How trade hold works.

- By default without Steam mobile guard app, trade hold are 15 days long.

- When you add Steam mobile guard app to account, you need to wait 7 days exactly down to the last second. Then you can confirm trades, please note when trading items between two parties, both need the Steam mobile guard app, to confirm trade, but if you're gifting items, only you need to confirm the trade.

- When you cancel trade, you get a Trade cooldown for exactly 7 days down to the last second, it literally explain this to you when you click cancel trade.



Now, if you been visiting third parties sites, and logging into Steam from those sites, then chances are they're probably a phishing site, if don't know what phishing means, means people that make fake website page that look like the real website, and they collect your login details that you enter on the page, and gain access to your account, either they inject a bot that using API key on your account which they steal your items when you make a trade, as it will cancel your trade you make with someone, and automatically redo trade, but you're gifting all your items to the hijacker bot account which they copy the person you're trying to trade with display name, and display picture, or they straight up try to take over your account, and just do whatever to your account, like target your friends to do things to also get their account stolen as well, or worse.

If you believe you have someone on your account, follow these steps to secure your account, don't skip any.
1. Scan for malware https://www.malwarebytes.com/
2. Deauthorize all other devices https://store.steampowered.com/twofactor/manage
3. Change passwords from a clean computer
4. Generate new backup codes for your Mobile App https://store.steampowered.com/twofactor/manage
5. Revoke the API key https://steamcommunity.com/dev/apikey (there should be nothing in the APIKEY)

Most common reason people get accounts hijack for any service really are as followed.
- Sharing account infomation with others. <--- Very common with impersonators, pretending to be Steam admin / support.
- Logging in on phishing sites. <--- Very common with skin gambling sites.
- Downloading / Installing Virus / Keylogger on your system.
- Using public devices that has keyloggers, such as cyber cafe, school computers, and etc...
- Storing your login credentials on a unsecured service that others has access to view.
- Using same login credentials for all your things, or using same login credentials on another service that had a data leak. Yes it does matter because even if it not related to Steam, if using same login credentials, hijackers will try to use those credentials to see what services you use with those credentials. https://haveibeenpwned.com/