You've got a trojan on your pc. There is no other way to stole account. Try to remember what you have downloaded and started recently.
Comment has been collapsed.
Here, on this exact site, was a thread with 20 goddamn questions, and people willingly shared sensitive information about themselves, not a big deal to bruteforce the secret questions of these people. This thread is still around somewhere probably.
Don't ever share personal info together with a name of a steam account.
Comment has been collapsed.
so sorry to hear that
i heard that if you click some unknown links sent to you on steamchat,your steam account will be hacked so dont click any
Comment has been collapsed.
Did you enter multiple logincodes somewhere?
Seems, if you enter a 2fa code, they use that for login, if you enter another one, they use that one to remove authentificator/change phone number
And with enter I mean either into a phishing website, or somewhere else with a keylogger on your PC.
http://steamcommunity.com/discussions/forum/1/135513549099516945/?ctp=2
Comment has been collapsed.
Same thing was happening with discord invites too.
Comment has been collapsed.
Sorry to hear that, but no offense
3 years on steam
never changed password since the registered
using Mobile Auth
No incidence yet
kinda sceptical, just how crackable your password is
Even I never changed my 14 years email account's password (okay, blame my 7 special characters I used for my password)
Comment has been collapsed.
if legit this sucks, but as others have said, it's likely you were hacked, used simplistic passwords (although with 2step that shouldn't matter) Best bet update steam support ticket with all the available information and hope for the best..
I had something similiar happen like 6 or 7 years ago, back when I gamed on the console, pretty much used the same password for everything.. Sony had their massive breach and the person got hold of my email address and password, and lots of sites associated with it.. Was terrible as they went and changed literally all my passwords..
The only cost associated with me, was them getting access to my Xbox live account and buying over 200 dollars in Fifa my-team packs, the money was eventually refunded like 3 months later, but that taught me a massive lesson,, never use the same password and make that password as hard to crack as possible.. Random number, letters, symbols, caps and lower case, ..
Comment has been collapsed.
I call BS on your story.
While I can sympathize with you losing money/Steam wallet/gift etc, please don't spread misinformation.
Comment has been collapsed.
You can only turn off the mobile authenticator with the code you must have written on your memory or paper only. Failing to do that is a mistake.
Comment has been collapsed.
Long story short.........you messed up somehow OR it's someone you know personally and they had a few moments of access to your pc and your phone while you were dropping a deuce or something. Yes, sounds completely absurd so I'm going with the 'you messed up' part.
Comment has been collapsed.
Guys I just remembered something rather off I updated my bios about a week ago and it added that Intel security manager thing that's supposedly vanurable to hacks could they have used that to gain access to my PC enter my steam and turn the authenicator off?
Comment has been collapsed.
''Dont have money on your steam account and never ever use mobile verification''
You never should write something this dumb. Its worst advice ever .
Comment has been collapsed.
your story has a big problem. you did something wrong and they got access to your phone. millions of people use mobile authenticator without any problems.
Comment has been collapsed.
What did he do to get a ticket through? As in how did he eventually get them to do something
Comment has been collapsed.
What is the status of your current steam mobile authenticator ? is it still your authenticator ? If your phone is no longer the authenticator, then you will have a clue (they disabled your authenticator). If it still is, then there's something really strange about this story.
Comment has been collapsed.
Authentication was turned off it no longer works as an authenticator
Comment has been collapsed.
What if this post is just to convince some ppl to disable mobile auth just to get to their accounts easily at christmas sale fever ?
Comment has been collapsed.
Im just warning people Im saying email verification is much safer and has a trade hold which should make your account safer this is personal experience alone though so take it with a grain of salt
Comment has been collapsed.
Seriously don't reply leave this thread no one is trolling and you're just being rude
Comment has been collapsed.
What exactly happened to your friend ? because its hard to understand what happened to (TherealDarknes)
Lot of what he said did not make any sane at all.
Comment has been collapsed.
