I'm sorry, ik this probably isn't the right place for this but I don't have another way to cope right now. I came home to find out all my CSGO inventory and TF2 and whatever valuable I had was stolen. Over the years I have always been super careful with everything security related and this happened today. I don't know what to do, I am sorry for this post....

1 year ago


Good luck bro

1 year ago

OOF

1 year ago

Do you even know what happened?

1 year ago

No idea, just got home and everything is gone. I don't even know what to say to Steam support, I just stressed out and asked them all over again to help me

1 year ago

Not that I expect it to be of much help, but anything unusual in your Login History?

1 year ago

Oh that's neat I never knew about that, thank you.

1 year ago

Sometimes inventory gets bugged, I hope for you that's the case. It's really awful if you lose all the things you earned hard. I almost lost my Steam account once, so I know how bad that can feel.

1 year ago

search in the trade history, sadly i doubt steam will do anything about that.. :(

1 year ago

If your items got traded to someone, there should be a trade hold for 15 days - unless someone had access to your authenticator.
https://help.steampowered.com/faqs/view/3B6E-B322-2400-8D24

1 year ago

No, they aren't on hold, they clearly had access to my authenticator. I just don't know how since I have used it the same exact way for years now

1 year ago

soooo not having it is safer because it puts them on hold no matter, with best they can do is 24 hour holds with long time friends who you regularly trade with???

1 year ago

Yup, that's the curse of 2FA. This thing is given way more trust than it should.

1 year ago

accounts that don't want to trade should be able to lock down trading with like a week to reset back to trading and multiple alerts and emails

1 year ago

Some time in the past you logged in to a site (skinsite, trading, vote for a team etc) thinking you were using Steam's login applet and that's when your info was copied.
It can take months or years till they finally go in for the kill.
Edit: Of course that's for 99% of the cases. That doesn't mean it was exactly what happened to you.

1 year ago*

Yes I know what you are talking about but I am 100% sure that is not the case. Besides knowing that site stuff and never falling for that for years now, I left trading overall a long time ago and have been away from stuff like that for years. I can't even remember the last time I logged in (purely using the Steam login function button, not my details) on anything besides maybe steamgifts/trades pagywosg and some other trusted websites most of us know about.

1 year ago

If it wasn't the Case, then they wouldn't have unrestricted Access to your Account without even needing 2FA. Somewhere down the Line you logged into a Scamsite, no matter what you tell yourself. If you haven't already, revoke any API Keys that might have been generated.

1 year ago

You still need the authenticator code to access the account. Knowing the login/email and password is not enough.

1 year ago

So Sorry and Sad for you. Hopefully, Steam Support will fix it.

1 year ago

Thank you, but knowing them I'll just get slapped with their policy and that's it....

1 year ago

In all likelihood, you fell for a phishing scam that has compromised your account. Steam Support will not do much for you, but there are some steps you can take to clean up your account and prevent future issues stemming from this incident and you should do all of the following:

1) Change your Steam password. Change your password on your Steam-associated e-mail account as well.
2) Deauthorize all devices: https://store.steampowered.com/twofactor/manage
3) Revoke your API key if one has been assigned: https://steamcommunity.com/dev/apikey
4) Remove your current authenticator then assign it again.

Reasoning:
1) Changing your password will lock out any non-persistent connection.
2) Deauthorizing devices will require sign-in again; combined with password change, this means nobody but someone with your new password can connect to your account.
3) Even without direct sign-in, having access to your API key can allow some account manipulation. If you didn't create an API key, your account won't have a key at all. If there is a key and you didn't create it, there's proof your account was compromised.
4) Mostly just to be safe. It's not easy to generate a shared secret file from a single auth code, but it is possible. Best to just reassign.

1 year ago*

To fall for a phishing scam I would need to have clicked a link and given my details, which I never did, and every time I would get a message from people on Steam for that (even on Discord) I already knew beforehand what they were up to and would even joke around with them, and even then they wouldn't have access to my Steam authenticator for instant trades.

Already did all of that but I just removed my authenticator, didn't set it up again. At least there is no way to instantly trade now, not that I have much more to lose since they cleaned it all up..

1 year ago

That's not the only way. There are a lot of "legitimate" sites that will also skim your information. If you've ever participated on any third-party skin sites, you've played with fire.

1 year ago

No, as I said I have been away from any kind of thing related to skins/trading for years now. Basically all the items I had were gaining value from years ago when trading was more viable. Even so, that wouldn't explain how they accessed my authenticator

1 year ago

Deleted

This comment was deleted 9 months ago.

1 year ago

No it couldn't, he either logged into a Scamsite that generated an API Access Key for his Account, or his shared Secret was linked, which is pretty much impossible unless he has some kind of Virus on his Phone, or has accessed and shared it himself sometime in the past, for example through Desktop Authenticator etc.

1 year ago

it should either be in your market history or trade history

1 year ago

All on trade history, nothing sold on market or else they wouldn't be able to get money out of the items

1 year ago

money could be used for gifting

1 year ago

Yes but the value lost here was around 10k, probably much more. Steam would ban my account from gifting after a few hundred, they tend to do that. Besides, I had a few euros in my Steam wallet and they are untouched. The hacker or wtv the guy is clearly knew what he was doing as everything seems super squeaky clean.

1 year ago

all info in trade history - you know to whom it's traded - and valve would know to whom it's traded from account to account to account - easy for valve to track down your skins - and send them back to you - or does valve not believe you that you would make these crazy trades?
plz update what happens - i am very interested
(this is so fkn crazy! authenticator on your mobile gives no security - wtf?)

1 year ago

I heard about very rare skins which are duped - because they were stolen and copied by Valve for the previous owner - some people lost a fortune because there were 2 skins (e.g. stattrak doppler karambit FN) and after being stolen they got duped/copied for the previous owner like 23 times, so it's no longer just 2 of a kind ... now 25 of this skin... famous story. I always ask myself why? Why would they not bring the skin back to the account it was stolen from? It's ez to see where it was traded from account to acc to acc
These accounts are thieves - why not ban these accounts and just return the skin? Because Valve knows it was stolen, that's why they copy the skin for the victim. I don't get it

1 year ago

Steam already replied, they clearly acknowledged that my account somehow got compromised and can clearly see how the latest trades were completely done with bots but can't do anything about the items as they state it's their policy.

As you said, they had a system where they would dupe items instead of rolling the trades back. Why the hell they do that I don't know, people very quickly understood this method and used it to dupe items. Obviously that makes them lose money (because an item that is worth 10k$, when it gets duped it loses value more and more, so people would waste less of their money on those skins) so if they are losing money obviously they do something about it, which means no help to actual people that get fucked over, and since they don't lose money from people losing their items they don't do anything about it

1 year ago

hopefully you reply back with how it's a federal crime to steal over $1,000, and ask Steam support to raise your ticket to a higher up in the company, because $10,000+ is a breach of United States laws, which overpower company policies. Companies can't help break federal laws by yelling out "sorry company policy can't help you", which would open themselves up to lawsuit issues

1 year ago

They already closed my ticket. I wouldn't know how to contest with what you are saying, nor do I think they would give two shits, as typical

1 year ago

Can you post a link to the thief's profile?

1 year ago

No, posting identifying information is not allowed. We don't want to have witch hunts here as it's impossible to know 100% it was a scammer. It could very well be another account that was hacked and used as a middle man.

1 year ago

Even if I wanted to I wouldn't know, as there are many accounts to which my trades were sent. Initially I was suspecting the hacker was directly sending to people (and through selling websites while putting money on his credits or something) but from the investigation I did, on all the websites I saw he used there was no info on a second account or that he left any type of information, besides an IP address I got from one of the website staff that is probably a VPN address

1 year ago

How were you able to get the IP address from website staff?

1 year ago

I saw that the hacker did transactions on their website and I explained to them what happened and the person I was talking to gave me an IP address and said that was all they had

1 year ago

What website is that? It is really odd they would reveal IP no matter of your explanation.

1 year ago

And if you don't mind can you share with us skin name and its float.

1 year ago

inside job.

1 year ago

It happened to me last week, this Chinese fucker somehow logged into my account and bought something cheap with my Steam wallet, hopefully he only stole like 110 dollars

https://steamcommunity.com/profiles/76561199184220507

this is his only friend so it might be his main account:

https://steamcommunity.com/profiles/76561198098924975

https://steamcommunity.com/profiles/76561198082933695

Jesus Valve I'm going to start thinking it is you who steal from your clients just like the guy above me says

This is a huge red flag to stop wasting my time in this Steam shit

1 year ago

Deleted

This comment was deleted 9 months ago.

1 year ago*

You should not post links to people's profiles and accuse them of being scammers.

1 year ago

Your own fault dude.

1 year ago

steam will just ban whoever got the traded items and will not return anything. sorry they are gone

1 year ago

You are giving out zero details. There is nothing anyone here can do to help anyway.
But I just don't understand how they got around your Steam Authenticator. I know that if you only use an email authenticator, a third party can steal your session id and trade away your stuff, but I wouldn't know how they would do it if the codes are remotely stored on your phone and not the affected computer. Unless of course, your phone is the device that got compromised.

I fell for a scam a few years ago before the app authenticator was a thing. Valve at that time returned everything I lost including my knives, etc, and about $470 in my wallet. I don't think they do that anymore though. But that is also what taught me that it's silly to keep that much value in an online game. Unless money is no object, or you are trading to make more money, it's simply not worth it.

If I were you, I would focus more on how they got the access and codes, and then on the money lost. If there is some malware still present on your devices, your banks, crypto, etc are still at risk. So sort that out while you are trying to reclaim your inventory.

Edit: Here is my experience from 8 years ago. https://www.steamgifts.com/discussion/Htz8U/steam-account-hacked-experiences

1 year ago

And they don't do it anymore unless it was an error on their side. Example:

https://www.youtube.com/watch?v=YOb5qGBdP_I

The only way you could bypass Steam Authenticator on phone is to have one for "desktop" or "server" which could be easily hijacked. But you would also need to steal the session token or phish username and password.

1 year ago

Even if you provide all details of what happened, as Steam says, "protecting your account is your responsibility". A nice way to get away in these cases. Sadly there's no way you'll get those items returned.
Of course, knowing what happened will prevent you from committing the same mistake in the future, but you know, I say a lot "we learn more from errors than from success". I'm sorry for your loss but I hope it never happens again.

1 year ago

For sure, but if only we knew what mistake he made.

1 year ago

They revert trades back if the mistake was on their side.

1 year ago

If what you're saying is true and you never logged in on some weird website recently, it could be the case of sim card cloning where the person just recovered your steam guard without you even realizing. In some countries there are black market services that use mobile carrier workers to do this for all sort of scams, steam included

1 year ago

Sounds like you might have malware on your mobile device.

What protection do you have on your mobile device? If you do have protection, have you scanned it?

1 year ago

yeah, I'm curious if the phone in question is rooted?

2FA TOTP relies on two parameters, a shared secret and the current time, so if a malicious app managed to extract that secret key (which should only be possible on rooted phones), the attacker would be able to basically generate authentication codes at will

Normally this is used when for example you need to export your steam authenticator from your phone to a third party authenticator app:

https://github.com/hyt47/SteamDesktopAuthenticator-Mod-47/wiki/Manually-import-your-Steam-Account-from-Android

which on a rooted phone, you could just pull the relevant files using adb which contains the secret (/data/data/com.valvesoftware.android.steam.community/files/SteamGuard-*)

1 year ago*
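
The comment above says TOTP depends only on a shared secret and the current time, and step 4 of the clean-up list earlier in the thread (remove the authenticator, then assign it again) rests on the same property. The sketch below is an added illustration, not part of any post here and not Steam's code: it uses standard RFC 6238 numeric codes as a stand-in for Steam Guard, and the `Verifier` class, the account name and both secrets are constructed for the example.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: the counter is simply the number of elapsed time steps."""
    return hotp(secret, unix_time // STEP, digits)


class Verifier:
    """Hypothetical server side: one stored secret per account."""

    def __init__(self):
        self.secrets = {}

    def enrol(self, account: str, secret: bytes) -> None:
        # Assumption: enrolling again issues a fresh secret that replaces
        # the stored one, as in standard TOTP enrolment.
        self.secrets[account] = secret

    def check(self, account: str, code: str, unix_time: int) -> bool:
        # Accept the current step and one step either side for clock drift.
        secret = self.secrets[account]
        counter = unix_time // STEP
        return any(
            hmac.compare_digest(hotp(secret, counter + drift), code)
            for drift in (-1, 0, 1)
        )


def demo() -> dict:
    now = 1_700_000_000                      # constructed timestamp
    old_secret = b"constructed-old-secret"   # constructed sample values
    new_secret = b"constructed-new-secret"
    server = Verifier()
    server.enrol("alice", old_secret)

    phone_code = totp(old_secret, now)       # the owner's phone
    copy_code = totp(old_secret, now)        # any other holder of the secret
    later = now + 10 * STEP
    results = {
        # The server sees a valid code and cannot tell which device made it.
        "copy_matches_phone": phone_code == copy_code,
        "copy_accepted": server.check("alice", copy_code, now),
        # A single captured code expires; a copied secret does not.
        "captured_code_valid_later": server.check("alice", phone_code, later),
        "copied_secret_valid_later": server.check(
            "alice", totp(old_secret, later), later),
    }

    # Re-enrolment: the old copy stops working, the new secret works.
    server.enrol("alice", new_secret)
    after = now + 20 * STEP
    results["old_copy_after_reenrol"] = server.check(
        "alice", totp(old_secret, after), after)
    results["new_secret_after_reenrol"] = server.check(
        "alice", totp(new_secret, after), after)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
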

Here's an article from a few years back that talks about malware being able to get Google Authenticator's 2FA codes.
https://www.tomsguide.com/news/scary-android-malware-can-steal-your-2fa-codes-and-swipe-patterns

This is the blog from the mobile security firm who discovered it and explains how it works. You might want to just skip the first article since you have some knowledge about things like this.
https://www.threatfabric.com/blogs/2020_year_of_the_rat.html

1 year ago*

Actually, it's not that easy to get the shared secret from the latest Steam app even with root. Something is not right here. Either OP doesn't tell us everything, or this is some 0-day exploit and we will face a massive wave of stolen inventories in the nearest time.

1 year ago

Actually, it's not that easy to get shared secret from latest steam app even with root

It seems you're right, the process described before was specific to the 2.x version of the authenticator app, which changed with the new 3.x app

https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Two-factor-authentication#android-phone

from what I understand, the old app still works, and one can downgrade by installing the old apk and pull the secret that way

1 year ago

From what I understand - just a downgrade won't help, one needs to disable 2fa, downgrade, enable 2fa again, get the secret key (root is needed), and then upgrade the app. Obviously this won't help if someone is trying to steal 2fa, because it would lead to a temporary trade block, and will be noticed.

1 year ago

I see

still even the new app has got to store the secret somewhere on the phone, it might not be in plain text anymore, but it has to be stored somewhere even if encrypted, and the full TOTP process still has to work offline, so in theory it should still be possible to "extract" it on a rooted phone..

someone motivated could decompile and peek into the official APK to figure out where exactly ;)

EDIT: there seems to be some progress over here:

https://github.com/JustArchiNET/ArchiSteamFarm/discussions/2786

1 year ago*

In theory - yes, but we still don't have anyone motivated enough. This may actually help many users who want to use 2fa in both steam app and ASF at the same time. It's still possible, but with going through many loops, so simple and direct method would be appreciated.

1 year ago

+1 This can't just happen out of the blue, and i know some people can get crazy but why on earth would someone maintain 10k of CS GO stuff in the first place? To what reason?

1 year ago

what's the problem? he can put his money in anything he wants.

1 year ago

Well, maintaining a huge inventory is believable, people love to hoard. But stealing inventory with 2fa enabled, without "help" from the user's side (phishing) and without direct access to devices? That's strange at the very least. And why were only two inventories stolen, and the rest left intact?

1 year ago

Even if they had the codes, they can only get access to the account. They will need access to the app to do the actual trade confirmation. I'm not sure if the codes alone will allow them to move the app to a new device.

1 year ago

I'm sorry you had to experience such a dramatic loss because you trusted the wrong people. No, I don't mean the scammers who phished your account data most likely but the so-called security experts preaching year in, year out how much safer Steam's 2FA is.

In practice, any system where there's no built-in time delay giving the user a chance to discover a security breach and hopefully recover from it before suffering any damage is fundamentally flawed. That's why the only secure method to use Steam is to not enable 2FA and have to wait 14 days.

1 year ago

That app is so bad that they're the ones responsible for his loss, because his virtual money and digital goods were with them and they're responsible for security breaches on the Steam App. It's like having money in the bank but they're not a bank, and even banks don't want to take responsibility when it comes to their own apps when phishing is a thing here in México.
There's this guy that lost 8 millions without having access to an app, he claims he didn't have a token so he managed his bank account the old school way (going to the bank and checking everything there) but still he lost his money and he claims there are high rank bank people involved. This happened with HSBC and my older brother tells me that they've been in money laundering scandals in Europe.
The 8 million guy sued them, a judge ruled in his favor and HSBC is still looking for ways to not pay.
It's the same thing with Steam, they just wrote on paper they're not responsible for anything, and that is bullshit.

1 year ago*

Man that sucks. You had 2FA but still got scammed? Did you use a rooted phone and connect it to your PC?

1 year ago

I wouldn't call it scammed because that would mean I would have fallen for something, which I didn't. I literally got home yesterday and everything was traded off in the 1h or 2 I was out of home.

1 year ago

I'm not a native English speaker, maybe scam was wrong but theft is more fitting. I'm just curious how these scumbags managed this. I've always thought that 2FA is super safe, heck I even have a mobile phone w/o SIM only for the Steam App! That's how paranoid I am lol

1 year ago

I have always been super careful with everything security related

Stupid question.. But is there anybody else with access to your phone/PC. Maybe co-worker stole your stuff when you left your phone on charger and steam opened with clicker heroes running on work PC while you went to the toilet xD

View attached image.
1 year ago

What a great animated gif.

1 year ago

That's most believable explanation so far.

1 year ago

No, I am actually super paranoid when it comes to logging in to anything outside my home, even hotmail/gmail, I always take a step back and make sure everything is OK

I barely ever logged in with my Steam account on PCs other than my home PC which I have used for years.

1 year ago

Then my only guess is that your account was targeted because of valuable inventory. How they did it though?
maybe it's not just steam, but your whole PC/mobile were compromised.

1 year ago

Just curious - how would Clicker Heroes in specific have anything to do with that?

1 year ago

That could be any other game if you use steam and play at work xD Used clicker heroes as example because it was running in the background for quite a long time in my case xD I mean - I have 1600h in this one xD

1 year ago

You greenhorn 😉
I have 7266,6 hours in it but eventually stopped in June 2019 - or even before that. I might have started the game by accident back then in 2019. Pretty sure I stopped a few years before that already.
But yeah - it's a terrible time eating game.

1 year ago

Nice. I was lucky enough to fight off the addiction earlier :)

View attached image.
1 year ago

One of my Steam friends also recently got hacked and sent fishy links to all his friends. He recovered his account in less than a day but also has no idea how it happened. He said he has two factor auth on and didn't fall for anything weird recently, so he has no idea how they did it. He's not "computer dumb" so I don't doubt him.

1 year ago

You might also have shared your Steam Web API key with someone or installed a malicious browser extension which has read it if you are logged in in the browser via Steam. Also, check your trading and market history.

1 year ago

And what version of Android does your phone have and what is the month of the latest security updates?

1 year ago

I don't think the Steam Web API key has that much power. As far as I understood, it can just be used to read some data https://steamcommunity.com/dev/

1 year ago

https://partner.steamgames.com/doc/webapi

This list is indeed quite longer than the one I had.
But even there I find nothing that would allow, for instance, sending a trade with the API key. The page related to trading is here, and it's all GETs except for methods that require a publisher API key (but even those POSTs don't look quite risky)

1 year ago

You can't do it directly and you need help from additional software and you need to have a Steam Web API key. ASF trade bots as well as other trade bots operate using that API key. That's why people asked OP to check trade history (but we don't have an answer to it)

1 year ago

you can't send trades using the official Steam Web API, those tools (ASF and trade bots) directly use the same backends that are used if you were directly using a browser, which first require logging in with your password to grab whatever token is returned to authenticate the user (i.e. whatever is stored in your browser cookies)

1 year ago

you can bypass 2fa by having access to the account's steamLoginSecure stored in someone's cookies

Steam Web API key can alter people's trades, so it can be used for theft also.

Sometime over the years you have messed up or been tricked into giving away these credentials, or a "trusted" site has also been compromised. You never know what site has had a data leak and that's all it takes

1 year ago*

does this code (steamLoginSecure) change or it's the same every time you log in? And OP you used to farm cards?

1 year ago

it's a session cookie, without which sites would ask you to re-login every time you visit a page

https://en.wikipedia.org/wiki/Session_hijacking

1 year ago

Check API KEY ASAP.

1 year ago

Check for malware on your phone or PC, most likely phone since trades would have to be confirmed from the authenticator app. I had no idea there was such a thing as a Steam API key, but it looks like it's worth checking too if you ever made one.

1 year ago

Uhm...No idea about the API key? Maria you've started drinking? You use it to login even here :D C'mon you know this.

1 year ago

On an unrelated note, I just found about 10k in my CSGO inventory.

1 year ago