In the future, refrain from distributing your login details at every opportunity.

Originally posted by Tyrannosaurus Flex:

I have logged in through steam at 3rd party before and stipidly used the dame password for my steam and email.

If you have to ask this, then you've clearly made a misstep. Even the top-notch U-lock won’t save you if you're handing the "thief" bolt cutters and saying "Enjoy!"

Originally posted by Tyrannosaurus Flex:

I have logged in through steam at 3rd party before and stipidly used the dame password for my steam and email.

They have as such a steam guard authentication key to access your account.
Even if you have changed your password after ward, if you don't pull this in (authenticated devices) they don't need to reaffirm Steam Guard.

Also they can use Email Verification if they have access to your email.
People who access your email usually enable IMAP, POP3 or simply enable a forwarding script to make sure the email server sends copies to their own email or server
... so even if you pulled Steam guard, if you didn't check your email settings, your email account could have forwarded the steam guard codes.

This is why Steam advises people to use their phone auth method, which is harder to obtain without your phone.

but anyway--- look into your email account settings and email settings and see if there is a leak somewhere there.

Originally posted by Tyrannosaurus Flex:

Hey steam,

a few days ago my cs2 inventory got traded away to an account I can't even see a name of.
I did not authorize it in steam guard.

Link your Steam account to a hacker-infested Steam game server owned and operated by Valve, they said... it'll be fun, they said.

Obviously my account got hijacked. What. I wonder is if through means of malware or phishing.

Both can compromise your account, not steal it. Hijackers make more money from breaking into the Federal Reserve, not Steam user accounts that focus on FREE games.

I changed passwords and email, reset all devices, no apikey etc.
Malware scanns on phone and pc came out negative. On PC I looked at processes with security task manager aswell.

Okay, okay, checklist looks good so far...

I have logged in through steam at 3rd party before and stipidly used the dame password for my steam and email.

Now I am at a loss if I got phished or haven't found the malware.

There is no malware. You phished yourself by not authenticating the site before authenticating your account information to that site.

Can scammers get access to my steam guard without having acces to my phone?

If you give them your login credentials, you've given them access to your entire account... not just Steam Guard. They can sell your CS2 NFT swag, post content on forums that could get you permabanned, even upload images that could get the FBI involved.

YOU are responsible for YOUR Steam account, not Valve. Treat it with the same level of importance as the bank account you're using to buy CS2 NFT swag.

Originally posted by Tyrannosaurus Flex:

Hey steam,

a few days ago my cs2 inventory got traded away to an account I can't even see a name of.
I did not authorize it in steam guard.

Obviously my account got hijacked. What. I wonder is if through means of malware or phishing.

I changed passwords and email, reset all devices, no apikey etc.
Malware scanns on phone and pc came out negative. On PC I looked at processes with security task manager aswell.
I have logged in through steam at 3rd party before and stipidly used the dame password for my steam and email.

Now I am at a loss if I got phished or haven't found the malware.

Can scammers get access to my steam guard without having acces to my phone?

Phishing. Most likely phishing. Password reuse is dangerous as well, still most likely phishing. Pro tip: phishing doesn't necessarily looks like a third-party site (which is obvious once you understand phishing).

Originally posted by Elucidator:

Originally posted by Tyrannosaurus Flex:

I have logged in through steam at 3rd party before and stipidly used the dame password for my steam and email.

They have as such a steam guard authentication key to access your account.
Even if you have changed your password after ward, if you don't pull this in (authenticated devices) they don't need to reaffirm Steam Guard.

Also they can use Email Verification if they have access to your email.
People who access your email usually enable IMAP, POP3 or simply enable a forwarding script to make sure the email server sends copies to their own email or server
... so even if you pulled Steam guard, if you didn't check your email settings, your email account could have forwarded the steam guard codes.

This is why Steam advises people to use their phone auth method, which is harder to obtain without your phone.

but anyway--- look into your email account settings and email settings and see if there is a leak somewhere there.

Yeah the email thing was really stupid. But what is the head scratch is that I used my phone for 2fa the whole time. And I thought even if my account got compromised, as long as 2fa is on my phone a scammer couldn't do anything and I would be notified if they changed the 2fa

Originally posted by Tyrannosaurus Flex:

Originally posted by Elucidator:

but anyway--- look into your email account settings and email settings and see if there is a leak somewhere there.

Yeah the email thing was really stupid. But what is the head scratch is that I used my phone for 2fa the whole time. And I thought even if my account got compromised, as long as 2fa is on my phone a scammer couldn't do anything and I would be notified if they changed the 2fa

A lot of people learned that lesson the hard way last year, after believing the same thing with Microsoft's authenticator app. The problem is that all online roads lead to Google, and Google has full legal immunity to continue allowing 2FA exploits by bad actors.

Valve can recommend using their Steam Authenticator app, but it's basically the same thing as trying to log into Steam using a third-party website. Keep it simple, the less parts you have in a machine the less likely something is going to fail.