There is no way someone was able to trade after deactivating steam auth ;) +steam support can see when it was deactivated;)
If someone duplicated his sim card then he traded and then deactivated steam mob auth after trade ;) +and still steam support can check that ;) So i am confused that in his story and yours some things don't add up :)
Comment has been collapsed.
"It is not possible as it is surely all totally fail-safe. And the Titanic is still floating around because it was called to be unsinkable."
similarly as depicted in up to 1:37:
https://www.youtube.com/watch?v=M8aqYlanC5I
I mean, IT-illiteracy may of course be an issue in this case as it is in many other cases, and who knows what programs on in the case involved system haven't all been updated in perhaps even years, etc.. But to make statement putting as if hand in fire for infallibility of Valve's code, as if saying that there never was an oil spill south of U.S. based perhaps based on some notion of as if corporations surely were perfect in every way, such I personally find to be quite a bold statement to be made.
So or so, whether in this case an issue that happened user-side, client-side, and/or server-side, quite difficult to tell without loads of logs from more than one source anyhow.
Comment has been collapsed.
I am not saying that Valve are invincible ,read his story and then his comments ,if you think all adds up ,then i am happy for you :)
Comment has been collapsed.
OP said that they had Steam mobile authenticator enabled, that it was turned off without them doing so, and that someone else took (before or after authenticator was disabled) quite some from inventory and wallet (and according to screenshot apparently with someone having had the time to check how much was in wallet).
In that to say that the authenticator was clearly to blame, such surely seemed a bold statement as well, especially as it isn't clear whether those items were in trade hold for 14 days before noticed, etc. But e.g. myself I haven't tried whether when disabling the mobile authenticator thing the trade hold applies pretty much immediately, so to say that it does when I haven't seen it so in at least one case while the Steam FAQ doesn't even specifically say "immediately (and not in perhaps an hour)", such would be rather a guess even if one assumes glitch- and bug-freeness.
Anyhow, while SG forum surely isn't the (most) appropriate place for technical issues of other websites, it seems common courtesy to not have an attitude of as if only MIT graduates were allowed to post online, you know what I mean? By that I do not mean as if everyone would have to be everyone's tech support, but if it is assumed that most of the cases of alleged "hacks" were due to IT-illiteracy, in which e.g. login details were handed out to phishing sites or similarly, just saying e.g. "BS!", such surely doesn't really contribute anyhow to increasing that IT-literacy, does it?
Comment has been collapsed.
Read his comments ,contact steam support if you want to know something and yea ,when you turn off mob auth ,you get trade hold immediately(done it quite a few times and never had bug or problem ,at least not yet).............Steam is safe if you don't login every gambling site ever made etc.
Comment has been collapsed.
I find this hard to believe, last time I removed mobile authenticator from my account it was on a few days lock.
Comment has been collapsed.
This! There is something else going on here. I think he was doing some shady stuff and got burned.
Comment has been collapsed.
Ok this story is 100% bs or he somehow doesn't really understand how steam works..
Comment has been collapsed.
Your story is either 100% bullshit or you're messing up so many facts that I don't even know where to start.
Let's start from your authenticator and how hacker stole your entire inventory. Removing authenticator just like that forces cooldown during which you can't trade with anybody without issuing at least 3 days trade hold. The only way to "remove" authenticator and not run into forced trade hold is to move it, and for moving your authenticator, hacker would need to access your phone, as in read actual SMS with the code, as I stated a while ago. This is easily possible with SMS permission in Android.
The only possible way for your situation to exist in the first place is to have a phone hacked. And that is plain easy with users downloading every shit app from the google play store they can think of. Even the game you trust can easily ask for extra permissions and "hack" you. Moreover, it's so easy it doesn't even require almost any effort. Putting malicious app in the store is the single easiest way of hacking anybody today, since even Google barely verifies the shit people upload, and very rarily actual updates.
