Install Steam
login
|
language
简体中文 (Simplified Chinese)
繁體中文 (Traditional Chinese)
日本語 (Japanese)
한국어 (Korean)
ไทย (Thai)
Български (Bulgarian)
Čeština (Czech)
Dansk (Danish)
Deutsch (German)
Español - España (Spanish - Spain)
Español - Latinoamérica (Spanish - Latin America)
Ελληνικά (Greek)
Français (French)
Italiano (Italian)
Bahasa Indonesia (Indonesian)
Magyar (Hungarian)
Nederlands (Dutch)
Norsk (Norwegian)
Polski (Polish)
Português (Portuguese - Portugal)
Português - Brasil (Portuguese - Brazil)
Română (Romanian)
Русский (Russian)
Suomi (Finnish)
Svenska (Swedish)
Türkçe (Turkish)
Tiếng Việt (Vietnamese)
Українська (Ukrainian)
Report a translation problem
Discussions Rules and Guidelines
Report this post
How to secure your account if your account credentials have been compromised:
Scan for malware https://www.malwarebytes.com/
Deauthorize all other devices https://store.steampowered.com/twofactor/manage
Change passwords from a clean computer
Revoke the API key https://steamcommunity.com/dev/apikey
Generate new backup codes
You don't use it, it should be blank, hence why anything in there should be revoked.
If this is the first you've come back to do any of this, count on your games getting bans, if anyone else has had control over your account in the 2+ weeks since this was first posted. No items will be returned to you if they were sold or traded away.
What a security hole.
I know I've never had to use it .. so why does it exist outside of the developer realm?
The "security hole" is where it always has been......between keyboard and chair.
Here is one example of how it works :
API Key Scam Explained
https://blog.opskins.com/protect-your-steam-account-from-the-steam-api-key-scam/
EDIT...The link is dead now, so here is an explanation :
https://steamcommunity.com/discussions/forum/1/1744480967002394150/?tscn=1545720735#c1744480967003395945
"So many people are in car accidents and die! What a security hole! No one should be able to drive outside taxi drivers!"
It's a tool. It has its uses and it is abused by skanky people with scummy values.
But the people getting scammed don't know they're being scammed until it's too late. They are still the security hole, as pointed out above.
And if the API key was only OPEN for developers.. and not EVERYONE.. well that would greatly reduce this bull.. no?
Since you don't know how this process could possibly affect individual users, I'd suggest: people need to learn not to enter their creds places.
If the car was locked for everyone except... seriously, it's still the same response. It in itself is not in any way to blame for this.
It has already been asked. 'what is it needed for' and the response was that you dont need it.
It says DEVELOPER ..
SO why does the general user have access to this portion?
It should be granted to 'DEVELOPERS' that require it.
If you don't need a key, then you don't need to have an API key entered.
Yes.. but obviously its open for scammers to jilt people with.
Hey.. if I've never needed it.. and hackers use it.. and its only for developers.. why in the hell is it accessable by hackers when someone clicks a link..
really..
No real defense to this one.
Have a nice day.
They are freely going to shady third party websites, and freely entering their Steam login information on those sites. Not a problem because they have the mobile authenticator, right ?
Wrong. Because they are also entering the auth. codes and that's when the magic happens. A shell (fake) account is then copied to look almost exactly like the one they intend to trade with at that time or the next time they do a trade.
Since the API key is compromised, this gives the ability for the avatar, profile name, and other appearances of the profile of the one intended to trade with to be copied to look very much like each other. There are warnings and red flags that Steam also tells the user, but often people are not paying attention and just click to confirm the trade anyway, and then the items are sent to the fake account instead of the one they intended to trade with.
Keep in mind that this is 100% on the user for freely giving away their Steam login information and codes.
Now, according to this OP above, we can't be sure that is exactly what happened, but it could be, and doing the normal steps we post will do no harm if there is no foul, but if there is an API key that was generated when they compromised their own account, then that needs to be revoked.
So that's why the key needs to be empty with nothing there, unless you are a developer, for example, and you intend for one to be there, and if you do, then you know what that key is and what it does and what it is for. There are other posts in the forums here that explain it pretty well, at least one version of it.
There is also the fake "VAC ban threat" version of this scam, and I can send you dozens of links to cases that show those, or you can just visit the VAC discussion forum at any time, and they get posted there daily.
https://steamcommunity.com/discussions/forum/1/2572002906850009113/#c2572002906850084112
https://steamcommunity.com/discussions/forum/1/1744480967002394150/?tscn=1545720735#c1744480967003395945 <--------------- This one has the steps to take and a good explanation.
https://steamcommunity.com/discussions/forum/1/1729828401679969268/#c1729828401679990405
https://steamcommunity.com/discussions/forum/1/3315110799617311088/#c3315110799617315290