As I already wrote,
You think I care about it? -.-
So. What was it though? Was it just some site spoofing the Steam Login page?
Why should somebody hack a level 6 account? -.- What's the true story? I never hear anything like "I clicked on a link and lost my account" -.-
PS: If your account was hacked and the password was changed, what account is this here on SteamGifts? You shouldn't be able to log in if your password had been changed.
He put his login credentials into a non-steam window. That crap is bound to happen :/
Hack probably isn't the proper term, they just used the information that LonletMoon gave to them.
But he should get a message at the Steam authenticator. If he also used this code then it's not hacking.
Yea, that's what I said, hacking is not the correct term. I just assumed he stuck in his authentication code when the fake prompt came up.
Yup, my term is wrong, it is not hacking. ExpuedWaffle said the right things.
But the code expires within seconds. I don't think that the scammer was right behind the computer waiting for someone to fall for it.
This. Whenever I see someone say they got "hacked" it never makes sense. There is always more to it.
Funny to read that when Steam refused to use HTTPS until really not long ago ^^
(but yeah, I agree)
Steam has used HTTPS on the login page for ages. I don't remember if there was ever a point in time when it didn't - maybe in 2003, but definitely not when I started having fun with the platform, and that was a good 6 years ago at the very least. I also don't remember if things were different when I joined the platform 10 years ago, but I'm pretty sure HTTPS on the login page already existed back then.
No, using HTTPS everywhere is not always required or possible. The general tip from PurpleAshe stands and is universal across all platforms and all services you can interact with - if you're inputting sensitive details, always ensure that the site is not only HTTPS, but also signed with a trusted SSL certificate that confirms authority.
Logging in on HTTPS only to then use that session cookie over an insecure connection is almost useless. A year ago it was still a nightmare to try and force HTTPS everywhere on Steam Community: https://github.com/EFForg/https-everywhere/issues/12477
Under normal circumstances no third-party site will be able to fetch Steam cookies, and if you're talking about OS breach then you don't even need to go that deep, since your machine is already compromised and you have full access to everything, including his session in Steam client. You never talk about security if you assume that attacker has physical access to protected files.
Moreover, session token is verified against IP (and also UserAgent IIRC), so even if you somehow sniffed it through insecure traffic (next to impossible if you're not a LAN attacker), it'd be useless for you. You'd need to spoof entire network communication, and since session token is used only for TCP-based http(s) services, you'd never get past initial SYN/ACK reply. Unless somehow you'd be in charge of doing man-in-the-middle attack in addition to sniffing traffic, but then it's the same case as physical access to protected files. You'd also need a lot of effort for that, but that's irrelevant.
So no, from all the shit that Steam does and everything I have to go through, this one nifty detail with securing only login window wasn't irrational. It worked and wasn't flawed. Extending that secure connection to everything else, while clearly beneficial, was not a requirement to make things secure. The objective was to secure transmission of sensitive login details, since those actually could be sniffed and made use of. MITM attack is possible even with fully encrypted channel, so it's not really beneficial to go this route.
My secondary FB account got hacked because FB forced me to add a phone number in the past and I used a temporary phone number. Thanks FB for forcing me to lower my account security :x (no, no way in Hell I'm giving my real phone number to Suckerberg)
Gladly, I noticed promptly and recovered my account in a few seconds from my e-mail.
What mistake? FB doesn't have to require my phone number, it will actually soon be made illegal by GDPR to force people to hand over personal data which are not technically required.
Steam is a different story, they're not even close to being as Big Brother-ish so I don't mind too much giving my real phone number (plus they don't require a phone number, so when I don't want to give it I just don't give it, no need for a phony one ^^).
This mistake that you luckily avoided, but not because of logic or knowledge, but pure blind luck.
No, Valve would not reverse that ban, regardless of your reasoning. If you did what you claimed with both services, you'd regret it and blame your stupidity for the rest of your Steam life.
NEVER use publicly accessible phone number for anything security-related. It's better to not use 2FA at all, rather than using something as shitty as that.
So... it would be a mistake to do this on Steam. Doesn't make it a mistake to do this on a secondary FB account.
I love your commitment to privacy, too
NEVER use publicly accessible phone number for anything security-related. It's better to not use 2FA at all
It wasn't for anything security-related, it was just because Suckerberg forced me to enter a phone number.
It's a security flaw regardless how you look at it and regardless how much you don't care about the account you've just set up. Only because you don't care doesn't make it right to set it up like you did, you can only relate to how much that mistake will cost you, from "I couldn't care less" to "I'd be very happy to find out all my bank funds in a bank of China". The mistake is there, and should be corrected, because it's a security flaw that basically makes your account accessible to anybody having access to that phone number, without even your login details, as phone number is considered one of many authentication methods, especially for account recovery, and it's even stronger than e-mail.
Even using a one-time SIM card worth $5 tops would be more secure than this.
and it's even stronger than e-mail
It shouldn't be, particularly as FB allows the use of PGP-encrypted e-mails.
Anyway, it turned out great: I had no trouble recovering the account, and was able to delete the phone number without setting a new one. As a bonus I got to pin the (real) phone number of my hacker on my wall. All-in-all, a pretty fun adventure that would never have happened had I caved in and given my real number in the first place.
Wow. I mean, those "hackers" should have asked for credit card number & cvv instead.
Same thing happened to me in 2009. Just show them your payment screenshot when they ask and they will change the pass. Don't worry, Steam support will retrieve your account.
They would have had to enter it once to log in, again for the password change, and again to disable SteamGuard. Those could all happen in quick succession, with the website saying that the previous attempt didn't work and prompting them for the code again, but it does seem strange.
If you slightly switch the order and disable SG (SteamGuard) first, then you no longer need it for changing the password, effectively making it 2 tries total.
And chances are, OP didn't even notice when the site prompted him to try again. We tend to notice something is out of order once it doesn't work for the second time, not the first one.
Moreover, I'm pretty sure there is a way to do it in one go without even wasting the initial token for logging in, but I'd need to verify that first and I'm too lazy for that. So 2 SG codes are definitely enough, perhaps even 1 when using a specific reset option, if Steam permits.
Well, the least you can do before logging in to a third-party website is to make sure it has a https:// extension.
https:// websites are encrypted by TLS or SSL and thus prevent MITM attacks. This is of course a case of MITM/Phishing.
Only you can protect yourself from a phishing attack because it isn't active hacking, it's social engineering.
https:// websites are encrypted by TLS or SSL and thus prevent MITM attacks.
Yes
This is ofcourse a case of MITM/Phishing.
No it isn't. MITM and phishing are two separate things. Encryption doesn't prevent phishing.
If you want to prevent phishing, you need to make sure that the site's certificate is actually from Valve.
SSL prevents MITM. It indeed doesn't prevent Phishing though but it's difficult to get an SSL certificate for a phishing site. At the very best, you'd use Comodo to get an extension because they're lazy AF. The thing is SSL can protect your connection, the mobile authenticator too has a harmful website alert feature.
Eh no, with letsencrypt around you can get free SSL certs for any amount of domains you own. Everybody can get a valid, free, safe and trusted certificate today, hence the most common DV (domain validation) certificates do not prove anything but a secure connection between you and the server, and that's everything. However, EV (extended validation) certs actually do, since they're much harder to get and always involve the name of the company being visible next to the green lock.
https://steamcommunity.com will say "Valve Corp. [US]"
https://asf.justarchi.net/STM won't say anything, since it's not an EV certificate
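The two checks this comment describes (is the host really the genuine domain, and does the certificate carry an organisation or only a domain name), as an added example that is not code from the thread or from Valve. The allow-list, the `xn--`/punycode handling and the certificate subjects are constructed for illustration.

```python
# Added example (not from the thread or from Steam): checks a user or a
# link-scanning tool can apply to a login URL before credentials are typed.
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list of hosts that legitimately show the Steam login form.
GENUINE_LOGIN_HOSTS = {"steamcommunity.com", "store.steampowered.com"}

# Subject attributes that only EV certificates carry (CA/Browser Forum EV rules).
EV_ONLY_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}


def host_of(url: str) -> Optional[str]:
    """Return the host a browser would really connect to, or None if not HTTPS.
    urlsplit().hostname drops userinfo and port and lowercases, so the lookalike
    'https://steamcommunity.com@evil.example/' yields 'evil.example'.  Unicode
    labels are normalised to punycode so a homoglyph never equals the ASCII name."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    try:
        return parts.hostname.rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return None


def is_genuine_login_url(url: str) -> bool:
    return host_of(url) in GENUINE_LOGIN_HOSTS


def subject_from_peercert(peercert: dict) -> dict:
    """Flatten the 'subject' of ssl.SSLSocket.getpeercert() (a tuple of RDNs,
    each a tuple of (type, value) pairs) into a plain dict."""
    return {k: v for rdn in peercert.get("subject", ()) for k, v in rdn}


def classify_cert_subject(subject: dict) -> str:
    """'EV' if the subject names an organisation plus the EV-only registration
    fields, 'OV' if it names an organisation only, 'DV' if it carries nothing
    but a common name (what Let's Encrypt and other free DV CAs issue)."""
    if not subject.get("organizationName"):
        return "DV"
    return "EV" if EV_ONLY_FIELDS.issubset(subject) else "OV"


# Constructed certificates in getpeercert() shape; field values are made up.
EV_PEERCERT = {"subject": ((("countryName", "US"),), (("organizationName", "Valve Corp"),),
                           (("businessCategory", "Private Organization"),),
                           (("jurisdictionCountryName", "US"),),
                           (("serialNumber", "CONSTRUCTED-REG-NO"),),
                           (("commonName", "steamcommunity.com"),))}
DV_PEERCERT = {"subject": ((("commonName", "asf.justarchi.net"),),)}

if __name__ == "__main__":
    for link in ("https://steamcommunity.com/login/", "https://steamcommunity.com@evil.example/",
                 "https://steamcommunity.com.evil.example/login", "http://steamcommunity.com/"):
        print(f"{link:50} genuine={is_genuine_login_url(link)}")
    for cert in (EV_PEERCERT, DV_PEERCERT):
        subj = subject_from_peercert(cert)
        print(subj["commonName"], classify_cert_subject(subj))
```

Passing a real `getpeercert()` result through `subject_from_peercert` makes the classifier usable on a live connection; a DV result on a page asking for credentials is exactly the case the comment warns about.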
Yeah, LetsEncrypt and Comodo both provide free SSL certifications.
I just got my Steam account phished, because my friend just sent me the link. After I logged in to my account on this website my Steam Guard was unlocked and my password was changed. I think my friend's account was also hacked by the hacker, because my other friend also received the same letter from my account after I was hacked. Now I have passed the case to Steam support and am waiting for their reply letter; hopefully I can take back my account. I'm writing it here because I don't want other people to make a stupid mistake like me.
PS: After I checked the code of the website, I found that it is a simple HTML format, sh........