John Z Black
Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Three separate security events this week. None of them made front-page news on their own. But put them together and they tell you exactly how attackers are operating right now: through the platforms you already trust.
Steam: Malware Disguised as Games
This one’s wild. Eight Steam game listings were caught distributing malware. Steam has over 130 million active accounts, and most gamers don’t think of their gaming platform as an attack vector.
But it is. Get your malware listed as a game and you’ve got a delivery pipeline to millions of PCs, many running powerful hardware with minimal endpoint protection.
The FBI is actively looking for victims. If you’ve installed anything new or sketchy on Steam lately and your system’s been acting weird, file a report at ic3.gov.
For PC gamers: keep your antivirus running (yes, really), be skeptical of newly listed games with barely any reviews, and stick to publishers you recognize.
Starbucks: Phished Through the Employee Portal
Hundreds of Starbucks employees had their data exposed after attackers phished their way into the company’s Partner Central HR portal.
“Hundreds of employees” sounds small for a company worth $120 billion. But HR portals hold the good stuff: Social Security numbers, payroll details, personal contact info, work schedules. And they’re almost never hardened the way customer-facing systems are.
The attack wasn’t sophisticated. Someone clicked a convincing email and typed their password into the wrong form. That’s it. MFA on HR portals would’ve stopped this cold, but most companies still don’t bother.
If you work at Starbucks, watch for follow-up phishing that uses your real name, schedule, or other internal details. That’s the second punch after a breach like this.
Loblaw: Your Grocery Loyalty Data Is Worth More Than You Think
Loblaw, Canada’s biggest grocery chain (Loblaws, Shoppers Drug Mart, Real Canadian Superstore, PC Optimum), disclosed a customer data breach and force-logged out every account holder.
When a company voluntarily disrupts its own operations that broadly, they’ve decided the alternative is worse.
Here’s the thing about loyalty program data. It’s not just your email and password. It’s your purchase history across multiple store brands, your home address, your points balance (redeemable for real goods), and sometimes payment info. An attacker who knows what you actually buy can craft phishing emails that are scarily specific. “Your PC Optimum points are expiring” hits different when they know you shop there every Tuesday.
If you’ve got a Loblaw or PC Optimum account: log in through the official app, change your password, and be extra suspicious of any emails referencing your shopping habits in the coming weeks.
The Thread
None of these attacks required a zero-day. Phishing, credential theft, malware in a trusted marketplace. The boring stuff. The stuff that keeps working because people aren’t expecting it from platforms they use every day.
Enable MFA everywhere you can. Not just your bank. Your HR portal, your loyalty accounts, your gaming platform. Change passwords on anything affected this week. And if an email references specific personal details you didn’t expect a stranger to have, that’s your cue to slow down and verify before clicking anything.