Despite my long experience with Steamgifts, this is the first thread in the forums I've created.

Just about half an hour ago I got my Steam account hacked. Someone from my friendlist sent me a link. I opened it and it seemed to be just another free giveaway site, like hundreds I had visited before. The thing is, it requested to sign in through my Steam account, which I carelessly did. Even though I was using mobile authenticator, someone took over all my Steam data. I received a series of emails, informing me that my telephone number associated with Steam got changed, my authenticator removed, my email address connected with Steam changed as well, and my main password reset. I contacted Steam right away and I hope to get my access back - there's over a thousand games I've lost, many of which I haven't even played yet (including the Witcher 3, goddamn it!).

This message is a warning to all of you. The link used by the hacker was keysmagic.fun. Don't enter this link if anyone sends it to you - remove them from the friendlist mercilessly. The IP address of the computer used for the hack is based in Russia. Whoever did this, I hope you can never again get an erection, and your organism evolves taste buds in your anus, you f**k. To all other Steam users - keep safe, this may happen to you as well. Think before you act, just as I didn't.

EDIT: Account recovered, nothing's lost except some of my pride. Have a train to celebrate: http://sgtools.info/giveaways/d13c83b2-68e9-11e9-84e3-fa163e96784d

5 years ago*



Sorry to hear that, hope you get back your account.

Thanks for sharing though. Me too, I usually use sign-in with my Steam account without even thinking further that they could change anything on my account. Lesson learned.

5 years ago

Don't misunderstand this:

The page did not use the sign in with Steam in any way.
It faked a page that looked like Steam, and while the user is logging in and using the authentication, a bot in the background does the same thing on the real Steam.

ALWAYS check the URL of the page you are signing in to.

5 years ago*

+1

5 years ago

OK, I get it. Someone signed in to my Steam account using my nickname, password and the mobile code I entered. But there's still one thing missing: how could they remove my mobile authenticator without me getting a text message to my phone? It seems they redirected the authenticator to some other phone number. How? That's bothering me.

5 years ago

there should be some sort of confirmation thingy before they remove authenticator right?

5 years ago

That's what I expected, a validation of some kind on my phone. Well, this doesn't work the way I understood it.

5 years ago

I guess they use some kind of bot/script. See, every login token of Your mobile auth is valid for a specific amount of time. Immediately when You enter Your Steam auth token on the fake site, the bot gets it and runs a couple of commands in a few seconds, like changing the phone number -> there he is asked to enter a Steam auth code, but since he does it all in just a few seconds, the Steam auth code You entered on the fake site is still valid for all needed actions.
At least this is how I think it might be done.

5 years ago

I imagine a similar scenario. This way the hacker completely bypasses the mobile authenticator - I don’t get to confirm anything on my phone, because all confirmations are done using the one code they phished from me. If that’s actually the case, then a fix feels rather simple and obvious: make the codes valid for one action only, and voila - no more scams of this kind.

4 years ago

Yea, thought the same thing about 1 code for 1 action. But then after you typed in the first code correctly on the fake site, it will say "code was wrong" and you will enter a second code, since you don't suspect the site to be a scam, and then they will use the second code to change your phone number first xD
Maybe they should add something like, if You wanna change phone number, you need to enter auth token + verify the action by clicking on a link Steam sends to your email. So you might be safe if you use another password for your mail than for Steam. I don't know.
In the end, the best thing is just to be careful.

4 years ago

I believe they start by changing the phone number associated with the account so you wouldn't get a text message, they would get the notification to the new number they entered.

5 years ago

That seems to me like a pretty big flaw in the authentication process!

5 years ago

Yes I agree, it's something they should review. Just an e-mail asking to confirm the new number would be enough to make it safer.

5 years ago

Yeah this scam has been floating around for a few weeks (months?) and yep Valve authentication process is broken.
What's the point of having an authenticator if just anyone who gets your login info can change the phone number and bypass your authenticator in seconds?

There should be an email confirmation at least if you are changing because you lost your phone or something. It's ridiculous.

5 years ago

I am afraid it got past the authenticator - now I don't feel safe on Steam.

5 years ago

Yeah, that's the worst thing - apparently Steam mobile authenticator is useless now. Hopefully someone comes up with a way to secure Steam accounts better.

5 years ago

Thank you for sharing your story and warning us!

5 years ago

Yes, I could come up with a better thing. Global net police funded by the UN and death penalty for hacking. The world is in need of Draconian law once again instead of fighting by weirdos to make prisons like 5-star hotels.

5 years ago

The authenticator is working properly, you just have to be careful to NOT enter your authenticator code on sites that are not Steam's. If you want to make 100% sure that you're safe when you get asked to log in from a site like that: don't enter any info, go to Steam's site in a different tab and make sure you're logged in to Steam, then just refresh the site that wanted you to log in, and you'll get a choice for your account instead of it asking you for a password and Steam Guard code.

As for steam having a way to remove the authenticator after you've gained access to the account, they should really look into fixing that, it's been going on for a while now.

5 years ago

Thanks for the tip, I didn't know that makes any difference. Still, I find it strange and disturbing that someone is able to remove my authenticator without me confirming it. Something's clearly wrong with the security measures Steam's using.

5 years ago

But you did confirm it, when you gave your information to the phishers.
Stop blaming Steam, they don't stand a chance as long as users willingly give their information to phishers. Doesn't matter how many checks they put in.

5 years ago

I didn't give away my phone number. I was sure having the mobile authenticator enabled would protect me; someone else couldn't access my account without an SMS sent to my phone, that was my thinking. I was painfully wrong.

And to be perfectly clear here: I'm blaming myself in the same percentage as I'm blaming Steam. Their authenticator provided me with a false sense of safety, which dimmed my thinking. I should have known better, and that's a fact. But also, I'm wondering how there apparently are so many scams of that type going on and Steam isn't able to protect its users better.

5 years ago

"they don't stand a chance as long as users willingly give their information to phishers"

5 years ago

You blame Steam for your lack of understanding what kind of protection the authenticator can provide and what not?

5 years ago

As I said a few times already, I blame myself for my carelessness, which was a direct cause for what happened. I could have avoided all the trouble just by using some common sense.

Also, I blame Steam for basically forcing its users to enable two-way authentication which can apparently be compromised without using the phone. Therefore, this isn't really a two-way authenticator, is it?

5 years ago

It is a two-way authenticator, because it only works if you have the account info and the code from your phone. It's your responsibility not to send your info to people you shouldn't (and by ignoring this, nothing is safe if you go around yelling your passwords and combinations, simple as that).
You are the weakest link between your phone and PC, so if something needs to be improved, that is you in the first place :P

5 years ago

+1

5 years ago

There are several methods to minimize phishing success. And Steam does none of them. A simple e-mail verification would stop a lot (most sites require e-mail verification to change your password, so why doesn't Steam require it for removing the authenticator?). IP checks can also help (especially if the e-mail doesn't just show the IP but also the geolocation). Or a confirmation sent to the authenticator itself, like when you sell stuff on the market.

5 years ago

+1

5 years ago

The code should just be a one-time use.
Then they could log in, but nothing else, as they would need it again to change the mail or deactivate the 2-factor.

5 years ago
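The replay scenario described a few comments up (one phished code reused within its validity window for login, phone change and authenticator removal) and the "one code, one action" fix proposed here can both be shown with a small server-side verifier. The following is an added example written for this thread; it is not Steam's or Valve's code and does not claim to match how Steam Guard codes are actually generated. It assumes a standard RFC 6238 TOTP scheme (30-second steps, 6 digits), a constructed demo secret, and a toy "bot" that runs three actions a few seconds apart. The hardened verifier records the highest time step it has already accepted, as RFC 6238 section 5.2 recommends, and refuses to accept a code from that step again.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per TOTP time step (RFC 6238 default)
WINDOW = 1     # accept +/- one step of clock drift
SECRET = b"constructed-demo-secret-not-real"  # constructed for this example


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP code for a given time-step counter (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


class Authenticator:
    """Server-side verifier. With replay_protect=True each time step's code is accepted once."""

    def __init__(self, secret: bytes, replay_protect: bool) -> None:
        self.secret = secret
        self.replay_protect = replay_protect
        self.last_accepted = -1  # highest time-step counter already consumed

    def verify(self, code: str, now: float) -> bool:
        counter = int(now // STEP)
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            if hmac.compare_digest(totp(self.secret, c), code):
                if self.replay_protect and c <= self.last_accepted:
                    return False  # same (or older) step already used: treat as replay
                self.last_accepted = max(self.last_accepted, c)
                return True
        return False


def simulate_attack(hardened: bool, now: float = 1_700_000_000.0) -> list:
    """Replay the single phished code against three actions a few seconds apart.

    Returns [(action, accepted), ...]. The three actions mirror the thread:
    log in, change the phone number, then remove the authenticator.
    """
    auth = Authenticator(SECRET, replay_protect=hardened)
    phished_code = totp(SECRET, int(now // STEP))  # the one code the victim typed on the fake site
    results = []
    for i, action in enumerate(["login", "change_phone", "remove_authenticator"]):
        t = now + 2 * i  # bot acts 2 s apart, still inside the same 30 s step
        results.append((action, auth.verify(phished_code, t)))
    return results


if __name__ == "__main__":
    for label, hardened in (("no replay protection", False), ("one code, one use", True)):
        print(label)
        for action, ok in simulate_attack(hardened):
            print(f"  {action:22s} {'accepted' if ok else 'rejected'}")
```

With replay protection off, every action succeeds on the same code; with it on, only the first use (the login) succeeds and the phone change and authenticator removal are rejected. Note what this does not cover, as the next reply points out: a phishing page that claims "code was wrong" and harvests a second, fresh code still gets a valid code for a second action, so a one-time rule is a useful floor but not a substitute for an out-of-band confirmation on sensitive changes.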

They don't already? Then what the hell are the recovery codes that they give you when you first link your authenticator and they tell you to write them down and they won't show them again.

I find it strange really, just reading through the Steam FAQ it seems to me like all that's needed is for Steam to have some kind of confirmation, or even just a minute's delay, on removing the linked phone number, as removing 2FA is not (or at least it should not be, imo) possible without recovery codes, which you can't get without an SMS to your linked phone number. However, it would seem that you can unlink the phone number with the same guard code used to log in if you do it fast enough, since the code changes once a minute, which means a new phone number can be linked or something.

5 years ago

It seems to me that you're right about how authentication codes work. The hacker must have used the same code twice - first to gain access to my account, and then to change the phone number associated with Steam.
At least now that's the only plausible explanation I see.

5 years ago

Exactly why I am afraid - every Auth code is 1 TIME use ONLY. The hackers got around the defences. Wake up people.

5 years ago

Yeah it’s pretty stupid

5 years ago

If you lost access to your 2FA app.
And lost access to the phone number you used to setup the 2FA.
Steam will ask for your R-Code as a last resort.
If you don't have that, you will have to contact support, and they will ask you for a receipt or something.
That's what the R-Code is for.

5 years ago

The recovery code is actually the first one you get as a choice if you go to the "remove authenticator > I've lost my authenticator" page, to do it with a phone number you have to go a page further to "I lost my recovery code"

I'm not exactly sure where the whole problem lies but I believe it might be the ability to change the linked phone number without any of that, I didn't try to go in any deeper in the support page but I went through "I don't have my authenticator > i don't have my recovery code > I don't have the phone number > I don't have the email" and after that it asked me for steam password and I didn't bother, don't want to accidentally end up unlinking mine and getting trade locked for half a month.

5 years ago

Steam has to be incredibly incompetent with shit security if their authenticator doesn't even work correctly.

5 years ago

Sure, it must be Steam's fault when people willingly give away their password and 2FA code to phishers... People not being able to handle their own passwords properly is why we are bothered with 2FA in the first place (and soon with biometrical crap, too)

5 years ago

+1

5 years ago

+1

5 years ago

Actually it would be Steam's fault when a mobile authenticator can be removed that easily. Especially with an IP that's 3000 miles away from the last log in.

5 years ago

Absolutely

5 years ago

I agree that Steam's security is poorly designed in some areas and particularly around 2FA. Notably by making their 2FA application basically mandatory (otherwise you're punished with a 15 days trade hold, and I'm not even sure you can use the market), by making people feel as if they are 100% safe as long as they have 2FA (and 100% unsafe if they don't), and by giving 100% trust to anyone providing a 2FA code no matter how far their IP is from the usual account IP(s) and how sensitive the actions they perform (like changing credentials or suddenly trading away all their inventory).

But still, there's only so much a company can do to protect you when people are both reckless with their credentials and unwilling to experience any "complicated" process (like getting e-mail confirmation links or waiting a day) that could improve their account's security a lot more than just a crappy 2FA app that requires a phone number and either a smartphone or a workaround.

5 years ago

We'd need DNA samples to keep some people from being phished.

5 years ago

I'm sure many companies are thinking about it already 🤔 (and that some like Google are even dreaming about it)

5 years ago

I think you no longer need that anymore as long as the transaction is under $1. They should automatically block them if they see a log in completely different from the last place that was logged in. Google does it for gmail.

5 years ago

Google keeps locking me out of my work account in order to ransom me for my phone number. Not a reference.
But yeah, other companies send you an e-mail in such cases, sometimes it's just a notification (one of my hosting providers comes to mind), sometimes it's a code that you need to enter in order to continue (Indiegala and Fanatical protects keys like that). There are many options, they just need to implement a few... and give users a choice about them.

That being said, something that I missed initially is that OP was able to lock their account as soon as it was "hacked", so the system in place actually kind of works already, even though there's room for improvement.

5 years ago

It would probably be enough to make each code one-time use only.

5 years ago

Yeah. And the weird thing is that the code they send via e-mail (when authenticator is disabled and you set up the "cheap" 2FA via e-mail) is one-time use itself (last time I tried, that was a while ago)... I don't get why they don't do that with the authenticator too.

5 years ago

Yeah, the 2FA is completely useless that way

5 years ago

Sorry to hear that. To everyone, remember these simple steps to avoid being hacked:

  • Log on Steam using your browser.
  • Go to the site that requires you to log in (if the page is not already open).
  • Refresh the page.

If the site still asks you to log in, it's a scam.

5 years ago

I am using the desktop client - wouldn't it be just as safe?

5 years ago

But you can't use it to browse sites outside of Steam.

5 years ago

Yes, you can. You get inside a game and use the Steam overlay (which uses Google Chrome).

5 years ago

Didn't know that. However before visiting any potentially dangerous site, it wouldn't hurt to visit the main Steam site.

5 years ago

That's a good tip, but clicking on a site before researching it will get your account hijacked.
The best tip for this type of scams is to write back to your friend - if he has his account hijacked with the JavaScript code hidden in the link, he/she won't respond to your message.

5 years ago

That's a good tip, but clicking on a site before researching it will get your account hijacked

What do you mean by that?

5 years ago

Well the user above me said that you need to sorta double check if you are on the official Steam channels, but I am speaking in general that some users actually click on the link to check it out regardless, and while some links ask you for your credentials, others automatically hijack your account via a script, just from clicking on the link.

4 years ago

How can clicking on a link hijack your account?

4 years ago

Automatic script. As you can see the Steam codes have been re-used, which we thought of impossible until now.

4 years ago

Yeah, I get that there is a script running, but if I just open that link, they don’t have any data from me

4 years ago

If a Trojan horse is downloaded via the script, a hacker might exploit a vulnerability and do all kinds of things - there is already such a Trojan in existence and trust me, your Steam credentials will be the least of your worries...

4 years ago

But how can anything be downloaded (and executed) without my consent

4 years ago

Well there are very nasty scripts with auto-downloading - some browsers can be bypassed, even if you selected the option to ask you about every download. Hackers find ways. Although - this particular Steam account hijacking has like 4 variants (known) - only 1 of them involves a Trojan horse. And while it doesn't seem to be that common or sophisticated yet, hackers keep pushing and I fear that it won't be long until they buy SSL certificates to spoof the official Valve one and do something more severe.

4 years ago

You only need to check this to know your info goes to Steam, not to a random site.

5 years ago

Sometimes you cannot see this, and certificates like this can be spoofed and cost 20 dollars...

5 years ago

If you can't see it, then something's wrong and you shouldn't log in.
Just like it happens on this keysmagic site: instead of an info-box with the certificate, you get a PNG.

5 years ago

True, but I am saying that in the future, the authors of these scripts might actually buy a certificate and make it legitimate. Checking the URLs is also a good tip, but sometimes they can be spoofed as well. If you are not tech savvy and believe that you will get a free game and that a friend sent you the link, you are likely to fall for it. There is a Trojan horse now that steals Steam credentials along with other things. A person should be very careful either way.

5 years ago

That's the problem with phishing. It relies on people being careful/knowing what to do, so it usually works. It's way more reliable than plain old hacking. 🤷

5 years ago

Yeah, sadly, the social engineering behind it all, makes it effective.

4 years ago

Where can I buy an EV certificate for $20? And also let me use "Valve Corp" or similar for the name?

4 years ago

I am not sure about the name, but there are SSL certificates making a site from http to https for $20. That was 1 year ago, so I am certain there should still be similar prices. I don't know about the name, but maybe it can be spoofed, too.

4 years ago

If you just want HTTPS, you can get certificates for free, but it won't show "Valve Corp". For that you need an EV certificate that costs more than $20 and involves verification of the company.

4 years ago

Thank you for schooling me and for providing this knowledge to the community. I did not know that. Do you work for a certificate agency?

4 years ago

I am just running a server and have looked up about certificates.

4 years ago

What cracked me up is that on their fake authentication page they've changed the wording, it says :

Note that XXX is affiliated with Steam or Valve

5 years ago

Happy cake day!

4 years ago

Also never click links you are not expecting...
If you hover over the link you can see the address at the bottom of your browser.

4 years ago

These links come from Steam chat and that "friend" might already be sending you links to giveaways.

4 years ago

Good luck to you in getting your account back and thanks for the warning.

5 years ago

Steam could fix this issue. If you have Steam's mobile authenticator enabled, they should make it so that you can only disable it by clicking a button inside of the authenticator app. Allowing you to disable it through the site means that a fake site just needs to trick you into thinking it is real and entering the authenticator code and then they can log into your account, disable everything, and change the contact info and password to hijack your account and lock you out.

5 years ago

They could also work like Blizzard's authenticator, which needs confirmation from itself, instead of letting you paste a code into a potentially random site.

user tries to log in >
authenticator receives a login attempt >
site tells you to check your auth >
auth pops up a login confirmation >
you confirm >

No way to cheat this, since a random site won't be able to contact Blizzard servers to tell your authenticator to show a login attempt.

5 years ago

I'm not sure I am understanding how that works because it seems easy to bypass. When you give the fake site your Steam username and password, wouldn't a bot try to sign into Steam with your account right when you give it to the fake site and then the authenticator has you click a button to approve it because you are trying to sign in?

5 years ago

Yes, which would lead to the same problem the only difference being it's possible to show what device is trying to login, but anyone who's gonna fall for this won't pay attention to the device name anyway and it's possible they figure out to fake it and give the info of the browser you're using so there's that.

5 years ago

But you would get a confirmation that someone is trying to access your account from X country, IP, browser, OS, etc.
Unless the site is made to collect all that info before you log in, you would notice something's off.

Anyway, disabling the auth from the app itself isn't viable, because people that lose access to it (ie: phone lost) don't have any other way to disable it.

5 years ago

Most people don't know this type of hack exists which is why so many people fall for it. 99% of people will never check that info on the app. They click a button to log into Steam and then almost immediately get a notification on their phone to click the button to approve the login like they have done so many times in the past, so they will just click it. Also, if anyone did bother to check, that info is easily accessible to the fake site, so I would imagine they would use it.

You say that you can't allow only being able to disable 2 factor from within the authentication app because if someone loses their phone, they wouldn't be able to disable it, but isn't that the point of 2 factor? If you can disable 2 factor without having access to the 2nd factor, then 2 factor is useless.

5 years ago

It doesn't matter if a real user or a bot makes a login attempt. The authenticator will prompt you either way.

4 years ago

My thoughts exactly. There are more restrictive, safer ways to login than Steam authenticator. It was an obvious brainfart on my side to allow some shady site access to my Steam, but I believe it could have been prevented with better security solutions.

5 years ago

If you have Steam's mobile authenticator enabled, they should make it so that you can only disable it by clicking a button inside of the authenticator app

What happens if you lose your phone? How are you gonna setup a new authenticator?

5 years ago

I have never had to do it so I don't know what the process is, but I would imagine you would have to go through the same process that the OP is probably going through right now. You would have to contact Steam directly and prove to them that you are the owner of the account. I think Steam will have you send them copies of receipts for games or keys you have purchased in the past that are activated on your account.

Edit: It looks like Steam doesn't accept a key purchase as proof of ownership of the account which means the following is not possible.

Oh, that just gave me a really evil thought. If Steam uses screenshots of receipts or keys to prove that you have purchased games that are on the account, I wonder how much proof they require, would one game be enough? I think I remember someone saying that if you activated keys, you could just send them a screenshot of the key from a site like Humble Bundle. If someone hacked your account, they can't see the keys for the game, so showing Steam a key that is on your account from your order on Humble would be proof that you bought a game and activated it back when you had access to your account and you are the owner.

Now, if a hacker really wanted to plan an attack, they could give keys to people and they would have the receipt, they would just need to keep track of what user got what key. You would still need to convince Steam that the account was hacked first though. A hacked account will probably show a recent login from a new IP and changed password and 2 factor. So, it may be more difficult to make the account look like it was hacked. Hopefully Steam will require a bit more info than that though.

5 years ago*

According to Steam's FAQ, only keys from physical retail games can be used to prove ownership. These days I guess a lot of people don't have any physical game on their account, though.

5 years ago

That's what I did after my phone was stolen.
I took a photo of my Deus Ex: Mankind Divided physical retail game with the key inside and sent that to them. But I concede being part of the minority of gamers who still purchase some (~5 per year) retail games.

4 years ago

That's what the recovery code is for. If you don't have that, Valve will ask you some info to check you're the real owner.

5 years ago

You still need a way to move to a new authenticator without access to your old one (for example if you lost or broke your phone).

4 years ago

If you lose your phone, you should have to contact Steam directly and prove that you own the account to unlock it, just like the OP had to do in this situation. Like I have asked others here, if you can disable 2 factor without having access to the 2nd factor, then what is the point of 2 factor, it is useless and does not protect you.

4 years ago

In this case, if your phone is stolen, the thief has immediate and unobstructed access to your Steam account,
while you need to wait until a Valve support representative handles your case.
Wouldn't you want the ability to immediately disable your authenticator in case of theft?

4 years ago

Not if it makes 2 factor security worthless and compromises every Steam account. Maybe Steam should implement a better support system. They have enough money to hire some people to take phone calls just for security issues. They can have all normal customer service go through emails if they want and just have an emergency number that you can call if your account was compromised and you need to lock it. You call the number and they ask you some questions to prove you are the real owner, then they lock the account and start the automated recovery process which can be done off the phone.

Is it possible right now to disable 2 factor without having access to your phone? Isn't the only way to access your account to enter the code that is sent to your phone? If you lose your phone right now, how do you enter your account and disable or change 2 factor settings?

Edit: Also, if your phone is stolen, how does the thief get access to your Steam account? He should only have access to 1 of the 2 factors, he would also need to know your password.

4 years ago*

They have enough money to hire some people to take phone calls just for security issues. They can have all normal customer service go through emails if they want and just have an emergency number that you can call if your account was compromised and you need to lock it. You call the number and they ask you some questions to prove you are the real owner, then they lock the account and start the automated recovery process which can be done off the phone.

First of all, this won't work as they would have very little traffic day-to-day, but 1000% spikes when a new scam site appears and thousands of people are scammed at once. No call center can support such traffic spikes.

Secondly, Steam is not an American platform. It's an international platform that supports many countries & nationalities. So a person only speaking Russian (for example) would need a Russian speaking call center representative answering the calls. Which makes it much more complex.

Is it possible right now to disable 2 factor without having access to your phone? Isn't the only way to access your account to enter the code that is sent to your phone? If you lose your phone right now, how do you enter your account and disable or change 2 factor settings?

I had a phone break down on me a few months ago and I lost access to my existing Steam app I had installed (including the authenticator).
So I used this - https://support.steampowered.com/kb_article.php?ref=8625-wrah-9030#transfer
IIRC it authenticates using your mail address.

Edit: Also, if your phone is stolen, how does the thief get access to your Steam account? He should only have access to 1 of the 2 factors, he would also need to know your password.

If you have a Steam app installed on your phone, you're permanently logged in.
The thief doesn't need your password anymore...

4 years ago*

All those options to transfer Steam guard to a new phone or use your email instead seem fine because they all require you to have access to the original phone number. In order to transfer to a new phone or use Steam guard through email, you have to get a text message on the phone number that is on your account.

None of that matters though because I didn't know the authenticator app had full access to your account. I never went through all the options, I only thought it was used to provide you with the Steam guard code and to approve listing items in the market.

The fact that you can change all settings from the app is a security risk. I thought you would have to log in on a browser with your password and the Steam guard code to change anything. So there is no security at all on the app, anyone that picks up your phone has full access. It would be much safer if you couldn't make any changes to the account through the app or if it required you to enter your password before being able to make any changes. Then even if someone gets your phone, they can't change anything unless they also have your password. I guess you could also have your password saved on your phone, but that would be your fault because having both factors available on a single device turns it into a single factor and is no longer secure.

You can also leave yourself logged into your account in a browser and then anyone that uses that device has access if you don't log out. The way to fix this is to require you to enter your password again before being able to make any changes to the account like more secure sites do.

4 years ago*

Deleted

This comment was deleted 4 years ago.

4 years ago

Rookie mistake

5 years ago

Yes, it was. However, I feel quite dumb to have made such an obvious mistake being 35 years old :/

5 years ago

Don't worry, Valve support has a bad reputation, but they always fix these issues pretty fast.

5 years ago

I hope so. I hereby announce a train incoming shortly after my account is brought back - to celebrate the triumph of Steam support over a Russian hacker. I haven't created a train in quite a while, that would be a fine occasion.

5 years ago

How can you be sure he/she was a Russian hacker? I am sorry, but there are criminals in every single country, just like hackers; they aren't better or worse just because they are Russian. American, European, etc. hackers steal the money of innocents too.

5 years ago

The IP of the computer used for changing my password was Russian.

5 years ago

Are hackers famous for using their own IP? :-)

5 years ago

"The thing is, it requested to sign in through my Steam account" ---> 100% scam.

5 years ago

In order to use Steamgifts I need to sign in through my Steam account, too. Is it true what they say, that Steamgifts is a scam? ;)

My problem was definitely that I felt too safe with the mobile authenticator enabled. My faith in it was way too deep. That's the lesson to be learned from my story - to never let mechanisms or algorithms give you a sense of full safety. My common sense should have warned me, but it didn't.

5 years ago

Nope. If I remember correctly...

You don't have to put your login and password to get to SG.

You just need to be logged on Steam and click connect by steam and then it jumps to steam site and you just click Login and you are logged in.

You don't have to put your password anywhere.

If any site tells you to manually put your Steam login and password in to log in to that site, it is just one of many sites stealing Steam accounts.

5 years ago

You don't have to put your login and password to get to SG.

Steam's website regularly disconnects me (like, once every other week or so). So, I regularly have to enter my credentials (which on a side note is damn annoying), including the bloody 2FA code. And the worst part is, it can happen at any time, i.e. a very, very short inactivity time is enough (which is a horrible way to handle a session that's supposed to last over a week). And the other worst part is, there are actually 2 separate sessions (one for the store and one for steamcommunity, if I remember well), which means you can be logged in as far as the shop is concerned but logged out as far as steamcommunity is concerned. Yuck! What a mess.

So no, it's not a guaranteed scam when you have to log back into Steam (and we have Steam's crappy session system to thank for that confusing thing). But yes, it's a red flag and you should always check the URL you're on, and the HTTPS, and the EV certificate (it should show "Valve Corp (US)" next to the HTTPS lock icon). And if in doubt, just type the URL manually.

TL;DR: whenever you're asked to log in by "Steam's website", close the tab, go to Steam's website manually, and log in there.

5 years ago*
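The "check the URL you're on" advice in the comment above (and the "open steamcommunity.com in another tab" advice further down) can be turned into a mechanical check. The following is an added example, not code from this thread or from Valve; the host allowlist (steamcommunity.com plus the steampowered.com hosts mentioned in the thread) and the sample URLs are my own assumptions, and the keysmagic.fun look-alikes are constructed from the scam domain named in the original post.

```python
from urllib.parse import urlsplit

# Assumed allowlist: hosts at which a genuine Steam login page is served.
# steamcommunity.com is where "Sign in through Steam" redirects you.
STEAM_LOGIN_HOSTS = frozenset({
    "steamcommunity.com",
    "store.steampowered.com",
    "help.steampowered.com",
    "support.steampowered.com",
})


def check_steam_login_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only for an https URL whose host is
    exactly one of STEAM_LOGIN_HOSTS: no subdomain trick, no user@host
    trick, no punycode look-alike, no odd port."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() != "https":
        return False, "not https"
    # "https://steamcommunity.com@evil.example/" shows the real name first,
    # but the browser connects to evil.example.
    if parts.username is not None or parts.password is not None:
        return False, "user@host trick in URL"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, f"unexpected port {port}"
    # urlsplit lower-cases the hostname; drop a trailing dot (FQDN form).
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False, "internationalised (look-alike) host"
    if host in STEAM_LOGIN_HOSTS:
        return True, "genuine Steam host"
    for good in STEAM_LOGIN_HOSTS:
        # e.g. steamcommunity.com.keysmagic.fun or steamcommunity.com-login.fun
        if good in host:
            return False, f"look-alike host containing {good}"
    return False, "not a Steam host"


if __name__ == "__main__":
    # Constructed sample URLs, one genuine and several phishing patterns.
    for sample in (
        "https://steamcommunity.com/openid/login?openid.mode=checkid_setup",
        "https://steamcommunity.com.keysmagic.fun/login",
        "https://steamcommunity.com@keysmagic.fun/login",
        "http://steamcommunity.com/",
    ):
        print(sample, "->", check_steam_login_url(sample))
```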

Do you have third-party cookies blocked? 'Cause that sounds like the reason that you get logged out from the store but not the community.
And getting logged out every now and then is probably changing IPs.

5 years ago

Do you have third-party cookies blocked? 'Cause that sounds like the reason that you get logged out from the store but not the community.

Hm, I get locked out of both, usually at the same time (I think). It's when I log back in that I need to log into both separately. I don't block third-party cookies, but I use anti-tracking / anti-ad stuff (uBlock and Ghostery). They shouldn't block third-party cookies everywhere, as they're based on domain names and patterns only, but maybe they break things.

And getting logged out every now and then is probably changing IPs.

Nope, it crossed my mind, but I have a fixed IP in my browser (I use a server of mine as a proxy, IP only changes like every 2 years when I change server). And actually, sometimes I do change IP on purpose and it doesn't necessarily disconnect me.
An IP change usually does disconnect me in the client, though.

5 years ago

Ghostery should only block third-party tracking cookies. It's probably why steam forces you to log in to the store and the community separately.
I have third-party cookies disabled, but somehow when I log out from the store or the community I get logged out of the other. But I have to log in to them separately.

And yeah, I kept changing IPs hoping steam would log me out, but it only logged me out from the client.

4 years ago

You will most likely recover your account with a VAC, feeling sorry for you.

5 years ago*

The best way to avoid being hacked/scammed:

If someone tells you that you will get something valuable for free (even if a friend does), especially if it includes any kind of link or tries to direct you somewhere, then it is a scam/hack attempt; avoid it.

So simple, nothing is free.

But GL to get it back, you will. Hopefully you haven't lost valuable inventory or a huge Steam wallet.

5 years ago*

Yeah, so glad I ignored all those messages from my friend about "The Witness" and "Oxenfree" being free, I mean why would Epic give away these good games for free?

;-)

5 years ago

This is weird. Seems like Steam policies affect regular users like me, when I couldn't get my cards because I changed something in my account and Steam placed me on a 2 week hold. But your story says these policies don't affect the hackers, only regular users.

You can't trade a card but can lose 1000 games just by being hacked.

5 years ago

And people are still falling for one free game :(

5 years ago

The thing is, it requested to sign in through my Steam account, which I carelessly did

You are not the first, and not the last. And once again - never enter passwords for Steam anywhere but Steam. Even if the site opens a pop-up that looks like Steam, don't. Open steamcommunity.com in another tab, log in, and then go back to that site. And if you see that you're already logged in on steamcommunity.com - you know it was a scam attempt. It's safe to log in using Steam, but it's unsafe to enter your password (and authenticator data) everywhere.

And, by the way, old-style Steam Guard with mail was much safer. Because it didn't ask for a code everywhere, just on a new device, so if some site asks for it - you know it's a scam. But with the 2FA authenticator using the phone app, Steam asks for a code every time, so many people fall for this type of scam. Too bad Valve did everything to prevent people from using mail guard.

5 years ago

You can still "remember this device", so you still only need to enter 2fa-code on new devices - which is why the phisher asks for it. If a site asks for 2fa, it's a scam. (or your Steam token ran out; but this just confirms that you should check the URL.)

5 years ago

You can? How?

5 years ago

Tick the box :)

5 years ago

Ah, you're talking about this... it's the "remember password" thingie, not "remember device". With email Steam Guard you only need to enter a code on first login, but the next time the Steam cookies have gone rotten and you need to log in again, you don't need a new code. But with the authenticator you need to enter codes every time you log in, and Steam forgets your password very often, so you get used to entering a code every time. So, when a scam site asks for a code again - you are not surprised and not suspicious.

5 years ago

I'm not sure what you mean; I don't need to log in or provide code every time I go to Steam website, or when I go to a new site like SteamTrades and click Sign in with Steam... If a site asks me to log in, I know something's up. If you don't, that's really not Steam's fault.

5 years ago

But it IS Steam's fault. I'm not saying you have to log in every time you visit the Steam website, but it still forgets your login quite often. Please, don't tell me you entered your login credentials only once - I won't trust you. I'm sure Steam sometimes forgets about your login, be it once a month or once a year... Otherwise you are the only man like this in the world.

5 years ago

I said in my first post that it does happen.
You say it happens "very often" so you're "not surprised and not suspicious".
It's your fault for not checking where you put in your account information.

5 years ago

Well, I'm not saying it affects me - I always check where I enter this information. I'm talking about people who are less paranoid. For them, email Steam Guard is safer. And, for people like me - there is no difference. So, overall, 2FA greatly reduces security.

5 years ago

Thanks for the warning, I thought we were safe since the authenticator exists. Once I lost my account as well, but back then there was no mobile authenticator yet. The thief saw that I'm Global Elite in CS:GO, so after taking all of my inventory he also played in matchmaking too.
That gave me very bad feelings, because even after getting my stuff back I've been thinking about what if he was cheating in that game... but fortunately he didn't.

5 years ago

By the way, is the account recapture procedure completed?
https://help.steampowered.com/
I can not sign in! help me!
next
It has been stolen!
"There is only a note on what to do when stolen."
Select Account Name, I forgot my password.
next
Enter the email address you used
You will probably get an error if it does not exist.
At that time, there is a button to contact SteamSupport.
Choose it.
Process of being hacked
Credit information
Undamaged email address required for restoration
Attach information or images of suspicious sites that lead to the hacked process

Send and wait half a day.
If you are lucky you will receive a reply.

5 years ago

Thanks for the info, that's the first thing I did. I used the recovery procedure a few minutes after I realized what was going on. I don't know if my quick reaction helps me in any way; now all I can do is wait for the reply, change all my vital passwords, warn others and hope for the case to be solved soon.

5 years ago

Congratulations on the resurgence of your account, so much faster than you thought! Good for you!

4 years ago

Deleted

This comment was deleted 5 years ago.

5 years ago

Thankfully I have no friends (real life friends) in my list

wait a minute....

5 years ago

Hey, it's me - your brother

5 years ago

Lock your account. The option should be in the email you got about the email/phone number/password change. https://support.steampowered.com/kb_article.php?ref=6416-FHVM-3982

5 years ago

Thanks, I already did it. Locking the account may be a way to protect some of my inventory. Time will tell.

5 years ago*

Sucks, mate. Hope you get your account back.

5 years ago

In this kind of situation, have you considered that your API key was spoofed, which is another possibility, since with every sign-in or OAuth your data carries along?

5 years ago

Thanks for the heads up. Good luck with getting your account back.

5 years ago

Here's an update on the situation:

Hooray, the crisis is over! Steam support has sorted out the hijacking issue successfully. I've got my account back faster than I could expect. I know they're getting a lot of bad rep, but honestly I've never had any kind of problem with support's work. A big, shiny thank you to Steam staff for their immediate reaction.

Also, nothing is missing: my Steam wallet and inventory are just as I left them. This might be because I blocked the account right away, mere minutes after I got hacked. No damage done, but still, the lesson is learned: I will never again pass my Steam login so easily to any third party.

Finally, thank you all for your comments, advice, support and discussion.
And as promised, a little celebration train to finish the story on a positive note. Enjoy!

http://sgtools.info/giveaways/d13c83b2-68e9-11e9-84e3-fa163e96784d

5 years ago

Well hot damn, that certainly was a fast account recovery.
Congrats on getting your account back.

5 years ago

All is well when it ends well :)

Glad to know you managed to fix the situation, with the help of Support (have never had complaints about their work either). Also, no reason for pride lost, it can happen to anyone! What matters is that your account is back and you are now wiser and thus safer ^^

5 years ago

Can't use HTTPS? Well. You got hacked.

5 years ago

HTTPS by itself doesn't mean anything. You can get SSL certificates for free.

4 years ago

But you can see who got the cert, for example:
http://prntscr.com/nikuve

PS. And basically I was joking, because the author doesn't know the basics of security.

4 years ago*

You can get HTTPS for free and it won't show whose it is. HTTPS by itself isn't enough of a guarantee that it isn't a scam.
You need to check if the certificate is from Valve, i.e. it says "Valve Corp" near the lock.

4 years ago

That's great news! Thanks for the giveaways :)

5 years ago

Grats on getting your account back. Feels good to know that Steam support is on the ball with this, since it's been happening more aggressively in the past few months.

5 years ago