LogInAccording to Betide Studio, this is Unreal's default packaging behaviour.
A Reddit user going by sudo make recently raised concerns about a popular plug-in for developers, designed to provide seamless integration between Steam and Unreal Engine, with full Blueprint support. According to their findings, if you've used the 1-Click Steam Setup feature, there's a good chance that your Steam business account username and password have been exposed to players.
"The plug-in asks for your username and password to log into SteamCMD as part of the upload process. Unfortunately, it saves this data in your DefaultEngine.ini config, and it never cleans it up during the build and upload process, meaning that if your players ever go into your Config directory and open the file, they will have plain text access to your credentials. This is the case whether you pushed a free demo build that anyone can access or if it's your full game.
You can verify this by checking your build output, which is uploaded directly to the Steam depot, in your Project/Saved/StagedBuilds/[Windows]/Game/Config directory, opening DefaultEngine.ini and Ctrl+F'ing for 'password'."
sudo make suggests a short-term workaround: remove the username and password fields from your most recent build's DefaultEngine.ini, manually reupload the build to Steam, and set it live to push the update to players. While this won't undo the exposure, it can help minimize further damage.
DeveshMishraUe4, one of the Steam Integration Kit creators, clarified that the plug-in doesn't require storing credentials in DefaultEngine.ini. This happens because Unreal Engine auto-saves Project Settings to config files. The username and password fields are optional and meant for convenience. However, they acknowledged the issue and are considering auto-wiping credentials from packaged builds to improve safety.
You can find the Steam Integration Kit plug-in here. Also, don't forget to join our 80 Level Talent platform and our new Discord server, follow us on Instagram, Twitter, LinkedIn, Telegram, TikTok, and Threads, where we share breakdowns, the latest news, awesome artworks, and more.