My account got hijacked
Now I know, what would a person like me be doing in the Helps and Tips forum talking about my account being hijacked or hacked. Well the thing is, it was from a verified trading and gambling site that had all the credentials of a legit site. Again, I know, why the ♥♥♥♥ (sorry for the profanity) would anybody be going on a gambling site after the 7 day trade ban. I was just curious, but my dumb self fell for my curiosity. However, I fell for this since I know from recent experience, meaning I got scammed of a tf2 unusual, that the site will pretend that you won an insane item like “YOU JUST WON A FACTORY NEW DLORE”, or “AN AUSTRALIUM FRYING PAN”, which is what I thought would happen. But when I clicked the link of the site that someone was spamming me (again, I know I’m stupid for that) I got immediately disconnected from my voice chat and my account was soon logged out of. And yes, this is called phishing, where a site poses as a real site and steals your info. I heard of something like this but I NEVER knew that it could happen just by clicking a link in steam. I soon checked my email and soon enough, my number was removed from the mobile authenticator and my password was changed. Note, this is my first time that this has ever happened to me and I was freaking out, losing my ♥♥♥♥, basically I was hella nervous. So believe it or not, I looked up how to get my account back and even watched a NiCKBunYUn video (props if he actually reads this which he probably won’t) to find out, ten minutes after, I locked my account. Now thank god that it was a person who was looking for my items like csgo knives and gloves, and not a troller who could’ve gotten me vac banned since he could’ve done that in 10 min. I submitted like 3 help requests to get my account back to steam support. The next day, whaddya know, I get an email from steam support with the changed account info and found out it was a guy from a foreign country starting with yiber or something like that.
The crazy thing is, my name was my IP address or something like that, but I found his IP and sent a ♥♥♥♥♥♥♥ message saying the funniest thing I ever said to his account: “You low titty no nipple bish no steam reppin lookin ass Russian scammin ass, get out of here with yo scams bish. Yo balls drop so low to the floor, the kids you scam from could use them for a soccer net.” Now the lesson I learned which was the most important thing. DON’T ♥♥♥♥♥♥♥ GO ONTO ANY TRADING OR GAMBLING SITE.

PS: unless it’s backpack.tf, scrap.tf, or trade.tf
@The Giving One
Not trying to be rude here, but you should seriously stop copy-pasta-ing, then start reasoning with your actual own brain. No, Valve's database wasn't """breached""" at all anyway, never stated that. The point is vulnerabilities are a thing, I didn't actually invent Spectre, Meltdown, Spoiler, Out-of-bounds (and so on) myself. There are actual ways to swindle/embroil a telematic system and make it do things it is not supposed to do when running a particular portion of software. The software is programmed and is supposed to act in a specific way, but then you have these exploits and these ways to trick them. You can say that a website runs well until it eventually gets hacked, and the same thing applies to client computers (aka the computers running Steam). There's no 100% mathematical way to guarantee that a system (or, more specifically, the software portion of it) will always work as it is expected to.
Originally posted by Jerry:
Originally posted by cSg|mc-Hotsauce:

Not possible to use an already used code.

:skunk:

Not the code itself, but the login session. By extracting this info, a session can be transferred. I know for sure, that it is possible to do a login through idle Master this way without entering any passwords or mobile codes. Gotta work elsewhere too.
Yes, that's called Session Stealing. Most servers and clients should be protected but, as I said, hackers find new ways to trick systems every day, so who knows.
Last edited by Melody; 23 Mar 2019, 9:23
Originally posted by Melody =^-^=:
@The Giving One
Not trying to be rude here, but you should seriously stop copy-pasta-ing, then start reasoning with your actual own brain. No, Valve's database wasn't """breached""" at all anyway, never stated that. The point is vulnerabilities are a thing, I didn't actually invent Spectre, Meltdown, Spoiler, Out-of-bounds (and so on) myself. There are actual ways to swindle/embroil a telematic system and make it do things it is not supposed to do when running a particular portion of software. The software is programmed and is supposed to act in a specific way, but then you have these exploits and these ways to trick them. You can say that a website runs well until it eventually gets hacked, and the same thing applies to client computers (aka the computers running Steam). There's no 100% mathematical way to guarantee that a system (or, more specifically, the software portion of it) will always work as it is expected to.
None of my posts are "copy-pasta". Not sure where you are getting that, but if you mean me linking to official Steam information, that's not "copy pasta".

Definition :

A copypasta is a block of text which gets copied and pasted across the Internet by individuals through online forums and social networking websites, to the point of becoming spam.

I will leave you with this and then kindly bow out of the thread. Just because an issue presents itself right at a particular moment, that does not mean the exact action at that particular moment was the exact cause of an issue. The account could have been compromised for months maybe in these cases, where the API key was already compromised by the user of the account.

Simply clicking a link would not be the cause of the account's actual compromise, in such cases.

It could have already been compromised before that.
Originally posted by The Giving One:
Originally posted by Melody =^-^=:
@The Giving One
Not trying to be rude here, but you should seriously stop copy-pasta-ing, then start reasoning with your actual own brain. No, Valve's database wasn't """breached""" at all anyway, never stated that. The point is vulnerabilities are a thing, I didn't actually invent Spectre, Meltdown, Spoiler, Out-of-bounds (and so on) myself. There are actual ways to swindle/embroil a telematic system and make it do things it is not supposed to do when running a particular portion of software. The software is programmed and is supposed to act in a specific way, but then you have these exploits and these ways to trick them. You can say that a website runs well until it eventually gets hacked, and the same thing applies to client computers (aka the computers running Steam). There's no 100% mathematical way to guarantee that a system (or, more specifically, the software portion of it) will always work as it is expected to.
None of my posts are "copy-pasta". Not sure where you are getting that, but if you mean me linking to official Steam information, that's not "copy pasta".

Definition :

A copypasta is a block of text which gets copied and pasted across the Internet by individuals through online forums and social networking websites, to the point of becoming spam.

I will leave you with this and then kindly bow out of the thread. Just because an issue presents itself right at a particular moment, that does not mean the exact action at that particular moment was the exact cause of an issue. The account could have been compromised for months maybe in these cases, where the API key was already compromised by the user of the account.

Simply clicking a link would not be the cause of the account's actual compromise, in such cases.

It could have already been compromised before that.
In this context of discussion, it is copy-pasta because it is considered as just useless information. You can provide this information to people who are having their accounts hijacked, but you can't provide this information when discussing telematic services security for the reasons I've mentioned above (more specifically, I've brought system vulnerabilities into account -- Session Stealing is a vulnerability too anyway).

During the telematic systems security sessions at university, my teacher always told me that, when it comes to security holes and vulnerabilities, there's no actual possible way in this whole galaxy that the vulnerable portion of software will work as you expected it to.
Last edited by Melody; 23 Mar 2019, 9:33
Originally posted by Melody =^-^=:
In this context of discussion, it is copy-pasta because it is considered as just useless information.
Then feel free to use the report button for such posts in the future please, as you see fit.
Originally posted by The Giving One:
Originally posted by Melody =^-^=:
In this context of discussion, it is copy-pasta because it is considered as just useless information.
Then feel free to use the report button for such posts in the future please, as you see fit.
I'd prefer having an open-dialogue discussion rather than reporting posts. Instructing people to see beyond the common knowledge is more worthy than just smashing the report button. Anyway I would really love it if you read my whole post instead of just the first part of it, this is not a battle of "who's smarter" or "who provides the best information". I think that having a flexible mind that adapts to every circumstance is one of the keys to reach that "unlimited knowledge" thingy.
Last edited by Melody; 23 Mar 2019, 9:38
Originally posted by Jerry:
As I said, I am pretty sure, the login session (including mobile authentication!) is stored as a browser cookie, so in theory it might be possible to "steal" a login, if one gets hold of the session id and login code in that file. While email authentication does require the confirmation of new devices, mobile auth removes this security layer.
I don't know, if spyware or other harmful stuff is able to dig at this layer, but would not want to rule it out.

A previous infection would not explain, why this scenario happens exactly at the moment, when a website is opened, while it could take place at any given time.

As I said, I'd like to hear cases like this from people outside of the thread starter's personal surrounding. This is still a too small circle for my taste. As soon as more of that kind pop up in the forum, we should worry.
I think it has something to do with a terminal access where you could type in your terminal browser ‘arp -a’ and receive the IP addresses of people in your vicinity, however this was done from a country in Europe, and I’m definitely sure that terminal software scanning isn’t long range. So idk
Originally posted by Jerry:
Originally posted by Bermit:
But when I clicked the link of the site that someone was spamming me ,(again, I know I’m stupid for that) I got immediately disconnected [...] it could happen just by clicking a link in steam.

That is indeed unusual and concerning. Absolutely sure, you did not use a false login screen?
If this happened purely by opening the site, it might mean, that some script or malware got hold of your browser cookies... Gotta wait if more cases like that show up in the next time. Would be something to worry a lot about.

No I think I clicked on the login screen
Originally posted by The Giving One:
Originally posted by Melody =^-^=:
You take everything for granted, but you actually don't have the required competences to say that a telematic system can't be hacked at all. The fact that you theoretically need 2-factor authentication actually means nothing. Then what about Spectre and Meltdown? What about CVE-2019-5786, OOB and other similar flaws that allow to get COMPLETE CONTROL of your Host system from a web browser (and even VMware and VirtualBox with the OOB!) without requiring the user to do anything? Same thing applies to the SPOILER vulnerability. There's absolutely NO WAY to have a 100% mathematical guarantee that a 2-factor authentication will keep you safe. Full stop.
So, according to you, Valve's database was breached and with millions worth of payment method bits of information, email addresses, and other personal account and personal information, the attackers just "hacked" it for this one user's account and left everything else all alone? Don't you see how silly that is?

It's not a "hack". People use that word way too loosely.

https://support.steampowered.com/kb_article.php?ref=1266-OAFV-8478

Account Phishing

If you receive a link from another user, especially one claiming free access to Steam content, use extreme caution! All official Steam logins are directed to the steampowered.com or steamcommunity.com domains, and official pages will include an Extended Validation SSL certificate, which most up-to-date modern browsers will identify with green text or a green highlight in the address bar with "Valve Corporation [US]" near the address. If you suspect a site asking for your login information is not an official Steam site, do not enter any information on the site and disregard it.

Things to Watch Out For

Account hijackers have several common methods of attack, most of which rely upon misinformation or deception. Your account cannot be stolen if you follow these recommendations and refrain from sharing your account.

Examples of hijacking attempts :

A list of common scams can be found here. <-----------LINK

https://www.reddit.com/r/Steam/wiki/scamtypes

Never share your account credentials, including your sign-in name and authenticator codes.

Again, by following some pretty simple and straightforward steps, your account cannot be hijacked.
Thanks, you by far have told me the most useful stuff, not that others don’t have useful stuff to offer
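
Added example (not part of the thread and not Steam's own code): a small Python check for the rule in the Steam Support text quoted above, that official logins live only on steampowered.com or steamcommunity.com. The function name and the sample URLs are constructed for illustration; the sample hosts use reserved example domains.

```python
from urllib.parse import urlsplit

# The two official login domains named in the quoted Steam Support article.
OFFICIAL_DOMAINS = ("steampowered.com", "steamcommunity.com")


def classify_login_url(url):
    """Return (is_official, reason) for a link that claims to be a Steam login."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lowercased; userinfo ("user@") and port removed
    except ValueError:
        return (False, "unparseable URL")
    if parts.scheme != "https":
        return (False, "not https")
    if not host:
        return (False, "no host")
    host = host.rstrip(".")
    # Match the whole registered domain on a label boundary, so that
    # "steamcommunity.com.example.net" does not pass as official.
    for domain in OFFICIAL_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return (True, "official domain")
    # Non-ASCII or punycode labels are how lookalike letters get into a name.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return (False, "internationalized hostname (possible lookalike)")
    return (False, "host is not an official Steam domain")


if __name__ == "__main__":
    # Constructed sample links, not taken from the thread.
    samples = [
        "https://steamcommunity.com/login/home/",
        "https://store.steampowered.com/login",
        "https://steamcommunity.com.example.net/login",
        "https://steamcommunity.com@example.net/login",
        "https://ste\u0430mcommunity.com/login",  # Cyrillic "a" in the name
        "http://steamcommunity.com/login",
    ]
    for s in samples:
        print(classify_login_url(s), s)
```
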
Originally posted by The Giving One:
Originally posted by Bermit:
I heard of something like this but I NEVER knew that it could happen just by clicking a link in steam. I soon checked my email and soon enough, my number was removed from the mobile authenticator and my password was changed.
This suggests that your account was already compromised as well as the API key for your account. Because simply clicking a link to install malware on your PC will not get around the mobile auth.

You have to give the account credentials over or have done that already from using such shady, third party sites. If you entered auth. codes on them and Steam login information, for example.

API Key Scam Explained

https://blog.opskins.com/protect-your-steam-account-from-the-steam-api-key-scam/

After that, they can just sit on your account for as long as they want, waiting for the right time to strike.

EDIT..Or, you meant above that you clicked the link on your phone, but I did not see that in your post. If you did, I would also suggest a scan of your mobile device ASAP.

No, I think I could’ve either automatically logged in, which I don’t think happened. Or I could’ve logged in in some way
So, did you insert details or just click a link?
a golden pan is like 2600€ why would anyone give that away in a giveaway if there's not many of them to begin with

as long as people aren't thinking about things logically, this will happen
Date posted: 23 Mar 2019, 7:30
Posts: 26