This topic has been locked
Sigurd Roos May 4, 2020 @ 10:43am
How does someone get your API key?
Hey guys,
I recently got scammed for all my skins, through an API scam. A user contacted me about a giveaway bla bla bla all that stuff. And I was well aware that it was a scam, but me and my friend were curious about how the guy actually was planning on scamming me. He told me that the winner must be poor and suggested that I gift the skins I have to a friend. I did the trade offer and this is where the scam happened (obviously). I thought that as long as I don't put in my password on any third party websites or any of that stuff, I should be fine. Anyways, I am wondering how the hell this guy got my API key, as I haven't entered my credentials anywhere (and I am 100% sure of that :)). So if anybody knows how these scammers get people's API keys, please share. It is also worth noting that the guy did send me a link that I checked on several link scanners that all said that the link was in the clear. The link was an obvious scam picture, that had my profile picture etc. and said that I had won a giveaway etc. Again, I didn't enter my password or anything, it was merely a picture. I didn't even click on anything in there. P.S. I don't want any comments about how dumb I am and how stupid it was of me to accept the offer so on so on, as I know that this is 100% my fault, and I am already in deep regret. Thanks!
Cathulhu May 4, 2020 @ 10:45am 
Usually by the user entering their account on a fake website, giving someone access to your account enabling such shenanigans.
Sigurd Roos May 4, 2020 @ 10:47am 
Originally posted by Cathulhu:
Usually by the user entering their account on a fake website, giving someone access to your account enabling such shenanigans.
Thanks, but as I said in my post, I haven't done any of that. Do you know any other ways that people can get your API key?
аdvicebanana May 4, 2020 @ 10:48am 
There are phishing sites that look just like regular 3rd party sites at first glance. You enter your password => criminal scum get your API key.

Never say never. Read https://forums.steamrep.com/pages/hijacking/
JPMcMillen May 4, 2020 @ 10:49am 
Originally posted by pr0phet:
Originally posted by Cathulhu:
Usually by the user entering their account on a fake website, giving someone access to your account enabling such shenanigans.
Thanks, but as I said in my post, I haven't done any of that. Do you know any other ways that people can get your API key?
You get led to a fake Steam login page. It looks just like the real thing.
Sigurd Roos May 4, 2020 @ 11:02am 
Hi everyone! Thanks for the comments, I don't think I was clear enough... I am 100% sure that I didn't enter my steam password and username anywhere, I haven't entered those in weeks...
The author of this thread has indicated that this post answers the original topic.
JPMcMillen May 4, 2020 @ 11:04am 
Originally posted by pr0phet:
Hi everyone! Thanks for the comments, I don't think I was clear enough... I am 100% sure that I didn't enter my steam password and username anywhere, I haven't entered those in weeks...

That's the ONLY way it happens. You, or someone using your account, entered your information to a 3rd party site. There is no other way.
JPMcMillen May 4, 2020 @ 11:05am 
And it may not have been recent either. Sometimes scammers try with information they phished ages ago. Once they have the credentials, they can always try to get back in later.
Sigurd Roos May 4, 2020 @ 11:07am 
Originally posted by JPMcMillen:
And it may not have been recent either. Sometimes scammers try with information they phished ages ago. Once they have the credentials, they can always try to get back in later.
Yes, but wouldn't it be weird if he already had my password and stuff, and still contacted me about the fake giveaway and stuff? I was with my friend when I got scammed and he confirms that I didn't enter anything in the moment...
JPMcMillen May 4, 2020 @ 11:11am 
Originally posted by pr0phet:
Originally posted by JPMcMillen:
And it may not have been recent either. Sometimes scammers try with information they phished ages ago. Once they have the credentials, they can always try to get back in later.
Yes, but wouldn't it be weird if he already had my password and stuff, and still contacted me about the fake giveaway and stuff? I was with my friend when I got scammed and he confirms that I didn't enter anything in the moment...
They need you to confirm the trade with the mobile authenticator to make it work. That's the part they trick you into doing. When you made the trade, they canceled it and created a new one to a look-alike account that had the same profile name and avatar as the original recipient. What they count on is that you'll click the confirmation without looking too closely at the trade.
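
Added example, not part of the original thread and not Valve's code: a check for the cancel-and-recreate swap described in the post above, run over a constructed list of sent trade offers. Field names and state values follow the trade-offer objects returned by Steam's IEconService/GetTradeOffers; the account IDs, timestamps, the 300-second window and the helper names are assumptions made for illustration.

```python
# Added example; SAMPLE_OFFERS is constructed data. Field names follow the
# trade-offer objects returned by Steam's IEconService/GetTradeOffers.
STEAMID64_BASE = 76561197960265728   # individual accounts, public universe
CANCELED, NEEDS_CONFIRMATION = 6, 9  # ETradeOfferState values

FRIEND_STEAMID64 = 76561197961265729  # constructed: the friend you meant to gift

SAMPLE_OFFERS = [
    {"tradeofferid": "1001", "accountid_other": 1000001, "trade_offer_state": CANCELED,
     "time_created": 1588588000, "time_updated": 1588588020,
     "items_to_give": [{"assetid": "111"}, {"assetid": "222"}]},
    {"tradeofferid": "1002", "accountid_other": 2000002, "trade_offer_state": NEEDS_CONFIRMATION,
     "time_created": 1588588025, "time_updated": 1588588025,
     "items_to_give": [{"assetid": "111"}, {"assetid": "222"}]},
    {"tradeofferid": "1003", "accountid_other": 1000001, "trade_offer_state": NEEDS_CONFIRMATION,
     "time_created": 1588590000, "time_updated": 1588590000,
     "items_to_give": [{"assetid": "333"}]},
]

def account_id(steamid64):
    """32-bit account ID as it appears in accountid_other."""
    return steamid64 - STEAMID64_BASE

def assets(offer):
    return frozenset(item["assetid"] for item in offer.get("items_to_give", []))

def recipient_matches(offer, intended_steamid64):
    """Compare by ID: profile name and avatar can be copied, the ID cannot."""
    return offer["accountid_other"] == account_id(intended_steamid64)

def find_swapped_offers(offers, intended_steamid64, window=300):
    """IDs of pending offers that reuse the items of a canceled offer to the
    intended recipient but go to another account within `window` seconds.
    Assumption: time_updated of the canceled offer is the cancel time."""
    canceled = [o for o in offers
                if recipient_matches(o, intended_steamid64)
                and o["trade_offer_state"] == CANCELED]
    flagged = []
    for o in offers:
        if recipient_matches(o, intended_steamid64):
            continue
        if o["trade_offer_state"] != NEEDS_CONFIRMATION or not assets(o):
            continue
        if any(assets(o) == assets(c)
               and 0 <= o["time_created"] - c["time_updated"] <= window
               for c in canceled):
            flagged.append(o["tradeofferid"])
    return flagged

if __name__ == "__main__":
    print(find_swapped_offers(SAMPLE_OFFERS, FRIEND_STEAMID64))
```
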
JPMcMillen May 4, 2020 @ 11:12am 
And if you haven't done so already:

How to secure your account if your account credentials have been compromised:

Scan for malware https://www.malwarebytes.com/

Deauthorize all other devices https://store.steampowered.com/twofactor/manage

Change passwords from a clean computer

Revoke the API key https://steamcommunity.com/dev/apikey

Generate new backup codes
Sigurd Roos May 4, 2020 @ 11:20am 
Originally posted by JPMcMillen:
And if you haven't done so already:

How to secure your account if your account credentials have been compromised:

Scan for malware https://www.malwarebytes.com/

Deauthorize all other devices https://store.steampowered.com/twofactor/manage

Change passwords from a clean computer

Revoke the API key https://steamcommunity.com/dev/apikey

Generate new backup codes
All right, thanks. I must've entered my password several weeks ago then. Well, ♥♥♥♥.
Originally posted by sigurdroos:
Hey guys,
I recently got scammed for all my skins, through an API scam. A user contacted me about a giveaway bla bla bla all that stuff. And I was well aware that it was a scam, but me and my friend were curious about how the guy actually was planning on scamming me. He told me that the winner must be poor and suggested that I gift the skins I have to a friend. I did the trade offer and this is where the scam happened (obviously). I thought that as long as I don't put in my password on any third party websites or any of that stuff, I should be fine. Anyways, I am wondering how the hell this guy got my API key, as I haven't entered my credentials anywhere (and I am 100% sure of that :)). So if anybody knows how these scammers get people's API keys, please share. It is also worth noting that the guy did send me a link that I checked on several link scanners that all said that the link was in the clear. The link was an obvious scam picture, that had my profile picture etc. and said that I had won a giveaway etc. Again, I didn't enter my password or anything, it was merely a picture. I didn't even click on anything in there. P.S. I don't want any comments about how dumb I am and how stupid it was of me to accept the offer so on so on, as I know that this is 100% my fault, and I am already in deep regret. Thanks!
Same as me, they scammed my AK-47 Asiimov
Riley Feb 18, 2023 @ 10:37am 
This thread was quite old before the recent post, so we're locking it to prevent confusion.

Date Posted: May 4, 2020 @ 10:43am
Posts: 13