Account got Hijacked - Please DON'T make my mistake!

Definitely not blaming them. I believe it was the same hijacker that took over my account. I hope that didn't go across wrong. Just tried to share what happened.

Normally I would know best, but this time the guy spoke with me like a normal person, so I didn't see much harm into it at the time. I should have known better. 😓

Clicking links is largely fine (though yes, you should obviously check the full URL first, most bullshit links are easy to identify) as long as your Antivirus is halfway decent.
The real problem is that most people falling for scams enter their login credentials on the webpage the scammer aks them to open.

That's where the actual number 1 most important rule on Steam comes into play: NEVER directly enter your login credentials into a site. Always go to Steam's homepage first and make sure you are logged in, then use your login token to sign into any third-party pages (since your token doesn't contain any info anyone could use to steal your account).
If a page is asking you to enter anything despite you having a login token already, it's 100% a scam.
Approximately 95%+ of all account thefts could be prevented if people followed that rule.

Actually, the first rule is to read URLs. All this happened because people these days don't read URLs...

And people don't read URL because everything is made to discourage them from doing so: browsers hiding URLs by default, Google browser integration encouraging you to always search instead of typing (a few letters of) URLs, Steam putting up excessive annoying warnings that noone reads because it's too damn annoying, Youtube just banning all URLs in comments, etc.

+1

What saved me was a good habit of not logging in on different sites than steam itself. Open new tab and check if you are legged in. If not then log in on steam site directly. Then refresh that other tab.
If you are logged in, but other tab is still asking for logging-in - It's a scam.

I'll remember to do that. I appreciate the suggestion.

Also don't get fooled that site looks like the real deal - that's the idea behind this whole scam. And it's not limited to steam. If you are not careful - you can end up logging in on the site that looks exactly like your baking site for example xD And that would bring more harm than hijacking steam account xD

Very true. The website log-in looked exactly like a Steam one.

Yes it is good advice to everyone and I do the same. But sometime I have such situations that I am logged to steam and the other page still asking as I would not be logged (not sure why, probably it is because you are logged too long an it will expire soon). In such situations I log out and log in again to the official stream page and then if it is not a scam you can log in to the other site without entering login and password.

What saved me was a good habit of not logging in on different sites than steam itself. Open new tab and check if you are legged in. If not then log in on steam site directly. Then refresh that other tab.
If you are logged in, but other tab is still asking for logging-in - It's a scam.

I avoided been scammed because of that

baking site

I hate when people steal my cookie recipes.. D:

I have... just that I am restricted to trade on Steam. Which is alright. I wasn't planning to do it anyway.

I did ask some of the other Steamgifts friends that are on my friend list to contact them, but two of them don't believe me and were upset because of it. I have no way to prove my innocence without talking to them, so I can to write here in hopes that they see what exactly happened and maybe unban me.

Corrected. I hope the rest is correct. Thanks!

Recovered it, but my entire inventory of steam cards is lost. The guy send it to an account.

Don't you save passwords in your browser? If site doesn't show your saved credentials, then its 100% not THE site.

I've recently reinstalled my windows and lost all my stuff there, including being logged in on Steam. I assumed I didn't log in via Steam so I did it then, but I was very wrong.

In what century you live bro? xD

It was more a negligence of mine rather the century I am from. I should have known better at the time. I didn't expect it being tricked into it because I knew that person. Just raising awareness about it.

Don't you save passwords in your browser?

I hope he doesn't, because they're extremely easy to stole. And I hope you don't either. If you do, delete them all and disable that feature right now. Use a proper password manager.

I only thought he wanted a vote and since RUST is on Steam, I expected I just needed to log in and vote so that my vote counts as a human one and not something like a bot. The website login request was an exact image of Steam and didn't think much of it. The guy didn't seem like a bot when I spoke with him, so I didn't expect it. 😥

I got scammed by an impersonator about a year ago, as a result of being exhausted, in a hurry, and ignoring my gut feeling of something being off - despite knowing about them for years.

It happens, they go for the newbies and the inattentive/unlucky people. The more we talk about it, the more people will recognize the scam by some bad vibes, passive knowledge can matter a lot :)

The problem was I had it on and logged in via their website which made me not realize it it was a scam. I thought I wasn't logged in via browser and that's how I handed my account to them like a dumbass.

I see. Okay and thanks for that suggestion.

I'm sorry for what happened. Hopefully there arent many items that were stolen.

Actually, he stole everything I had. Over 500+ Steam Cards.

If you havent do it already, i suggest you to change your password (including other sites if you reuse it in other places) to prevent another incident.

I secured my account and got it back. But still, had to contact friends, let them know it wasn't me and make sure they didn't get scammed either.

Yes, currently trying to get my inventory back or at least the value stolen from it. Luckily most my friends that got contacted by the scammer didn't steal from them, so that's safe to say they are safe.

Login using steam is absolutely safe, but you should never enter actual steam credentials in any "popup windows". When you enter using steam there should be one button "Sign In". If that's the case - you're safe. If site says "you are not logged in, please enter login and password" - DON'T do it. Open new tab, open steam there. If you are still logged in there - that site was a scam, close it and never go back. If you are not logged in in steam indeed - then login on that new page that you opened manually, then return to the tab with said site, and try to login using steam again - it should show single green button "Sign In". If it still requires login and password - well again, it's a scam site, and close it.

