In March 2026, the FBI confirmed it is investigating malware hidden inside games hosted on Steam, the world's largest PC gaming platform. The investigation, led by the FBI's Seattle Division, has identified seven malicious games—PirateFi, BlockBlasters, Chemia, Dashverse, Lampy, Lunara, and Tokenova—published over a roughly two-year period from May 2024 to January 2026, all believed to be the work of a single threat actor. The most documented case, PirateFi, was laced with the Vidar infostealer trojan—malware designed to harvest passwords, browser cookies, session tokens, cryptocurrency wallets, and credit card details from infected machines. Valve estimated between 800 and 1,500 users downloaded PirateFi alone before it was removed, and the FBI has since launched a victim identification portal and contacted affected individuals directly.

The immediate question is obvious: what happens when that infected machine is also used for work?

This is the BYOD problem in its most concrete form. Not a theoretical risk assessment exercise, but a real scenario playing out right now—a person downloads a game on their personal computer, and the malware silently harvests every credential on the device, including the ones that access corporate email, cloud platforms, and internal systems.

Why BYOD Deserves More Scrutiny Than It Gets

Bring Your Own Device policies have become the default for many organizations, particularly small and midsize businesses. The economics are straightforward: employees already own capable devices, and letting them use those devices for work avoids the cost of purchasing, configuring, and maintaining a separate fleet of corporate hardware.

The adoption numbers reflect this. According to industry surveys, roughly 82 percent of organizations have some form of BYOD program, and 67 percent of employees use personal devices for work even in companies without formal policies. The global BYOD market is projected to reach over $230 billion by 2029.

But the security trade-offs are significant. Research from Samsung found that 48 percent of companies with BYOD policies have experienced a data breach through an employee-owned device. The Verizon Mobile Security Index has documented a steady climb in mobile and endpoint-related security incidents, with 53 percent of organizations reporting such incidents in 2024. Perhaps most striking: Microsoft's Digital Defense Report found that 80 to 90 percent of ransomware attacks originate from unmanaged devices—the personal laptops, phones, and tablets that employees use for work without IT oversight.

The fundamental challenge is control. As we've explored in our articles on whether you should use personal devices for work and the dangers of letting employees use personal devices, when an employee uses a personal device for work, the organization has limited visibility into what else that device is used for—what apps are installed, what websites are visited, what games are downloaded, what links are clicked. And as the PirateFi incident demonstrates, the threats that come through personal use can be sophisticated, targeted, and difficult to detect until the damage is done.

When Personal Use Becomes a Corporate Breach

The Steam malware case isn't an isolated example. Several of the most consequential breaches in recent years trace back directly to personal applications or personal devices being used in work contexts.

LastPass (2022–2023): A Media Server App Led to 25 Million Compromised Vaults

In what may be the most instructive example, a LastPass DevOps engineer's personal home computer was compromised through a vulnerability in Plex—a media server application used for personal entertainment. The attacker exploited CVE-2020-5741, a known Plex vulnerability, to install a keylogger on the engineer's machine. Because the engineer used the same device for both personal media streaming and remote access to LastPass corporate infrastructure, the keylogger captured their master password. That single compromised personal app gave attackers access to encrypted vault backups for over 25 million LastPass users. Subsequent blockchain analysis has linked the stolen vault data to ongoing cryptocurrency theft.

3CX Supply Chain Attack (March 2023): A Trading App Compromised 600,000 Organizations

A 3CX employee installed a trojanized version of X_Trader—a personal financial trading application—on a device that also had access to 3CX's corporate build environment. The malware, attributed by Mandiant to the North Korean Lazarus group, pivoted from the personal trading software into 3CX's software build pipeline, ultimately compromising the 3CX desktop application used by approximately 600,000 organizations worldwide. The root cause was a personal application on a device with corporate access. We explored the broader implications of attacks like this in our article on supply chain attacks and software trust.

Chrome Extension Compromise (December 2024): 2.6 Million Users Affected

In late 2024, at least 36 Chrome browser extensions were compromised in a coordinated supply-chain attack, affecting approximately 2.6 million users. The compromised extensions—installed by users for personal productivity, AI tools, and browsing convenience—stole session cookies, authentication tokens, and credentials from platforms including Facebook, ChatGPT, and corporate services. As we covered in our piece on browser extension security risks, extensions installed for personal use on a device that also accesses work systems create a direct path from personal browsing habits to corporate credential theft.

Bybit (February 2025): A Single Compromised Developer Machine Led to a $1.5 Billion Theft

In what became the largest cryptocurrency theft in history, a developer at Safe{Wallet}—a widely used crypto custody platform—had their machine compromised through social engineering. The attacker, attributed by the FBI to North Korea's Lazarus group, used access to the developer's device to inject malicious JavaScript into the Safe{Wallet} interface, specifically targeting the cryptocurrency exchange Bybit. The result: $1.5 billion in Ethereum stolen during what appeared to be a routine wallet transfer. The code was designed to activate only when it detected Bybit's specific contract address, staying hidden from other users. The root cause was a single compromised device with access to production infrastructure—a pattern that repeats across nearly every major breach we've examined.

Samsung and ChatGPT (2023): Personal AI Tool Habits on Work Devices

Samsung semiconductor employees pasted confidential source code and internal meeting notes into ChatGPT on multiple occasions—not because they were careless, but because they were using a personal tool that had become part of their workflow. Samsung subsequently banned generative AI tools on company devices. This incident didn't involve malware, but it illustrates a subtler BYOD risk: when personal app habits carry over to work contexts, sensitive data can leave the organization through channels IT has no visibility into. We examined the broader implications of this pattern in our article on shadow AI and what business leaders should know.

The Gaming and App Store Threat Is Growing

The PirateFi incident on Steam is part of a broader trend. The FBI's investigation covers seven malicious titles from a single threat actor, and that's not counting separate incidents—another game, Sniper: Phantom's Resolution, was independently removed from Steam in 2025 after researchers discovered it contained credential-stealing malware. In one documented case, the game BlockBlasters stole $32,000 from a streamer during a live fundraising event. The attackers' approach was methodical: they submitted clean game builds that passed Steam's review process, then pushed post-launch updates that injected malicious code.

Mobile app stores face similar challenges at larger scale—something we've covered in our look at mobile devices as a business security blind spot. Zscaler ThreatLabz identified over 200 malicious apps on Google Play in 2024, collectively downloaded more than 8 million times. In February 2025, researchers discovered SparkCat—an OCR-based stealer found in both Google Play and Apple's App Store, disguised as food delivery and AI assistant apps, designed to scan photo galleries for cryptocurrency wallet recovery phrases. It was downloaded over 242,000 times from Google Play alone.

Kaspersky's broader gaming threat research documented approximately 6.6 million attempted cyberattacks exploiting popular game brands in a single year. The attack surface is vast, and the delivery mechanisms—free games, mods, companion apps, browser extensions—are precisely the kinds of things people install on personal devices without much scrutiny.

When those personal devices double as work devices, every malicious app, every compromised game, every trojanized browser extension has a potential path to corporate credentials and data.

The Best Option: Corporate-Issued Devices

The most effective way to control endpoint security is to issue corporate-managed devices and keep them separate from personal use. This isn't always feasible—particularly for smaller organizations—but the security benefits are substantial.

Corporate-managed devices with proper endpoint protection experience significantly fewer security incidents than unmanaged personal devices, and they reach patch compliance far faster because updates are pushed centrally rather than depending on employees to act. Industry data consistently shows managed devices achieve patch compliance two to three times faster than unmanaged personal devices.

A corporate device policy should include:

  • Endpoint detection and response (EDR) or extended detection and response (XDR) deployed on every device. As we covered in our articles on endpoint security and keeping endpoints secure, visibility into what's running on your devices is foundational.
  • Restriction of personal applications. Corporate devices should be limited to business-approved software. Games, personal media apps, and unvetted browser extensions should be explicitly prohibited—not out of distrust, but because every additional application is additional attack surface. As we discussed in our article on reducing your attack surface, fewer unnecessary applications means fewer potential entry points.
  • Centralized management. Mobile device management (MDM) or unified endpoint management (UEM) tools give IT teams the ability to enforce security policies, push updates, and respond to incidents regardless of where the device is physically located.
  • Strong authentication. Corporate devices should require multi-factor authentication—and ideally phishing-resistant authentication such as hardware security keys or passkeys—for accessing corporate resources.

The cost of a corporate device—typically $1,200 to $1,800 per year including hardware, management, and software—can feel significant. But a single breach involving a compromised personal device can cost orders of magnitude more. The LastPass breach, triggered by one employee's personal Plex server, has resulted in ongoing cryptocurrency theft affecting thousands of victims. MGM Resorts lost over $100 million from a breach that began with a social engineering call.

When BYOD Is Unavoidable: Your Options

For organizations where issuing corporate devices to every employee isn't practical—and that's many small and midsize businesses—there are ways to reduce the risk of BYOD without eliminating it entirely.

Virtual Desktops (VDI/DaaS)

Virtual desktop infrastructure or Desktop-as-a-Service solutions create a clear separation between the personal device and corporate data. The employee's personal laptop or tablet serves as a display terminal, while all corporate applications and data run in a virtual machine hosted centrally. No corporate data is stored on the personal device. If that device is compromised by malware from a game or malicious app, the attacker gains access to the personal environment—but the corporate virtual desktop is isolated.

Solutions like Microsoft Windows 365 (Cloud PC), Azure Virtual Desktop, Amazon WorkSpaces, and Citrix DaaS range from roughly $20 to $60 per user per month. The trade-off is that they require reliable internet connectivity and may introduce some latency, but they offer strong isolation between personal and corporate environments.

A BYOD Policy With Teeth

If virtual desktops aren't practical either, a well-crafted BYOD policy can meaningfully reduce risk—but only if it's enforced. NIST SP 800-124 Rev 2 provides a framework for managing personal devices in enterprise environments. Key elements include:

  • Minimum security requirements. Require current operating system versions, device encryption, screen lock policies, and up-to-date security software as conditions for accessing corporate resources. Devices that don't meet baseline requirements should be blocked at the network level.
  • Application containerization. Solutions that create a separate, encrypted container for corporate data and apps on a personal device. Corporate data stays within the container and can be remotely wiped without touching personal photos or apps.
  • Network segmentation. BYOD devices should connect to a separate network segment with limited access to corporate resources. As we discussed in our article on layering your security, network segmentation limits the blast radius when a device is compromised.
  • Application restrictions. Define which categories of applications are prohibited on devices that access corporate resources. High-risk categories include games from unvetted sources, sideloaded apps, and browser extensions outside an approved list.
  • Remote wipe capability for corporate data. MDM or containerization tools should provide the ability to wipe corporate data from a personal device when an employee leaves or when a device is reported compromised—without erasing personal content.
  • Incident reporting requirements. Employees must know to report suspected compromises immediately—not after they've tried to fix it themselves.

Zero Trust as a Foundation

Regardless of whether you issue corporate devices or allow BYOD, a zero trust framework provides the right security model. Zero trust doesn't assume that a device connecting from an employee's home is safe because it has a VPN connection. It continuously evaluates device health, user behavior, and access context before granting access to resources. A personal device that suddenly exhibits suspicious behavior—unexpected network connections, newly installed unsigned software, access from an unusual location—can be flagged or blocked in real time.
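As an added illustration (not code from the article), the following Python evaluator encodes the minimum security requirements from the BYOD policy list above as a static posture gate, and the continuous context signals from the zero trust paragraph as a second check that runs on every request. The OS baselines, the signature-age threshold, and the device records are constructed assumptions, not values from any real policy.

```python
# Added example: device-posture gate plus zero trust context signals for BYOD access.
# Thresholds and device records below are constructed for illustration only.
from dataclasses import dataclass
from typing import List, Tuple

# Assumed minimum OS build per platform (constructed values, adjust to your baseline).
MIN_OS = {"windows": (10, 0, 19045), "macos": (14, 0, 0),
          "android": (13, 0, 0), "ios": (17, 0, 0)}
MAX_SIGNATURE_AGE_DAYS = 3   # constructed threshold for "up-to-date security software"

@dataclass
class Device:
    os_name: str
    os_version: tuple              # e.g. (10, 0, 19045), compared lexicographically
    disk_encrypted: bool
    screen_lock: bool
    av_signature_age_days: int
    unsigned_binaries_installed: int = 0   # context: newly installed unsigned software
    unusual_location: bool = False          # context: access from an unexpected geography
    unexpected_outbound_hosts: int = 0      # context: connections to never-seen hosts

def posture_failures(d: Device) -> List[str]:
    """Static minimum requirements; any failure means block at the network edge."""
    fails = []
    floor = MIN_OS.get(d.os_name.lower())
    if floor is None or d.os_version < floor:       # unknown platform is also a failure
        fails.append("os_version_below_baseline")
    if not d.disk_encrypted:
        fails.append("disk_not_encrypted")
    if not d.screen_lock:
        fails.append("no_screen_lock")
    if d.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        fails.append("security_software_out_of_date")
    return fails

def context_signals(d: Device) -> List[str]:
    """Zero trust signals re-evaluated on every request, not only at enrollment."""
    sig = []
    if d.unsigned_binaries_installed > 0:
        sig.append("unsigned_software_installed")
    if d.unusual_location:
        sig.append("unusual_location")
    if d.unexpected_outbound_hosts > 0:
        sig.append("unexpected_network_connections")
    return sig

def access_decision(d: Device) -> Tuple[str, List[str]]:
    """Returns ('BLOCK' | 'STEP_UP' | 'ALLOW', reasons). STEP_UP = healthy posture but
    suspicious context: require phishing-resistant MFA and flag the session for review."""
    fails = posture_failures(d)
    if fails:
        return "BLOCK", fails
    sig = context_signals(d)
    return ("STEP_UP", sig) if sig else ("ALLOW", [])
```

In a real deployment the Device record would be populated from your MDM or EDR telemetry rather than constructed by hand.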

What the PirateFi Case Should Tell Every Business

The FBI investigating malware hidden in Steam games isn't a story about gaming. It's a story about the collision between personal digital lives and corporate security—a collision that happens every day on millions of devices that serve double duty.

The Vidar trojan that was embedded in PirateFi doesn't discriminate between personal Steam credentials and corporate Microsoft 365 session tokens. It harvests everything. And the person who downloaded that game may well have had their corporate email open in another browser tab, their VPN client running in the background, and their password manager unlocked.

This is the same pattern that played out at LastPass, at 3CX, at Bybit, and in the Chrome extension compromise. The personal and the professional share the same device, and an attacker who compromises one side immediately has access to the other.

The solution isn't to blame employees for having personal lives. It's to design environments where those personal lives don't create corporate risk:

  • Issue corporate devices when possible and restrict them to business use.
  • Use virtual desktops when corporate devices aren't feasible, creating a clear boundary between personal and work environments.
  • Implement and enforce a BYOD policy when virtual desktops aren't an option, with minimum security requirements, application restrictions, and remote wipe capabilities.
  • Layer your defenses with endpoint security, strong authentication, remote work security practices, and employee security awareness training that covers the risks of personal app use on work-connected devices.

The cost of getting this wrong isn't abstract. It's measured in compromised customer data, operational disruption, regulatory fines, and in some cases—as the LastPass aftermath has shown—direct financial theft that continues for years after the initial breach.

The convenience of BYOD is real. But so is the risk. And right now, the attackers are counting on organizations that haven't figured out where to draw the line.


This article is intended for informational purposes only and does not constitute professional security, legal, or compliance advice. Organizations should consult with qualified cybersecurity professionals to assess their specific device management needs and develop appropriate policies.