A major source code leak for Valve’s biggest competitive PC multiplayer games—Counter-Strike: Global Offensive and Team Fortress 2—began making the rounds late Tuesday. Amid worries that this code leak for active, online games would lead to hackers finding exploits and developing root command exploits (RCEs), Valve issued a statement on Wednesday that such worries were moot.
There’s a catch, however. In an emailed statement to Ars Technica about the nature of the leak, Valve only offered a statement about CS:GO:
We have reviewed the leaked code and believe it to be a reposting of a limited CS:GO engine code depot released to partners in late 2017, and originally leaked in 2018. From this review, we have not found any reason for players to be alarmed or avoid the current builds (as always, playing on the official servers is recommended for greatest security). We will continue to investigate the situation and will update news outlets and players if we find anything to prove otherwise. In the meantime, if anyone has more information about the leak, the Valve security page (https://www.valvesoftware.com/en/security) describes how best to report that information.
(To clarify: Valve’s Source Engine emerged in 2004 as the framework for a different version of Counter-Strike. Before Valve launched any games with that engine, its source code leaked. This week’s news is about an entirely different leak, which Valve claims first took place in 2018.)
Valve’s representatives did not answer our questions about the lack of TF2 in this statement—or whether existing TF2 players should be concerned or change their play patterns in any way. In terms of Valve’s official social media channels, its official @csgo account posted the above statement on Wednesday as a thread, while the official @teamfortress account hasn’t posted an update since August 2019.
Thanks to this vacuum of official word on TF2‘s state, fans are left to refer to panicky responses from major voices in the TF2 community. In particular, two popular, community-run server hubs, Redsun.tf and Creators.tf, have temporarily shut down their operations due to “the uncertainty surrounding security of our infrastructure, as well as a potential for damage to be caused to your computer.” In Redsun’s case, a widely circulated comment from one of its moderators says that their team is waiting for “Valve [to] give us the clear” before resuming operations.
Valve could go a long way toward dispelling fears by speaking directly to the leaked code’s references to TF2. Valve’s Source Engine base breaks into various branches, and while this leaked branch is, as Valve describes, a CS:GO code depot, it includes references to TF2—which one Ars Technica source claims date back to a 2011 build of TF2. Whether that dated, TF2-specific code could be exploited for the sake of RCEs in the current build of TF2 is unclear.
By Wednesday evening, online chatter about possible, live TF2 exploits came and went without apparent proof of anything in the wild. This prompted Garry’s Mod creator Garry Newman to cast doubt on any major vulnerability in the root Source engine—which would affect his popular mod—and asked fans to reach out if they learned of any major vulnerabilities or exploits.
In the meantime, the best bet for interested TF2 players is to operate with an abundance of caution and keep your eyes tuned to server hubs like the ones mentioned above. Until those fans are ready to resume TF2‘s hotly contested Payload matches, you should probably look elsewhere.