Do these things, just in case.

Scan for malware. https://www.malwarebytes.com/

Deauthorize all devices https://store.steampowered.com/twofactor/manage

Change your password on a secure device.

Generate new back up codes. https://store.steampowered.com/twofactor/manage

Revoke the api key https://steamcommunity.com/dev/apikey
** If there is nothing in the API key area, that’s fine. If there IS something, remove it. Nothing should be there.**

I have all the tools to keep malware away from my comp.
There is no malware. No API.

I have tried everything and it keeps happening.

The first thing I did of course is to remove all payment methods.

Now I have some games i really like that are on offer but I cannot buy them without risking my credit card information.

That's true, mobile authenticator is constantly cycling thru new pins (every 15 seconds) and not only once you request a new login, it's like that by design.

If you would get these pins thru email, that would be a different thing, then someone probably had access to email and password.

What do you mean? Is it from "steam guard" menu, or from "confirmation" menu?

No it is not cycling new pins.

Here what happens daily. At odd hours of the day , when the app isn't even loaded at all, my only device with steam installed wasn't even turned on....
A notification suddenly appears and tells me to use this pin.
Then it stops. Until the next day that is. It seems like this person is making one attempt per 12 to 24 hours or something.

Deauthorization prompts me to remove the authentication. Would this not allow the hacker to log into my account once the authentication is removed?

Originally posted by cliffordeg:

Deauthorization prompts me to remove the authentication. Would this not allow the hacker to log into my account once the authentication is removed?

"Deauthorize all other devices" means all authorizations other than the one you're currently using are removed. Any login on such devices will then prompt another code request.

This also means it's useless for your situation, as you ARE getting codes, so these logins are obviously NOT happening on authorized devices.

This is mostly for situations where you loose control over an authorized device. Unfortunately, you can't revoke specific authorizations, but it's also a certain safety net -- if you loose your laptop, you'd have to remember to remove authorizations for the Steam client, the Firefox browser, the Chrome browser... and you might forget your ASF bot.

Thank you!

Still an unresolved problem.

I have done everything, and changed my password a few months ago. I just changed it again hopefully it will work. If not I will not use steam again. Looks like steam compromised my account info.

Probably what’s happening is

1) someone has a username similar to yours
2) they type in your username
3) they can’t log in
4) they initiate a password reset
5) you get the code request

No one else has access to any of my devices.
None of my other stuff has ever seen any security breach before.
I use the same device for all my banking transactions. No breach.
Zero issues. Only steam has this issue.

I am leaning towards Satoru's idea.

Thank you Satoru.