Yeah. Well, I wish there was a possibility. I mean I can trace all my belonging to one account and that has a friend that plays RUST. It's their only friend, so unless that's the culprit I don't know really what it is. The account it was gifted is a Level 0, so it's definitely a puppet account.

In the end, I am paying for my mistake, but I want to warn others to be careful to not make the same mistake as I did.

I'd feel even worst if it did. 😓 Apparently, I was the only serious victim of theft and sending mass messages to others.

Thanks for the heads-up, thankfully you got your account back, but I'm curious how was he/she able to get your cards? He sold them and transferred the funds somehow afterwards?

He sent them to a puppet account by the looks of it. Once he was on my account he messaged others, then blocked them or blocked communication and took everything from my account and sent it there. I have all info on which account and the fact that that account has 1 friend that played RUST for over 1000 hours with a VAC BAN. So that's what I kinda linked up the two.

Why did you have some many cards around anyway?

Farmed them to resell and build badges so I can level it up mainly.

(no offense, but 500 seems a LOT)

Non taken. I had over 2000 in the past that I've sold and made over £30-80 off of it. Traded over 1000 with someone in the past that I wanted to help and was left to about 500 that was well... stollen from me.

I'm sorry for what happened to you, man, that sucks... on 31 Dec at that...

Overall 2022 was a really bad year for me. A lot of personal problems happened. So I don't really know what's up with that.

Thanks for sharing your story with us, so that it became a reminder for us to stay vigilant.

Your welcome. I may never be able to recover my items back though as it seems to in the Steam Guidelines.

And don't forget to change your password, and in case you got the same password for another account, change that too.

That I did. I don't have other accounts.

Glad you got your account back

Thank you, although my items are all gone. 😥

There's no way to get the items once they are given away even if it was stolen according to Steam Guidelines. At this point, I wish I would have sold or done something with all those cards.

The security comes from the fact that bad guys need two things: your password and your 2FA code. Both are on separate devices: your PC and your phone. So if one is compromised, the other hopefully is not.

There are many ways for your password to be compromised: if you re-use the same password for multiple accounts and there is a data leak elsewhere. If malware gets on your PC and all your stored passwords are stolen. And so on.

This does not protect the user from himself however, as is the case here with phishing: by tricking the user into giving them both.
If you need to give your 2FA code, you need to be thinking very critically of what you are doing. Normally you don't need to enter your 2FA code on day to day use as your computer should be remembered after the first time logging in.

That's good. He was doing all this while I was not paying attention. At the time of the warning, I was even working on a project that was important to be finished and launched on 1st. I stopped at once to assess the damage. Little did I know he cleaned my inventory too. I thought he only collected people's data. I just found out my account was affected today, after I reached out to everybody the scammer contacted through my account.

I got my account back quickly too, but did you lose anything? Items and steam cards?

According to Steam Restoration Item Policy, it doesn't seem possible unless Valve goes the extra mile to do it.

View attached image.

Thanks for the kind words. I appreciate it and stay safe out there!

I am optimistic it's gonna be a better year for me. I've lost what I've had to lose. It's time to gain back and maybe more. Despite the incident, I am feeling alright. I'll try to not let it bum me down.

Yeah, but I could never win a debate with them over that. I can't blame them but the scammers and myself for not paying attention and having my guard down. I wish it was as easy to just get the value in money from the cards lost, but I would probably ask for too much. It would be a nice gesture from Valve to be honest. I've been a loyal user and even if I sound now all entitled and stuff and I doubt I deserve that much, I do appreciate that they at least reestated my account back without further damage.

that would at least alert people who enter their credentials on phishing sites.

That's some wishful thinking.

Not the same thing, but I got a bit worried a few days ago when I noticed that in the activity feed from steam there was an entry that I...was now friends with another account...completely in asian letters.

My account is private, I don't have many friends in my list and I haven't gotten or accepted any friendrequest of him/her.
I might have sent a friendrequest to him/her a long long time ago because if this site because I had some people who didn't activate their wins after a longer waiting period.
But I'm not sure and I don't know if steam even "holds" requests that long.

Well I deleted him/her from my list and searched the preferences and the web on how to disable auto accept of a friendrequest on steam.
But I couldn't find such an option and I'm not sure if it even exists. Maybe I'm just very blind.

Nothing bad has happend (up to this day) but I'm still a bit confused about it.

I think friend requests last a long time, but I think being safe than sorry is the ideal thing to do. If you don't know the person or can't remember doing any changes, it's a good sign to change your password and reset your connected devices. This mistake was all on me, so I am well aware how big of a dumbass I am for not checking and trusting my friends.

I don't have anything worth stealing in my account anyway, maybe that was the reason :D

I did and I'm currently bashing my head why I never bothered to sell or trade them all when I had the chance. I kept them in hopes to build it up and then do a bulk sale. I've done that last year and made off of a chunk of my cards about £25 and during Winter Sales on Steam, I bought myself some nice games. This year, I didn't bother to do that, so I left my account easy for picking. I've been farming all year new cards, so I feel I worked it out for nothing.

maybe someone changed nickname

I have it via app. But it asked me for a code. It failed to connect so, if you saw in my second message, I told him that the browser might be the issue or something. I didn't bother to check that my Steam guard on my phone was removed and I couldn't use it anymore. No e-mail notifications to let me know sudden changes were made, and no password changes... No notifications I was gifting the scammer... nothing.