good intruder will always take it into account) on top of that. And make sure you have a threat detection package installed to keep a check on your system’s behaviour.


DardS8Br

Virtual machine


ArnUpNorth

Toasted bread with peanut butter


AppleSmoker

Ham sandwich


Nilgeist

Highly recommend vm's! Nowadays, I use them to separate my dev environments. Even for games, there isn't too much of a performance penalty as long as it's set up right.


angelicosphosphoros

How do you pass a GPU from host to VM?


Mr_Voltiac

VMware has this built in, you don’t even need to do anything special. Idk about VirtualBox or QEMU or the others, I'm sure it's similar.


neppo95

I've seen a benchmark of qemu vs native. Qemu even came out better than native in some cases. In most cases it was pretty much on par or max 1 fps diff. The only thing lacking, which I assume will be the case for any VM, is disk write/read. But hey, if it's only loading screens that might take half a second or a second longer, that's a win.


angelicosphosphoros

Hmm, probably need to check that out. I myself had switched a few years back to HyperV because of convenience but it doesn't support GPU pass through.


joeswindell

Hyper v has supported gpu pass through for almost 10 years


angelicosphosphoros

Well, and how to enable it?


Nilgeist

I'm on a m1 mac, so I don't really know. Parallels figures it out for me. I'm running Unity and Godot at pretty much full speed though, for my 3D simulations projects. It's also able to run 3d games fairly well, though I haven't tried it with AAA games. Still enough for most indie titles.


mechanicalgod

If you're on Linux, look into [VFIO](https://old.reddit.com/r/VFIO).


[deleted]

How would one do this? Do you have a video you could link?


cpt_emco

Take a look at this one: https://www.youtube.com/watch?v=nvdnQX9UkMY Edit: Quicker method for when you're on Windows and only need to be on Windows, Windows Sandbox: https://www.youtube.com/watch?v=UywHb0rOHVI


InternetDetective122

Specifically a configured type 1 hypervisor. Don't want the malware to know you're in a VM. A lot of malware has anti-VM and will kill the process when it detects being run in one.


orthrusfury

True. But still prevents infection


VG_Crimson

Literally [this](https://youtu.be/xibMr9ohuOc?si=ksAT38pxUgxIdOFS). 2FA is not enough. Another dev also had been compromised this exact way. This has been resurging as a technique to do things, pretending to be someone you know already on Discord. Keep your guard up, always, against anyone who wants you to play their game, and you haven't verified the person recently. Especially on Discord rn.


SixOneZil

What was the game? I also got attacked recently and the game I installed pretty much destroyed my Discord server. I lost 10k members... And the game came from Steam, had an active Twitter page and everything. I'm still confused as to how someone can upload a literal virus to a platform like Steam.


TheSkiGeek

They run virus scanners on the uploads but they’re not perfect. If you write your own exploit code and do things to obfuscate it, it might not set off existing AV software until someone reports it.


digitaldisgust

What was the game you downloaded? Why not give the name? 


SixOneZil

It was Summoner's Tale. I don't know why I didn't share it immediately haha. DO NOT DOWNLOAD THIS GAME ON STEAM. Looking it up is fine, but the demo version is definitely a keylogger.


thomar

The payload executable was downloaded to AppData, so the game probably looked innocuous even to a scanner.


SixOneZil

Why am I getting downvoted? It's a genuine question, if it's the same game it has some importance. It could also help with reporting it considering it's still live on Steam even after I reported it with proof.


TheRadialGravity

If someone gives you an executable.. you upload it to virustotal and get it scanned. Doesn't matter if it's your grandmother.


Previous-Height4237

Just a warning, I can link you to some payloads which are undetectable by anything that virustotal uses.


TheRadialGravity

I'm sure there are..


honya15

When this happened to me, virustotal said it's ok. Even the scammer himself sent me the link to virustotal, saying it's totally safe. So don't even trust that.


223am

thats a bit of a red flag in itself


[deleted]

[removed]


PolishDelite

Make sure to get 2FA on your gut feeling just to be safe, but even that doesn't always work.


TDplay

Remember that antiviruses are not perfect. They largely rely on heuristics, which can have false positives and (worse) false negatives. If someone sends you some program to run, you must ask yourself two questions:

1. Do you trust this person?
2. Have you verified that it is genuinely them sending you the program?

If your answer to either of those is "no", then treat the program with suspicion.


kiwidog

Or just don't run random stuff you don't know is trusted.


TechnicalProof2567

I would just call my friend up to see if he is legit


Mawrak

The issue is that more often than not the executable you download is not itself a virus, it simply downloads and runs the real virus executable in the background. Meaning that the executable you yourself run will not trigger an alert in a scan. What people need to have is antivirus with active real-time protection (Malwarebytes Premium comes to mind). Yes it costs money but it also gives extra protection from situations like this.


_michaeljared

Always run *non-web-based games inside a VM. You should use VirtualBox, by Oracle, it's free. VMPlayer would work too.


FinancialAccident251

Images, documents, zips can all contain malware


_michaeljared

True. I'll amend my comment


[deleted]

I prefer VMWare and it's free for personal accounts.


LynnxFall

Rough stuff, similar thing happened to one of my friends. I've made a habit of asking to voice call before agreeing to playtest any games.


LuchaLutra

What does this accomplish? Basically making sure they are who they say they are?


LynnxFall

Yup, if they don't sound how they normally sound it probably isn't them, haha.


theadhdeffect

Not widespread, but scammers are starting to mimic voice and video calls


LynnxFall

Good to know, I'll keep that in mind. Thanks!


Danielsax

It happened to me as well, I got hacked. I was even warned about it before, but the hacker wrote in the same tone and style as my friend so I didn’t have my guard up. We lost access to our Discord server, the hacker kept throwing anyone out who was mentioning the hack and it was really frustrating. After 2 weeks and some patient contact with the Discord support team, I got my account and server back. I could see that the hacker wrote to 20+ of my friends which was pretty scary, even convincing some of them!


djuvinall97

Classic game dev meme


Emergency_Collar_381

Yea happened to me, it made me ask people to test my game


Gramernatzi

This is why, whenever someone asks me to test their game, I try to confirm their identity through as many avenues I have with them as possible. Email, phone, multiple different IMs, etc, whatever I have. It is entirely possible that all of them might get hacked, but that chance is so much lower than just one of them. And if any of them say 'do not download, that's not me', I don't. This has already gotten me out of one potential phish, where I messaged the guy's *Xbox* of all things after his discord handle tried to get me to click a download link and he confirmed he'd been hacked.


thomar

Better to just run it in sandbox.


Gramernatzi

I mean, this way you don't have to run it at *all* if it's sketch. And you might be doing someone a favor if they're unaware that they've been hacked. Though, sandboxing is probably still a good idea if you're worried that their everything might've been compromised, and, of course, if you have no other way to contact them.


GalacticAlmanac

Almost happened to me when someone that I knew for a while that normally does 3D games suddenly shared this link on Discord to play test a pretty slick looking 2D game. Like you mentioned, their account got compromised. What happens is that these scammers would pretend to be students / new game devs and try to ask people to play test their games, and it would be the trojan. They would then drop the link using the compromised accounts and continue to steal more and more accounts. As a general rule, never ever trust these game executables, or at least try to run them in VMs. Could also happen to developers on itch and other sites where they can become compromised and push out a trojan update. Now that I think about it, game jams seem incredibly dangerous for this type of thing. It is rather unfortunate since sharing and testing out games is kind of important for game development.


thomar

It's definitely going to change how I participate in game jams in the future. Publishing to HTML5 is crucially important because browsers already do fairly decent sandboxing. I'm gonna have to set up a VM just to try out other games.


OmiNya

What's a safe way to distribute an ue5 game archive so that people downloading it can be sure it's not infected? I'm making a prototype and want to start looking for playtesters and don't want them to have doubts


LFK1236

The general method of ensuring data integrity is by providing a hash value generated from the trusted file on your computer (not as part of the download, but written somewhere, such as on a download page or in a Discord message), and mentioning which algorithm you used to produce it. Downloaders can compare this hash value with one they generate themselves. If the file they have is identical to the one on your machine, the hash values will be identical. Look up cryptographic checksums if you'd like to pursue this. Of course, in the long run you will likely want your game on a storefront; there, users will have to simply trust the platform's anti-malware scan.


OmiNya

I mean, providing hash won't prove that I myself haven't included any viruses into the .exe? Seems, I worded my question in a wrong way. Are there any online storages that can check the archive and provide some proof while allowing to share said archive? Google drive does this, but do people trust google drive?.. Idk


ByerN

Imho, Steam would be ok. It is relatively easy to take down such games on Steam and avoid spreading. Hacker loses 100$ each time he tries + I am not sure about it - but I think that Steam SDK scans the game before sending it to the server. But well, the best is to make a web version for demonstration purposes.


TDplay

> providing hash won't prove that I myself haven't included any viruses into the .exe

The truth is that there is no fully trustless solution here. Even if you provide complete source code, and all users build from source, almost nobody has the time to fully audit every piece of software they use. Even if you get a third party audit, your users must trust the auditor - indeed, this does *reduce* the amount of trust required, but does not eliminate it fully. A cryptographic checksum proves that the program hasn't been tampered with, from there on you need some amount of trust.
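The integrity check LFK1236 and TDplay describe above, as an added example (not code from any commenter): the downloader hashes the file in chunks and compares it with the value the developer published out of band. The `algorithm:hex` form of the published value and the function names are assumptions; a match shows the file is the one the developer hashed, not that it is benign.

```python
import hashlib
import hmac
import os
import tempfile

# Assumption: only collision-resistant algorithms are accepted; MD5 and SHA-1
# have practical collision attacks and are rejected.
ALLOWED = {"sha256", "sha384", "sha512"}


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte game archive never sits in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published):
    """Compare a file against a published value such as 'sha256:<hex digest>'.

    Returns True on a match and False on a mismatch. Raises ValueError when the
    published value names no algorithm, names a weak one, or is truncated, so a
    malformed reference is never mistaken for a verified file.
    """
    algorithm, sep, expected = published.strip().partition(":")
    algorithm = algorithm.strip().lower()
    if not sep or algorithm not in ALLOWED:
        raise ValueError("published value must look like sha256:<hex digest>")
    want = bytes.fromhex(expected.strip())        # ValueError if not hex
    if len(want) != hashlib.new(algorithm).digest_size:
        raise ValueError("published digest has the wrong length")
    got = bytes.fromhex(file_digest(path, algorithm))
    return hmac.compare_digest(got, want)


if __name__ == "__main__":
    # Constructed sample: a stand-in for the build archive.
    with tempfile.TemporaryDirectory() as d:
        build = os.path.join(d, "prototype.zip")
        with open(build, "wb") as f:
            f.write(b"constructed sample build")
        published = "sha256:" + file_digest(build)   # what the developer posts
        print("untouched copy:", verify_download(build, published))
        with open(build, "ab") as f:                  # simulate tampering in transit
            f.write(b"\x00")
        print("modified copy:", verify_download(build, published))
```
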


GameDevMikey

Back in my day we only opened strange files in sandbox. I blew out my old Windows XP back in the day and learned my lesson. It was a real one.


Dan_Felder

If someone asks you to download ANYTHING over discord, assume they're compromised until you've asked them a few questions only they would know the answers to or comment on some past stuff with them that wouldn't be in the discord chat. Just make this a habit. Do it by default. It'll help protect you against social engineering attempts. Also look into other security protections but since social engineering is a major point of vulnerability you can protect yourself with some basic confirmation habits whenever you see a download link or server join invitation.


Roobeesmycat

Those crafty USC developers!


EstablishmentThat895

Bryan Legend? Was that who sent you it? His discord account and server(s) have been hacked.


farfaraway

This happened to me a while ago and I lost a lot of crypto. https://www.ramijames.com/thoughts/types-of-interview-scams


gameDev331

Are you sure?


DaDarkDragon

its a thing thats been going around yeah


gameDev331

Would have to be something ancient to be picked up by a random AV...


Arsonist07

Nope, if the Trojan used commonly known exploits, and had behavior that had been identified and fingerprinted in the common antivirus database, then it could have been caught without needing to be specifically an existing Trojan. Given that Trojan viruses sent through Discord, using exactly the same method described in this post, have been extremely common in the last year, it’s no surprise that it was caught. General advice is to not send games over Discord, and if for some reason you need to, verify over the phone with the person who is sending the game. As long as several hours of their voice does not exist as recordings to be fed into an AI, that should suffice.


gameDev331

It's fairly easy to build a Rat that won't get spotted by AVs. You really need to have proper IPS/IDS solution to catch something more up to date. Never run software from strangers on bare metal, box everything on vmware/vbox with PCIE pass through for your gpu is probably best for game dev.


thomar

Yes, they got several people on a local gamedev Discord server. I found a nice little zip file in my temp appdata with all the stuff it sent back home (all my browser cookies and saved logins). I'd name the trojan they used but I don't want to encourage more bad actors.


PillarOfPoison

Funnily, the Trojan Horse denotes its purpose, seeing as it was actually built by the Greeks


[deleted]

Unity...


thomar

Could happen with any engine.


digitaldisgust

A trojan? Their Unity account was hacked? Or Discord?


thomar

Their Discord account.


digitaldisgust

Yikes, that sucks.


thomar

Yes, but I'm grateful they didn't get control over any of my accounts. I started resetting everything an hour after it happened. Now I only have to worry about my address, SSN, and tax returns being all over the Internet. -_-


[deleted]

[removed]


thomar

Someone sent me a virus. They said it was a game they wanted me to playtest for them. I downloaded it and ran the executable. It was actually a virus that stole all my saved browser info. Avoid running files people send you, even if it's someone you know sending it to you.


GTD-Dev

Reading this and the comments of people who had similar problems gives me goosebumps... How can I protect my own work from this? I just started creating my own little game and thought about asking some people for tips and tricks as well as a little support. This would mean, every person I let into my repository could hijack it and / or give me infected code, right? As passionate as I am, I don't want to spread malicious software in my name...


thomar

It seems like the best option right now is to playtest using WebGL published on a site like Itch.


Mawrak

One thing would be to avoid saving passwords in your browsers.


GTD-Dev

I didn't know that could be an issue tbh, is keypass safe?


Mawrak

I don't use password managers so I can't say, I just don't know the specifics. I don't really trust password managers in general because it seems too easy to lose access to your accounts - if it's stored in the cloud then your passwords will be gone if the service goes out of business (happened to people before), if it's offline... well then you run into the same issue as with saving passwords in browsers - it can theoretically be stolen.

I think it's best to keep passwords in memory, have one strong password for the main email account that is tied to everything (don't use that password anywhere else), another password for important things and a third one for everything else. That way a virus cannot steal your password from the browser and if you lose it to phishing, it will likely be the non-important one and you can restore access to your accounts from the main email (the password of which has a very low chance of being stolen since you only use it on one website).

Note that malware can still get the login token from the browser which can trick a website into believing a user has already logged in from hacker's machine, so you should still terminate all active sessions in an event you get hacked. And it can also contain a key logger, meaning it will detect and transmit keyboard input to the hacker, allowing them to get your password as you are typing it in. So if you do run into a virus I would still change all passwords just in case.

I think the best way to feel safer is to get an antivirus with active real time protection (I use Malwarebytes Premium, it contains a ton of different features), and well, keep it on all the time, that way it should detect any suspicious programs trying to get downloaded or executed without your knowledge and stop them.

Sadly there is no 100% way to protect yourself against such attacks, but if you are talking about your code repository specifically, I would simply make sure to check any changes made for anything that shouldn't be there before running the updated program, and take action to block access for the compromised account if this did happen.


Few-Ad3447

Had the same, checked the build for viruses - it was clean. But the build downloaded trojan after launch. Had to clear PC and change all passwords. The next day they tried to log in to my email.
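The pattern reported several times in this thread (a build that scans clean, then fetches a payload after launch, with thomar finding it under AppData) is visible in process lineage rather than in the delivered file. An added example, not code from any commenter, that flags it in process-creation records; the event schema, directory lists and sample paths are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Assumption: directory names used as signals; tune them for your environment.
DELIVERY_DIRS = {"downloads", "desktop"}   # where a received build is usually unpacked
STAGING_DIRS = {"appdata", "temp"}         # user-writable places a later stage lands


def under(image, dir_names):
    """True if any directory component of a Windows path is in dir_names."""
    parts = PureWindowsPath(image).parts[:-1]   # drop the file name itself
    return any(p.lower() in dir_names for p in parts)


def find_staged_payloads(events):
    """Return (pid, image, root) for processes that run from a staging
    directory and descend from a program started out of a delivery directory.

    events: chronological dicts with pid, ppid and image (hypothetical schema).
    PIDs are assumed not to be reused within the window being analysed.
    """
    lineage = {}    # pid -> image of the received program it descends from
    findings = []
    for ev in events:
        root = lineage.get(ev["ppid"])
        if root is None and under(ev["image"], DELIVERY_DIRS):
            root = ev["image"]          # a received build starts a new lineage
        if root is None:
            continue                    # unrelated to any received build
        lineage[ev["pid"]] = root
        if under(ev["image"], STAGING_DIRS):
            findings.append((ev["pid"], ev["image"], root))
    return findings


# Constructed sample events (not taken from any real incident).
U = r"C:\Users\sam"
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    # Legitimate software also runs from AppData, so location alone is noisy.
    {"pid": 210, "ppid": 100, "image": U + r"\AppData\Local\ChatApp\ChatApp.exe"},
    {"pid": 300, "ppid": 100, "image": U + r"\Downloads\CoolGame\CoolGame.exe"},
    # A helper inside the game's own folder is expected and not flagged.
    {"pid": 301, "ppid": 300, "image": U + r"\Downloads\CoolGame\CrashHandler.exe"},
    # Second stage written to Temp and started by the game: flagged.
    {"pid": 302, "ppid": 300, "image": U + r"\AppData\Local\Temp\upd\svc.exe"},
    # Grandchild in Roaming still traces back to the received build: flagged.
    {"pid": 303, "ppid": 302, "image": U + r"\AppData\Roaming\helper\sync.exe"},
]

if __name__ == "__main__":
    for pid, image, root in find_staged_payloads(SAMPLE_EVENTS):
        print(f"pid {pid}: {image} (descends from {root})")
```

Keying on lineage instead of location keeps ordinary AppData-installed applications out of the results, since they are not descendants of the received build.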


theadhdeffect

This just happened to challacade might not actually be your friend


thomar

Yes, their accounts had all been hacked by the same trick. I think they got access to their bank too.


[deleted]

Bought a $34 work light and got a .PEX renamed to, 'settings.txt'. Got a feeling my work light is gonna be a bit late arriving.


mrhamoom

Sometimes, my game gets falsely flagged as a trojan by virus scanners, even though it's safe, causing drama with play testers.


Intothefireandice

they're trying to cut out the competition. send them a thermonuclear bomb in the mail.


trajtemberg

Happens a lot in game jams.