Orjuuttaja Oct 15, 2019 @ 12:13pm
Someone got in my account and sold all my skins.
All my skins and cards that had value are gone. Everything was normal, I didn't add any random people or log in on any site. I have mobile auth and still someone sold all my skins and bought a crap overpriced skin with that money. How is that possible? I thought Steam mobile auth was impossible to bypass.
Showing 1-15 of 42 comments
Wolf Knight Oct 15, 2019 @ 12:17pm 
your account is compromised


Steps to take NOW:
1. Scan for malware https://www.malwarebytes.com/
2. Deauthorize all other devices https://store.steampowered.com/twofactor/manage
3. Change passwords from a clean computer
4. Generate new backup codes for your Mobile App
5. Revoke the API key https://steamcommunity.com/dev/apikey (there should be nothing in the APIKEY)
Zekiran Oct 15, 2019 @ 12:20pm 
It's only "impossible" if you yourself don't enter it anywhere but where it's supposed to go.

Stop using off-steam trade sites.

You claim you 'didn't log in anywhere' and yet,

☭OOF {LINK REMOVED}

That's where.
Last edited by Zekiran; Oct 15, 2019 @ 12:21pm
RedLightning Oct 15, 2019 @ 12:22pm 
So basically the auth is useless with malware installed?

The scammers got by that brick wall tout suite .. either way.. I seriously hope that the 'support' requests to valve have increased well beyond the 77thousand they were complaining about.

Still won't get a cell phone.

Paratech2008 Oct 15, 2019 @ 12:28pm 
If a person gives their info whether to a scammer directly on Steam or through a 3rd party site, yes.

People give information they shouldn't to people or sites they shouldn't.

There is no way to protect users from themselves.

Theblaze Oct 15, 2019 @ 12:30pm 
Originally posted by RedLightning:
So basically the auth is useless with malware installed?

The scammers got by that brick wall tout suite .. either way.. I seriously hope that the 'support' requests to valve have increased well beyond the 77thousand they were complaining about.

Still won't get a cell phone.

No security tool is bulletproof.

If you (as the user) still run the malware without checking the file by yourself or still run it even with all the warnings, you can basically only blame yourself.

People sharing their account credentials including the auth code to a phishing site is unfortunately a common thing on steam. Blame their greediness and gullibility.
Orjuuttaja Oct 15, 2019 @ 12:50pm 
Originally posted by Wolf Knight:
your account is compromised


Steps to take NOW:
1. Scan for malware https://www.malwarebytes.com/
2. Deauthorize all other devices https://store.steampowered.com/twofactor/manage
3. Change passwords from a clean computer
4. Generate new backup codes for your Mobile App
5. Revoke the API key https://steamcommunity.com/dev/apikey (there should be nothing in the APIKEY)
Thanks dude!
Dr.Shadowds 🐉 Oct 15, 2019 @ 1:13pm 
Originally posted by RedLightning:
So basically the auth is useless with malware installed?

The scammers got by that brick wall tout suite .. either way.. I seriously hope that the 'support' requests to valve have increased well beyond the 77thousand they were complaining about.

Still won't get a cell phone.
All auth are not bulletproof; they all follow the same issue, just that it's an extra login password that changes every 1 min or so, which yes, it's time-based, that's about it. Example: enter your username / email, and the password you use all the time, or often, then your auth that you get by phone / email that changes every time you log in.

Also with malware/etc affected the system, would try to override things on the system, and possibly try to get your details as you're logging in, or input things behind your back. But really this would be something that someone went out of their own way to install something they don't even know, or understand what they just install that basically giving backdoor on their system.
Originally posted by RedLightning:
So basically the auth is useless with malware installed?
It saves you if someone hacks steam or if someone has just your password.

Both are very rare cases. People who use the same password everywhere could benefit. Well.......
Orjuuttaja Oct 15, 2019 @ 10:44pm 
Originally posted by Toast:
Even with malware installed on the user's machine, the mobile auth is still not entirely useless. The worst anyone can do when gaining access to your account (because you accidentally gave them your credentials one way or another) is to

1. change your account/profile settings (this can be leveraged to trick / scam the user, and often is)
2. buy stuff with any existing wallet funds on your account (but such purchases would still be stuck to your account; see below)
3. make trade offers or market listings, neither of which will complete unless specifically authorized by the user.

You have to manually confirm it on a physically separate device whenever stuff leaves your account. That is one of the main points of the mobile authenticator. The mobile device itself is completely separate from the PC, which makes it unaffected when the PC is compromised.

However, one potential issue I have noticed is that cheaper market items (somewhere around less than one dollar?) usually do not require authentication to list on the market.

Another potential issue is when people create a fake authenticator on their host machine instead of using a separate tablet or a phone, meaning that if their PC is compromised, their fake authenticator can be rendered useless since it is not running on a different physical device.

Takeaways: when your account is compromised, it is your fault. When you verify items leaving your account, it is your fault. If you do not use the authenticator the way it was intended to be used (on a separate device), it is your fault.
I had auth on my phone all the time.
Zekiran Oct 15, 2019 @ 10:58pm 
Then you gave that info away too, in that 'blocked link' in your name history. That's where your mistake was, and even if you don't THINK you've been scammed directly by them, off-steam 'trade' sites are ALL scams. They collect your info, and USE it.
Watch out for fake Steam login pages and fake browser windows, on any site that's not Steam.

All they need to do is to ask you for your username and password, then once you've entered them, they ask you for your mobile auth code.

Voila, full access to account. Can do that anywhere.
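
Why a typed code stops helping once it is entered on the wrong page, as an added example that is not part of the original thread. It assumes a standard RFC 6238 time-based code (the thread does not say which algorithm Steam uses); the secret is the constructed RFC test value and the function names are made up for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code: RFC 6238 default, an assumption (not from the thread)
DIGITS = 6   # code length: also an assumption


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code over HMAC-SHA1: depends only on (secret, time)."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def server_verify(secret: bytes, code: str, now: int, drift_steps: int = 1) -> bool:
    """The check the real service can make. Its inputs are the secret, the
    code and the clock; nothing records which page the code was typed into,
    so a code collected elsewhere and passed on in time looks identical."""
    for step in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(totp(secret, now + step * STEP), code):
            return True
    return False


def walk_through() -> dict:
    """Constructed timeline using the RFC 4226/6238 test secret."""
    secret = b"12345678901234567890"
    code = totp(secret, 59)  # what the phone shows at t=59
    return {
        "code": code,
        # Still inside the accepted window, wherever it was typed:
        "accepted_20s_later": server_verify(secret, code, 79),
        # Expiry is the only limit the code itself carries:
        "accepted_2min_later": server_verify(secret, code, 179),
    }


if __name__ == "__main__":
    print(walk_through())
```

The check enforces only the right secret and a recent clock, which is why the advice in this thread comes down to typing the code nowhere except Steam itself.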
J4MESOX4D Oct 16, 2019 @ 4:09am 
Originally posted by RedLightning:
So basically the auth is useless with malware installed?

The scammers got by that brick wall tout suite .. either way.. I seriously hope that the 'support' requests to valve have increased well beyond the 77thousand they were complaining about.

Still won't get a cell phone.
The auth works perfectly as intended - it's a separate security layer on a completely independent device. For instance, if the user's PC is compromised then they still have the mobile phone to fall back on as a secondary security measure. However, some users have a habit of giving away all these credentials to scam sites including their auth code which renders the extra security layer pointless. This is the user's fault. For some reason, people think the mobile app is a brick wall security addition but those people don't understand how or why it's in place hence why they get scammed so easily.

The OP here even has a vintage phishing site in their name history.
RedLightning Oct 16, 2019 @ 11:29am 
Originally posted by J4MESOX4D:
Originally posted by RedLightning:
So basically the auth is useless with malware installed?

The scammers got by that brick wall tout suite .. either way.. I seriously hope that the 'support' requests to valve have increased well beyond the 77thousand they were complaining about.

Still won't get a cell phone.
The auth works perfectly as intended - it's a separate security layer on a completely independent device. For instance, if the user's PC is compromised then they still have the mobile phone to fall back on as a secondary security measure. However, some users have a habit of giving away all these credentials to scam sites including their auth code which renders the extra security layer pointless. This is the user's fault. For some reason, people think the mobile app is a brick wall security addition but those people don't understand how or why it's in place hence why they get scammed so easily.

The OP here even has a vintage phishing site in their name history.

So in that instance.. it's of ZERO use..

literally zero.

Sill all those 'other' people that actually are not as stupid.. get to put up with the onion layers.

sweet.

nah.
Brian9824 Oct 16, 2019 @ 11:39am 
Originally posted by RedLightning:
Originally posted by J4MESOX4D:
The auth works perfectly as intended - it's a separate security layer on a completely independent device. For instance, if the user's PC is compromised then they still have the mobile phone to fall back on as a secondary security measure. However, some users have a habit of giving away all these credentials to scam sites including their auth code which renders the extra security layer pointless. This is the user's fault. For some reason, people think the mobile app is a brick wall security addition but those people don't understand how or why it's in place hence why they get scammed so easily.

The OP here even has a vintage phishing site in their name history.

So in that instance.. it's of ZERO use..

literally zero.

Sill all those 'other' people that actually are not as stupid.. get to put up with the onion layers.

sweet.

nah.

Any security system in the world is useless if you give away all the logins to bypass it. The OP literally handed access to his account away.
J4MESOX4D Oct 16, 2019 @ 12:02pm 
Originally posted by RedLightning:
Originally posted by J4MESOX4D:
The auth works perfectly as intended - it's a separate security layer on a completely independent device. For instance, if the user's PC is compromised then they still have the mobile phone to fall back on as a secondary security measure. However, some users have a habit of giving away all these credentials to scam sites including their auth code which renders the extra security layer pointless. This is the user's fault. For some reason, people think the mobile app is a brick wall security addition but those people don't understand how or why it's in place hence why they get scammed so easily.

The OP here even has a vintage phishing site in their name history.

So in that instance.. it's of ZERO use..

literally zero.

Sill all those 'other' people that actually are not as stupid.. get to put up with the onion layers.

sweet.

nah.
Yes because the OP gave it away along with their account name and password - both these are equally useless if they are given away just like the generated auth codes.

The mobile authenticator works as intended whereby if one device becomes compromised, the other can act as a barrier. If the user is stupid enough to compromise all their credentials then that's their fault.

It's a great security measure that has saved support a lot of hassle and a lot of users from malicious one-click phishing. Those that enter their credentials into scam sites can't be helped because they are too reckless with the countermeasures given to them.

Date Posted: Oct 15, 2019 @ 12:13pm
Posts: 42