If you want to confirm that then you can ask your mobile phone operator for a printed note with all numbers, SMSes and their content that arrived to your phone in last month or so. Verify yourself that there is no Steam code there, I can assure you that there is one, since there is no other way to move authenticator in the first place, and removing it would force cooldown. The fact that it's not visible on your phone is not an argument - app with SMS permission can easily remove message once it's read.
In fact, in order to hack Steam account it's much easier to just hack into the phone, since you have full access from it. This is why 2FA is bullshit in general in terms of actual security, but still better than nothing in terms of brute-force of passwords. This is also why you should refrain from recommending to remove 2FA in the first place, because that itself is bigger security risk than having your phone hacked. It's easier to brute-force password than put malicious app on the phone, since second thing requires actual effort from user, while first one is cost-free.
BTW, removing/moving authenticator wasn't needed in the first place, but I guess hacker was too stupid to get into Steam app permissions, so he just silently asked for SMS and moved authenticator on his own phone (or any emulator), and from there did everything else. It's physically not possible to issue immediate trade without 2FA in-place, so the only way for your story to be at least 50% correct was hacker using either your own mobile authenticator, or moving it to his own phone/emulator. In second case there should still be 24h lockdown, but hacker could as well use your own details initially, then move authenticator once he's done with transferring your entire inventory. Possibilities are endless, but everything starts in your phone, not on your PC.
Comment has been collapsed.
JustArchi so many people are saying that to him but he is just ignoring it for some reason..
- +for a novel that is more into details than any of us went to :D
Comment has been collapsed.
It's easier to brute-force password than put malicious app on the phone
That must be why law enforcement bruteforces passwords to encrypted files/volumes rather than trying to steal them. Oh, wait... I got it backwards there, didn't I?
What might be easier than putting a malicious app on the phone, though, could be putting malicious software on the PC. Depends on your phone, what you do with it, and what you do with your PC. Many phones have unfixed vulnerabilities because manufacturers can't be bothered to publish updates more than a few months after release (hi OnePlus and Xiaomi), so when someone gets physical access to them they can do whatever they want real quick.
OP actually makes some sense IMO when recommending not using 2FA. As you say, it's "bullshit in general in terms of actual security". And at least, when you don't have it on, you receive e-mail confirmations for every trades, and then trades are put on hold for 15 days. 2 things you for some reason just cannot have when you enable 2FA (thanks Valve!). Without 2FA, OP would probably still have all their stuff because everything would have been on hold for 15 days.
2FA doesn't suck because it's not very secure, it sucks because the people who issue 2FA (and pretty much force you to use it) act as if it were secure. i.e., when you do something with 2FA, they act as if it 100% is you, even if you usually connect from Boston and this time the connection is from Hong Kong and traded $100 worth of items out of your account. So smart.
I pretty much agree with the rest of your comment, though.
Comment has been collapsed.
It's not a matter of discussion how safe or unsafe your phone might be. Brute-forcing passwords doesn't require your cooperation and is in fact the most common method of cracking anything, including cracking AES encryption of hard drives belonging to people caught by the NSA or FBI, as well as cracking SSL connections.
It's true that OP could still have his items when not using 2FA because of 15 days trade hold but it's not any argument. You also have a trade hold when removing authenticator, and even regardless of that it's very, very unlikely that OP would notice trade hold if attacker got also access to his e-mail, which you can safely assume he does if he got access to his phone - with, or without Steam 2FA at this point.
So no, not using 2FA is not any more secure and I'd be happy if people didn't act like it was otherwise. Only because it's bullshit from security point of view doesn't mean that not using 2FA is not even bigger bullshit and actual threat that is much bigger than having 2FA attached. I repeat what I said - cracking non-2FA Steam account by password alone is much easier than putting malicious app on the phone, regardless how much secure or insecure your phone would be. This is because 1 + 0 can never be more than 1 + X, where X is security of your phone in 0+ scale.
Comment has been collapsed.
Brute-forcing passwords doesn't require your cooperation and is in fact the most common method of cracking anything
Only when people use crappy passwords. Just because people usually use crappy password doesn't mean everyone should be punished by being imposed a bloody 2FA that has more chances to lock you out of your account if something happens to your smartphone than to actually be useful.
