How easy is it to get hacked?
(This might be in the wrong place, sorry if it is)

I've noticed a lot of people saying their accounts have been hacked, is this just a vocal minority or is it actually this easy to get hacked?
J4MESOX4D Nov 23, 2015 @ 12:37am 
It's a minority. The only way your Steam account can be compromised is if you give away your login details or download malware to your PC. The few that are affected by this have no regard for their online security and don't have the necessary protection on their PC. Don't click on random links is the main moral of this story.
PUTRID0 Nov 23, 2015 @ 1:29am 
Nah. I've heard that some accounts with big inventories got hacked without downloading anything.
J4MESOX4D Nov 23, 2015 @ 1:32am 
Originally posted by evirat1o:
Nah. I've heard that some accounts with big inventories got hacked without downloading anything.
Not possible whatsoever. There are many different ways phishers operate in the way malicious material is presented but the end-result is always the same - malware/keylog.

If you honestly believe inventories can be hijacked out of thin air; your own online security and competence has to be called into question.
Last edited by J4MESOX4D; Nov 23, 2015 @ 1:32am
76561198261008411 Nov 23, 2015 @ 1:40am 
Originally posted by Darth Illic:
(This might be in the wrong place, sorry if it is)

I've noticed a lot of people saying their accounts have been hacked, is this just a vocal minority or is it actually this easy to get hacked?
  • you use some "free system" (rules don't allow me to be more accurate) to fake your country and you log in using it
  • you install a trojan, which could be a game (I heard of trojans in Greenlight: to verify), a cards idling software, a fun software, ...
  • you click a malicious link
  • you write your data on a fake Steam website / form (phishing)
  • you don't activate Steam Guard and some software finds your password by brute force or with a keylogger
  • a worm finds a breach in your system
  • the hijacker is a friend, or a sibling, and knows the password
  • and this is just the beginning
Last edited by 76561198261008411; Nov 23, 2015 @ 1:41am
Hextravert Nov 23, 2015 @ 1:56am 
If it's any consolation, you are very unlikely to get hacked.

Because your library consists of free-to-play games and you have little to no funds.

Frankly, a hacker wouldn't want your account even if you paid him. :DEALWITHIT:

Originally posted by Darth Illic:
(This might be in the wrong place, sorry if it is)

I've noticed a lot of people saying their accounts have been hacked, is this just a vocal minority or is it actually this easy to get hacked?
Linerax Nov 23, 2015 @ 2:00am 
Think twice before clicking something. If you are going to download something (a mod, Steam skin, etc.) then do some background research about the download. Perhaps there's a safer website to download a mod, or people who downloaded something warn others on a discussion board not to download said file for safety reasons.
DirtyFishy Nov 23, 2015 @ 2:30am 
I just like to add that nobody is hacked. For some reason people can't tell the difference between a hacker, a scammer and a phisher.

Nobody is hacked, the time and effort to hack one person for little gain really wouldn't be worth it.
Most people are phished because they click on dodgy links.

It's pretty hard to be phished if you have common sense.
Black Blade Nov 23, 2015 @ 2:58am 
Originally posted by Hydra:
you use some "free system" (rules don't allow me to be more accurate) to fake your country and you log in using it
First, I do not think VPNs are not allowed to be talked about
They're not allowed to be used on Steam by the SSA but no reason to it talk about them
That is pretty true overall but it's more likely if you use an unsafe one

Originally posted by Hydra:
you install a trojan, which could be a game (I heard of trojans in Greenlight: to verify), a cards idling software, a fun software, ...
Greenlight never had viruses, they only had links to sites that you download malware from there

Originally posted by Hydra:
you write your data on a fake Steam website / form (phishing)
These only work if you have Steam Guard off

Originally posted by Hydra:
the hijacker is a friend, or a sibling, and knows the password
Then he can just get on your PC, so or so your friends are not supposed to know your passwords
Tito Shivan Nov 23, 2015 @ 3:44am 
Originally posted by evirat1o:
Nah. I've heard that some accounts with big inventories got hacked without downloading anything.
I've heard that some accounts with big inventories got VAC banned without using any cheat.

People lie.
Originally posted by evirat1o:
Nah. I've heard that some accounts with big inventories got hacked without downloading anything.
Yes, if you disabled Steam Guard and published your account name or associated email address
there was an exploit once.
https://xkcd.com/538/

https://imgs.xkcd.com/comics/security.png

Use KeePass2 and GENERATE your LONG random passwords.

Strong security is more than a strong password, it is also something you know, something you have and so on.

Also turn on SteamGuard and all the security features to enable notification and multi-confirmation security for every device. At least this way you get notified of anything.

All this linking Facebook and other linkage is just bad. Convenience at the cost of security. I recommend isolating every account as best you can.

Also, don't trust internet strangers, especially if there is something for them to gain. Trust is earned, not given.

99% of the time common sense is good security.

Of course, it is hard to defend against the "evil maid" attack BUT.. you can, by moving authentication off the machine and also boot capability OFF the machine. Don't share passwords across services and don't use normal words (learn elvish - but then I may learn it too).

And don't make your steam account details PUBLIC and if it's friends only, be sure you can trust them with knowing what you have (Also disable trade requests in games, it's bloody annoying).

There is a reason your email is separate from your account name, also keep your player name separate from your account name. It's all about information about you and your account. Isolate what you can, separate what you can. Reducing the knowledge.

If you pay for something or something has value, you want to use a bigger key :) Isolate isolate isolate. Reduce reduce reduce. It is all about "mitigation".
Last edited by The Muppet Surgery Special; Nov 23, 2015 @ 5:52am
Start_Running Nov 23, 2015 @ 6:13am 
Originally posted by evirat1o:
Nah. I've heard that some accounts with big inventories got hacked without downloading anything.

That's what the owners of the account say. But of course how many times do people fudge the details of something for fear the truth would make them look like idiots. Ask anyone who works in PC repairs and they'll say that no one ever knows how all those taskbars and the ♥♥♥♥♥♥♥ screensaver got on their computer. :p

The truth is Hacking is not something that happens frequently if at all.

As for password. Just don't reuse passwords really. No one bruteforces passwords these days. It's just not done anymore. Every service is on guard for such. After 3-5 failed login attempts with wrong passwords most services will basically prevent any access to the account and attempt to contact the owner via phone or secondary email.

So yeah, bruteforcing. Not done. What more likely happens is keyloggers get installed by the user and they simply wait for you to login.

Or they put a backdoor on your computer that allows them to simply piggyback you.

Again this happens because of the user installing something. In short. The weakest link in security, is between the keyboard and the chair.
Originally posted by Start_Running:
Originally posted by evirat1o:
Nah. I've heard that some accounts with big inventories got hacked without downloading anything.

That's what the owners of the account say. But of course how many times do people fudge the details of something for fear the truth would make them look like idiots. Ask anyone who works in PC repairs and they'll say that no one ever knows how all those taskbars and the ♥♥♥♥♥♥♥ screensaver got on their computer. :p

The truth is Hacking is not something that happens frequently if at all.

As for password. Just don't reuse passwords really. No one bruteforces passwords these days. It's just not done anymore. Every service is on guard for such. After 3-5 failed login attempts with wrong passwords most services will basically prevent any access to the account and attempt to contact the owner via phone or secondary email.

So yeah, bruteforcing. Not done. What more likely happens is keyloggers get installed by the user and they simply wait for you to login.

Or they put a backdoor on your computer that allows them to simply piggyback you.

Again this happens because of the user installing something. In short. The weakest link in security, is between the keyboard and the chair.

http://kotaku.com/steam-accounts-hijacked-following-security-lapse-1720288836

http://www.theguardian.com/technology/2014/may/30/steam-valve-password-hack-stolen-botnet-malware

http://dualpixels.com/2015/07/26/steam-hacked-accounts-compromised-community-offline/

http://www.pcgamer.com/steam-database-hacked-encrypted-credit-card-information-and-passwords-compromised/

They only need to get lucky once, in this case, they got lucky TWICE. 2011 and 2015, and countless other smaller cases directed at specific users.

Don't forget security defences can also be turned into an attack, disabling accounts by forcing resets. Kind of a weak targeted denial of service on accounts.
Last edited by The Muppet Surgery Special; Nov 23, 2015 @ 6:20am
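The lockout after a few failed logins and the point that a lockout can itself be used to deny the owner access, as an added example that is not part of the original thread and is not code from Steam or any poster: the sketch throttles per (account, source) pair with exponential back-off instead of locking the whole account. The class name, thresholds and addresses are assumptions made for the illustration.

```python
class LoginThrottle:
    """Per (account, source) back-off; all thresholds are assumed demo values."""

    def __init__(self, max_failures=5, base_delay=30.0, max_delay=3600.0):
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._state = {}  # (account, source) -> (failure count, blocked until)

    def allowed(self, account, source, now):
        _, blocked_until = self._state.get((account, source), (0, 0.0))
        return now >= blocked_until

    def record_failure(self, account, source, now):
        failures, _ = self._state.get((account, source), (0, 0.0))
        failures += 1
        blocked_until = 0.0
        if failures >= self.max_failures:
            # Delay doubles with every failure past the threshold, up to a cap.
            extra = failures - self.max_failures
            delay = min(self.base_delay * 2 ** extra, self.max_delay)
            blocked_until = now + delay
        self._state[(account, source)] = (failures, blocked_until)
        return blocked_until

    def record_success(self, account, source):
        self._state.pop((account, source), None)


def simulate():
    """Constructed scenario: one source keeps guessing, the owner logs in elsewhere."""
    t = LoginThrottle()
    guesser, owner = "203.0.113.7", "198.51.100.20"  # documentation-range addresses
    for second in range(5):
        t.record_failure("alice", guesser, now=float(second))
    return {
        "guesser_blocked": not t.allowed("alice", guesser, now=10.0),
        "guesser_retry_at": t.record_failure("alice", guesser, now=40.0),
        "owner_allowed": t.allowed("alice", owner, now=10.0),
    }


if __name__ == "__main__":
    print(simulate())
```

Keying only on the account name would give the hard lockout described in the thread, which anyone who knows the account name can trigger; keying on the pair keeps the owner's own source usable while the guessing source is slowed down.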
Start_Running Nov 23, 2015 @ 6:21am 
Note that in the latter they only got encrypted data. I'm wagering Steam uses at the very least 48-bit encryption. And that's the sort of thing you don't brute force. The time it takes to break the encryption would be longer than the time it takes for news to get out and for people to simply change their passwords.


In the first case this happened on the user end. I.e. they collected the keylogged passwords they'd gathered from careless users.
Originally posted by Start_Running:
Note that in the latter they only got encrypted data. I'm wagering Steam uses at the very least 48-bit encryption. And that's the sort of thing you don't brute force. The time it takes to break the encryption would be longer than the time it takes for news to get out and for people to simply change their passwords.


In the first case this happened on the user end. I.e. they collected the keylogged passwords they'd gathered from careless users.

I hope they used a salt on those hashes :)

You also use precomputed hashes (rainbow attack) and take advantage of hash collisions (don't use a weak hash).

This is why it is important at the very least, force an automatic password reset as soon as you detect an attack and then ban historical passwords, even force them to be stronger.

KeePass2 will solve many of your problems on weak passwords and remove password sharing.

https://en.wikipedia.org/wiki/40-bit_encryption

"A typical home computer in 2004 could brute-force a 40-bit key in a little under two weeks"

"With dedicated hardware, a 40-bit key can be broken in seconds"

"All 40-bit and 56-bit encryption algorithms are obsolete, because they are vulnerable to brute force attacks, and therefore cannot be regarded as secure"

"As a general rule, modern symmetric encryption algorithms such as AES use key lengths of 128, 192 and 256 bits."

Stick it onto an FPGA and you can brute force keys easily. Imagine a farm of FPGAs. This is why we use them for BitCoin Mining. Low power, faster than a GPU and programmable. And this is without using heuristics to get to the key faster by applying knowledge or common transformations (substitutions and permutations) on the candidate keys.

If you want to be secure, AIR GAP, SEALED ROOM, Robotron from Fallout at the door. This may impact your Steam gaming availability though.

In other words, do not become a target, be an unknown, low profile.
Last edited by The Muppet Surgery Special; Nov 23, 2015 @ 6:37am
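Why the salt and the precomputed-hash remark in the post above matter, as an added example that is not part of the original thread and says nothing about how Steam stores passwords: the same constructed user table is stored once as plain SHA-256 and once as salted PBKDF2, then checked against a precomputed table of common passwords. User names, passwords, the word list and the iteration count are all assumptions made for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this demo


def unsalted_hash(password):
    """Fast, unsalted digest: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Per-user random salt plus a slow KDF; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def precompute(wordlist):
    """A table built once that can be reused against any unsalted dump."""
    return {unsalted_hash(word): word for word in wordlist}


def exposed_accounts(stored, table):
    """Accounts whose stored value appears in the precomputed table."""
    return sorted(user for user, value in stored.items() if value in table)


# Constructed sample data: two users picked the same weak password.
USERS = {"alice": "dragon", "bob": "dragon", "carol": "x9$Lq!v2Tz#p"}
TABLE = precompute(["123456", "password", "dragon"])


def demo():
    plain_db = {user: unsalted_hash(pw) for user, pw in USERS.items()}
    salted_db = {user: salted_hash(pw) for user, pw in USERS.items()}
    salted_hex = {user: digest.hex() for user, (_, digest) in salted_db.items()}
    return {
        "unsalted_exposed": exposed_accounts(plain_db, TABLE),
        "salted_exposed": exposed_accounts(salted_hex, TABLE),
        "unsalted_duplicates": plain_db["alice"] == plain_db["bob"],
        "salted_duplicates": salted_db["alice"][1] == salted_db["bob"][1],
        "login_still_works": verify("dragon", *salted_db["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

The salt removes table reuse and hides which users share a password; it does not make "dragon" a strong password, which is what the slow KDF and a generated password address.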

Date Posted: Nov 23, 2015 @ 12:32am
Posts: 27