Folks exploited indie game giveaway for 30,000 extra Steam keys, dev says

Friday, 1 November 2013 18:48 GMT By Phil Owen

Yesterday, we told you that Wadjet Eye was giving away copies of their adventure title The Blackwell Deception, and today the dev has said some unscrupulous folks exploited the purchase mechanism on the seller’s website to generate thousands of extra codes for themselves.

There were a couple problems. First, the Steam keys the site was generating were for the entire collection of Blackwell games rather than just The Blackwell Deception. That was dealt with quickly. Then came the real drama. Here’s the story as told by the developer to Red Door Blue Key.

“A few hours later, I learned that the offer was so popular that it shut down BMT’s servers. BMT being the sales provider I use to handle the sales and distribution of our games. I looked into it and discovered why. People were ordering multiple copies of the game – hundreds at a time. And collecting Steam keys for reselling later. This is something I didn’t anticipate happening, so I removed the Steam keys from the giveaway and placed the game on a few other websites to use as mirrors. BMT made the game live again, and I hoped that was the end of it. Sadly, no. It almost instantly led to a large number of angry emails and tweets – people like playing on Steam! – so in the end I decided to see if I could do something about it. I asked BMT if we could create some kind of “1 code per IP” system, to prevent exploiting. They said it was possible, and created a Steam key generator page that could detect your IP.

This didn’t deter the resellers, however. They easily masked their IPs and began chewing through the Steamcodes again. At that point I threw up my hands and decided to cancel the free giveaway altogether. I had been monitoring the giveaway and dealing with the Steam issues and download problems for 36 straight hours and I was exhausted. There was only so much work I was willing to do for a free giveaway, and I had reached my limit. I told BMT to cancel everything and put the regular sales page back up. I finally collapsed to get some much needed sleep!

The next morning I woke up to discover something terrifying. BMT did remove the link to the Steam key generator, but they hadn’t removed the generator itself. It was still being exploited. The link to the generator had propagated its way onto the internet, and the resellers had been hard at work. 30,000 keys were nabbed overnight while I was sleeping.”

He says Steam has since invalidated all the keys generated after midnight (UTC, I’m guessing) and pulled the game from the accounts of folks who had redeemed any of those keys (I did not know that was a thing). Nobody was banned.

And the moral of this story is…