Also, "bruteforcing" (that would rather be a dictionary attack, even on most crappy passwords bruteforcing isn't that practical) an internet account password is way harder than bruteforcing an encrypted hard drive, because properly secured websites will massively throttle the speed at which you can try passwords. If it was so easy, why does none of my 900+ accounts get hacked this way on a daily basis?
also access to his e-mail, which you can safely assume he does if he got access to his phone
Good luck accessing my e-mails from my phone, even I can't... 👀
Comment has been collapsed.
If it was so easy, why does none of my 900+ accounts get hacked this way on a daily basis?
Yet I'm hearing all the time about hacked accounts without even SteamGuard getting bruteforced in one way or another. Most of the time those are people using same password everywhere, where leak of a single service poses a risk to all other services given person is using. Sure, if you're aware user then the actual risk is rather minimal and you can probably sleep safe, but you keep forgetting that 2FA is enforced not for aware users, as those didn't get scammed on daily basis in all sort of different ways - it's here so making an actual attack is much harder than just me dumping some random leaked database and finding out which moron on Steam is using the same combination of e-mail/password. I guess you will agree with me that putting such dump in ArchiBoT and letting it get through it at its own, as you mentioned it, "throttled" pace is easier than putting malware on your phone.
Like I said, lack of cooperation is what making this method effective. And of course people being dumb, but 2FA is an extra layer of protection in this case, and it works much better than lack of it, regardless how you look at it. We can discuss how significant having 2FA is in terms of increasing security, but there is no place for discussion when talking if it increases security, because it does in all cases, at worst in very insignificant way (for example for me or you, who know it's bullshit security).
Comment has been collapsed.
Most of the time those are people using same password everywhere
Yes that's probably most often the issue. Far from bruteforce, a "dictionary" attack with one word (per account) ^^ Although leaked databases should hopefully all contain proper hashes by now...
2FA is enforced not for aware users
Yes, and because of those "not aware" users, "aware" users have to deal with that insufferable 2FA PITA.
Comment has been collapsed.
https://www.youtube.com/watch?v=e2Da2_pZAkg
Just leaving this here.. I think you fell for this scam. STAY SAFE EVERYONE
Comment has been collapsed.
I'll probably sound like a dick now but the thing with the Suguri emoticon is kind of like a nice touch :D
How do they say... To add insult to injury
I'll also repeat what other have said: Please remove your "advice" to disable 2FA. It's just bad advice and shows that you're not very familiar with how Steam works.
Comment has been collapsed.
Shouldn't he be the prime suspect? That emoticon definitely did it.
Comment has been collapsed.
A few points of clarification that should help some:
What happened to the money?
You can see what it was spent on too, so like the trades you're seeing that data should be available. Was it gifted games, or just wasted game purchases on your account?
What sort of items are gone---and which are left?
You mention only the emoticon, but aside from it and a few cards I"m also seeing almost 300 tradeable TF2 items and some uh blockbuddies whatever its called ones that are also tradeable? And most all of them having some market value tioo , if not much. Presumably the main reason not to leave them, is that you're moving them by hand so dragging one at a time from the inventory.
Would you mind posting a few screenshots with all sensitive data blacked out? (including trade partner, in matching with the rules set up here)
They would be really helpful just for extra clarification and easy visual representation of what this person did once they had access to your account.
What all do you know about the account that they went to?
Specifically where did the (presumed) Steam Gifts go that the money got spent on? Private, or public? One, or split across a few? Obviously it had mobile auth set up too (cause if not, you can still cancel those trades), but can you tell if its a dummy account, or just a dummy using their real account?
Where was your cell phone at the time? Who was around it, and could they have done the trades?
`
From what you say, all the trades had to happen before auth was disabled, so that means access to your phone/authenticator. Guessing you don't have it emulated anywhere. Sure a cell phone hack could still happen,--but I think its far more likely and easily done by someone in person.
