Account Compromised and API key used to ♥♥♥ other accounts
Ok so in my defense I have been pretty tired lately due to new baby and late one night after a glass of wine I was silly enough to respond to old 'hey can you vote for my friend's CSGO team scam'.

Interesting thing is though that although my account was compromised I did not lose control as I use Steam Guard. I did some playing around and near as I can see it the reason for this is as follows.
- Although I entered all my creds and a code into the malicious site, that code can only be used once.
- You cannot change passwords or move authenticator app without generating a new code which they cannot do (or not able to in this case, perhaps they are not as good as others).

In my case the impact was they generated an API key and were using that to ♥♥♥ other users for the same scam. I'm guessing they are hoping to hook someone who isn't using Steam Guard and then it's game over for them. No other actions happened on my account, no purchases could be made as I don't store payment deets on my account and they can only see last two digits on my phone number and my gmail email name (good luck to them compromising that). All my games are still there, cheers as it's around 10k AU in games!

I did however see a bunch of malicious login and logout actions from Russian locations and some island somewhere which is a bit weird. I'm still not sure what that is or how it is possible, perhaps they are piggybacking off my local session somehow or is using the API key counted as a login / logout?

Anyway I have purged all login sessions, purged all browser data, reset password and revoked the API key. I'm thinking as a general precaution I might go full scorched earth on my digital life, reinstall OS, rotate all passwords and replace my current password manager (it's had some problems and probably a good time as any to migrate to Google who are probably a lot better at their job).

The key questions are though

1) Why does Steam require you to gen a new code to reset password and auth app but not to gen an API key? This seems like an easy problem to solve and a bit of a flaw unless I'm missing something?

2) How is it possible that the login history would show consecutive login and logouts post compromise of that 1 time code? Near as I can see they should have been 1 and done (unless the API key usage counts as login logout).

And yeah I get it the old 'well you shouldn't be stupid enough to do that thing' argument. But perhaps when YOU haven't slept properly for four weeks are tired and worn out you will be? My digital life is obviously secured enough to prevent disaster in my case and unless I'm missing something the API key not needing another code is a flaw in otherwise a really good system?
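
A minimal model of the step-up behaviour the post describes, added here as an example; it is not part of the original post and not Steam's actual implementation. The `Account` class, the action names and the sample secret are assumptions. It shows why a single-use code blocks a password change from a phished session, and what changes when API key creation is added to the step-up list.

```python
import hashlib, hmac, struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)
# Hypothetical action names: the policy as the post describes it, and a stricter one.
OBSERVED = {"change_password", "move_authenticator"}
HARDENED = OBSERVED | {"create_api_key"}

def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and 6 digits."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{num % 1_000_000:06d}"

class Account:
    def __init__(self, secret, step_up_actions):
        self.secret = secret
        self.step_up = set(step_up_actions)  # actions that need a fresh code
        self.last_step = -1                  # highest time step already consumed
        self.sessions = set()

    def _consume(self, code, now):
        """Accept a code once: reject wrong codes and replays of a used time step."""
        step = now // STEP
        valid = hmac.compare_digest(code, totp(self.secret, now))
        if step <= self.last_step or not valid:
            return False
        self.last_step = step
        return True

    def login(self, code, now, session_id):
        ok = self._consume(code, now)
        if ok:
            self.sessions.add(session_id)
        return ok

    def act(self, session_id, action, now, code=None):
        if session_id not in self.sessions:
            return False
        if action in self.step_up:           # step-up: session alone is not enough
            return code is not None and self._consume(code, now)
        return True

def phished_session_can(action, step_up_actions):
    """Constructed scenario: one phished code is relayed to log in, then reused."""
    secret, now = b"constructed-demo-secret", 1_688_675_280
    acct = Account(secret, step_up_actions)
    phished = totp(secret, now)              # the code typed into the fake site
    acct.login(phished, now, "phished-session")
    return acct.act("phished-session", action, now + 5, code=phished)
```
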
SLG 6 Jul 2023 @ 9:14pm 
You should not be online when you are so tired.
Originally posted by Zebirdman:
Ok so in my defense I have been pretty tired lately due to new baby and late one night after a glass of wine I was silly enough to respond to old 'hey can you vote for my friend's CSGO team scam'.

Interesting thing is though that although my account was compromised I did not lose control as I use Steam Guard. I did some playing around and near as I can see it the reason for this is as follows.
- Although I entered all my creds and a code into the malicious site, that code can only be used once.
- You cannot change passwords or move authenticator app without generating a new code which they cannot do (or not able to in this case, perhaps they are not as good as others).

In my case the impact was they generated an API key and were using that to ♥♥♥ other users for the same scam. I'm guessing they are hoping to hook someone who isn't using Steam Guard and then it's game over for them. No other actions happened on my account, no purchases could be made as I don't store payment deets on my account and they can only see last two digits on my phone number and my gmail email name (good luck to them compromising that). All my games are still there, cheers as it's around 10k AU in games!

I did however see a bunch of malicious login and logout actions from Russian locations and some island somewhere which is a bit weird. I'm still not sure what that is or how it is possible, perhaps they are piggybacking off my local session somehow or is using the API key counted as a login / logout?

Anyway I have purged all login sessions, purged all browser data, reset password and revoked the API key. I'm thinking as a general precaution I might go full scorched earth on my digital life, reinstall OS, rotate all passwords and replace my current password manager (it's had some problems and probably a good time as any to migrate to Google who are probably a lot better at their job).

The key questions are though

1) Why does Steam require you to gen a new code to reset password and auth app but not to gen an API key? This seems like an easy problem to solve and a bit of a flaw unless I'm missing something?

2) How is it possible that the login history would show consecutive login and logouts post compromise of that 1 time code? Near as I can see they should have been 1 and done (unless the API key usage counts as login logout).

And yeah I get it the old 'well you shouldn't be stupid enough to do that thing' argument. But perhaps when YOU haven't slept properly for four weeks are tired and worn out you will be? My digital life is obviously secured enough to prevent disaster in my case and unless I'm missing something the API key not needing another code is a flaw in otherwise a really good system?
The key question is why allow your account to be compromised with a simple scam? That is after all the root of the problem.

Date Posted: 6 Jul 2023 @ 8:28pm
Posts: 2