So... could anyone have just gotten on it while you were away, seeing as then they could have done those trades/purchases without even needing to know your password/auth info if you were already logged in?
Comment has been collapsed.
I will send screenshots when I get home the idiot bought from his real account and then tried to cover it up by spam buying csgo crates all of the items went directly to burner scam accounts you can easily spot that there not legitimate on first glance
Comment has been collapsed.
The money itself went to the community market the idiot bought from his own account when he did it
They took everything of value in my tf2 account likely until they had no more inventory space
Phone was in my hand or pocket
Trades went to clear alts as I said before sorry for making a new message I thought my old one was to rambly
Comment has been collapsed.
There are basically three situations I can see it playing out still (unless I missed something)
Someone getting.either:
1) Physical access to the phone while its signed into the mobile app
2) Complete hack of the phone enabling access to the steam app / authenticator
3) Copy of authentication emulation (like winauth) that therealdarkness already had setup^^^
^^^[as setting this up would still require #2, or #1 if already rooted, so basically same as each itself]
`
Comment has been collapsed.
Hmm I do have a small amount of things backed up but my phone is off as in it can't call right now I didn't think they could do anything like this without a text message?
Comment has been collapsed.
But were you around anyone at the time? School, work, "friends"?
It's surprisingly easy for someone to snag your phone when you're preoccupied with other stuff in a (normally) safe and relaxed environment. The time line should be important cause its someone taking a while to fuck with it versus, say, heading to the bathroom for a few minutes and returning before you notice.
Especially with the money being wasted on market stuff, the act speaks to a certain type of maliciousness based on fucking with you rather than mostly personal gain. It could still be someone with virtual access to your phone rather than physical, but it seems less likely with little to gain from the way bigger hassle.
Comment has been collapsed.
Steam will refund it if you ask support.
I lost $470 from steam wallet plus all my skins, which were worth a fair bit. They returned it all.
Comment has been collapsed.
Ok but how there's not spot on the support page for scams or wallet theft I put it under wallet purchase issues or something like that
Comment has been collapsed.
I just had everything stolen from my steam account all my money 21 dollars i had for the steam sale gone down the fucking drain.
No idea how they got my password possibly some site linked to my steam account got leaked or a lucky guess either way my Christmas is ruined and years of cards emoticons and backgrounds are now lost
It seems that those who have access to your steam account ie password cracking/breaches/guessing can now turn off 2 step verification and take everything and anything because i had the mobile authenticator and got an email stating that it had been turned off even though whoever did this could have had no access to my authenticator to verify themselves
so don't buy any steam wallet cards ever keep your steam account at zero dollars or 2 cents as 2 cents cant be spent on the community market where they can blow everything and valve seems to refuse to give you refund option for it
and make sure to not use the mobile authenticator ever as i personally at least never had any issues with email verification but mobile seems to slip up and let some things go through without a second verification i noticed this myself and thought nothing of it because i had used steam on my browser on my computer before
sorry if this is long and rambly im just having an awful time the steam sale was all i was looking forward to this christmas and that was ruined and all the emoticons i worked on gathering for years were just stolen like it was nothing OH AND THE ASS LEFT ME WITH ONE EMOTICON ITS FUCKING DEVIOUS FROM SURUGI WITH THE DESCRIPTION I'LL ERASE IT ALL, EVERYTHING! sigh HE HAD TO RUB IT IN WHAT AN ASSHOLE YOU HAVE MY MONEY YOU DESTROYED ALL MY SHIT AND YOU LEAVE ME WITH THIS UGGG sigh
TLDR Dont have money on your steam account and never ever use mobile verification
UPDATE they got in through intel securtiy managment a bloatware peice of software that came with a bios update i also cant figure out how to get rid of it. My time on the email was also spot on rather than 10 minuites late like i had thought
New TLDR steam support is trash and Intel put what is essentially a hackers dream into my bios
Comment has been collapsed.