franz Apr 23, 2022 @ 6:41pm
How can someone hack into my Steam and sell my Dota 2 items
1. So a couple of months ago, I turned off Steam Guard because there were occasions where I don't bring my phone with me.

2. I trusted that Steam would still require logins to be authenticated via email code

3. Last month, (I didn't report it) but most of my sellable items were sold in the marketplace in my Dota 2 Inventory. And whoever did that bought one thing in the market worth $70 to $80.

4. I'm just curious how someone got access to my Steam account and did this when my account is only signed in on 3 places

- My Laptop
- My Partner's PC (who doesn't play Dota 2 and only bought single player games)
- My PC at home
- My Phone App.


5. I remembered someone inviting me to a match. I thought it was a legit one but I signed in through steam (and it asked for access)

6. Then I realized it was a fake tournament site.

Would signing in through Steam on fake websites make that scammer get access to my account and sell my Inventory in the marketplace? Or do you think something else is the cause? My siblings don't know and I'm 100% sure wouldn't touch my account for this, nor my partner.

Any thoughts?

Showing 1-15 of 18 comments
Crazy Tiger Apr 23, 2022 @ 6:42pm 
You got phished, yes. That gave the hijackers access to the account.

Have you secured your account? Do these steps to be sure:
- Scan for malware. https://www.malwarebytes.com/
- Deauthorize all devices https://store.steampowered.com/twofactor/manage
- Change your password on a secure device.
- Generate new back up codes. https://store.steampowered.com/twofactor/manage
- Revoke the api key https://steamcommunity.com/dev/apikey
Last edited by Crazy Tiger; Apr 23, 2022 @ 6:44pm
Wizardhermit Apr 23, 2022 @ 6:50pm 
Your account didn't get "hacked", it was hijacked. Somewhere you were phished by entering all your account information into a scam website. These are usually 3rd party trading sites. This is in no way Steam's fault, the blame is 100% on you.

What happens is that scammers create a fake Steam login page, and then lure people to the page.
When the user then enters their username/password, the scammer simply uses them to login themselves.

What every Steam user needs to learn is to NEVER use their account to login anywhere other than the actual Steam client (or web site).

Typical methods for luring you to a fake steam login:

* Setup a website, and offer users free stuff. User logs in and loses their account.

* A "friend" sends a message asking you to vote for their team in some tournament, usually CSGO, DOTA2 or other popular games, via a link. User logs in and loses their account.

* Someone leaves a comment on your profile, saying how you should join their CSGO team by following a link. User logs in and loses account.
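
A defensive check for the lure links described above, as an added example that is not part of the original post: it parses a link the way a browser does and reports whether the real host is one of the Steam hosts linked in this thread. The function name, the allowlist and the sample links are constructed for illustration.

```javascript
// Added example (not from the thread): classify a link before signing in.
// Assumption: the allowlist holds only the two Steam hosts linked in this thread.
const STEAM_HOSTS = new Set(["steamcommunity.com", "store.steampowered.com"]);

function classifySteamLink(link) {
  let url;
  try {
    url = new URL(link); // same WHATWG parser browsers use
  } catch {
    return { host: null, verdict: "invalid", reasons: ["not a parseable URL"] };
  }
  const host = url.hostname; // lower-cased, IDN converted to punycode
  const reasons = [];
  if (url.protocol !== "https:") reasons.push("not https");
  if (url.username || url.password) {
    reasons.push("text before '@' is userinfo, not the host");
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    reasons.push("punycode label, possible look-alike characters");
  }
  if (!STEAM_HOSTS.has(host)) {
    reasons.push(
      host.includes("steam")
        ? "mentions steam but is not an exact Steam host"
        : "host is not a Steam host"
    );
  }
  return { host, verdict: reasons.length ? "suspicious" : "steam", reasons };
}

// Constructed sample links; only the first is a real Steam URL (from this thread).
const SAMPLES = [
  "https://steamcommunity.com/dev/apikey",
  "https://steamcommunity.com.vote-team.example/login",
  "https://steamcommunity.com@signin.example/openid",
  "http://store.steampowered.com/twofactor/manage",
  "https://steamcommun\u0456ty.com/login", // Cyrillic i in place of Latin i
];

for (const link of SAMPLES) {
  const r = classifySteamLink(link);
  console.log(r.verdict.padEnd(10), r.host, r.reasons.join("; "));
}
```

A "steam" verdict only covers the link itself; a page can still draw a fake login window, so the rule of typing credentials only into the Steam client or the real site still applies.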
franz Apr 23, 2022 @ 9:40pm 
I learned something new today. It turned out I still have Steam Guard turned on but instead of a Mobile authenticator, I am using an email authenticator instead.

My Google Account is as secure as f*ck with 2FA turned on. Logging into it on a new device will have to go through my 2FA code. I've also deauthorized all devices and I remember it saying "there were no devices that were deauthorized"

In regards to @wizardhermit's comment, I can call myself computer literate. I've been using a computer since 5 years old. Can fix Hardware/Software issues and I also have taken an IT course though I am an undergraduate

I know what phishing is.

To further elaborate on what I said on #5

-> I never inputted my username and password. and hypothetically, even if I did, whoever got my credentials would go through the Steam Guard (email) and my Gmail (2 Factor authenticated)

I remember it has a sign in button and when I clicked it, there was a sign in option via Steam. I did that and it redirected me through a legitimate Valve Website asking me to authorize my Steam sign in. But afaik (Sign in via Steam) does not collect credentials? Correct?

I then made an effort to back track. My items were sold on Feb 28 and there were no indications on my gmail about any sign in attempts on my steam account before that that shows a diff location from where I live.

The only sign in attempts that I saw were around early March, which shows that they somehow got my logins for some reason but couldn't since I had my email Steam Guard on. I've checked my Gmail's device history and didn't find anything unusual, so how did they get the code to get into my account? And why weren't there suspicious sign in attempts before my items were sold?
Cathulhu Apr 23, 2022 @ 9:44pm 
So, you did enter your login credentials on a fake website showing you a fake login window.
And you gave them your account name, your password and the SteamGuard code. All they needed to enter your account.
Phoenix Apr 23, 2022 @ 10:03pm 
Originally posted by Franz:
To further elaborate on what I said on #5

-> I never inputted my username and password. and hypothetically, even if I did, whoever got my credentials would go through the Steam Guard (email) and my Gmail (2 Factor authenticated)

I remember it has a sign in button and when I clicked it, there was a sign in option via Steam. I did that and it redirected me through a legitimate Valve Website asking me to authorize my Steam sign in. But afaik (Sign in via Steam) does not collect credentials? Correct?

You're directly contradicting yourself here.

Yes, you did input your username and password on a website. Let me guess, the totally legitimate Valve page looked like this[i.imgur.com]?

Congrats, you just gave away your log-in credentials to some unknown third party.

Originally posted by Franz:
I can call myself computer literate. I've been using a computer since 5 years old. Can fix Hardware/Software issues and I also have taken an IT course though I am an undergraduate

I know what phishing is.
Apparently not well enough though. Chalk it down as a learning experience.
Last edited by Phoenix; Apr 23, 2022 @ 10:04pm
Jerry Apr 23, 2022 @ 10:46pm 
Originally posted by Cathulhu:
And you gave them your account name, your password and the SteamGuard code.


Like the user said, there is no Steam Guard code. The account is email-protected. This means, every login from a new computer should require an active email confirmation and be trade-restricted on that device for the following week. Also market transactions over a dollar of value and/or significantly outside the usual price window should not be possible without email confirmation and 15 days hold.

This could mean, that the PC is infected in a way, that gives the attacker control over the email inbox, or that there is a new exploit in regards of market features. At least, there were suspiciously more cases of unwanted sales/purchases in the last weeks, so it might be worth taking a closer look into the situation.
Last edited by Jerry; Apr 23, 2022 @ 10:48pm
Grimm Dec 11, 2022 @ 10:56pm 
I can tell you that the exact same thing happened to me and I have installed all the possible defenses: Steam Authenticator, bitdefender internet security, vpn and my pc is only for gaming, I don't use the internet or emails. Despite all this, this hacker entered my account and posted everything selling almost 130 dollars and then buying himself something for the same amount. How do you support this? There was no phishing. This is entirely Valve's fault. And they said "they're not responsible". No mail, no alert.. nothing.
HikariLight Dec 11, 2022 @ 11:11pm 
Originally posted by Banshee:
I can tell you that the exact same thing happened to me and I have installed all the possible defenses: Steam Authenticator, bitdefender internet security, vpn and my pc is only for gaming, I don't use the internet or emails. Despite all this, this hacker entered my account and posted everything selling almost 130 dollars and then buying himself something for the same amount. How do you support this? There was no phishing. This is entirely Valve's fault. And they said "they're not responsible". No mail, no alert.. nothing.
First off, hijacking someone else's thread is rude.
Second, if you logged into ANY 3rd party sites with your Steam account, you gave your login info away that way.

Valve straight up tells us that the security of our accounts is our responsibility, so they cannot be blamed when a user fails to follow basic internet safety.
davidb11 Dec 11, 2022 @ 11:32pm 
It doesn't matter how secure your account is, if you give the keys to your house to a burglar, don't get upset you get robbed.
No security on the planet can ever stop that.
Not even NSA level.
Originally posted by Banshee:
I can tell you that the exact same thing happened to me and I have installed all the possible defenses: Steam Authenticator, bitdefender internet security, vpn and my pc is only for gaming, I don't use the internet or emails. Despite all this, this hacker entered my account and posted everything selling almost 130 dollars and then buying himself something for the same amount. How do you support this? There was no phishing. This is entirely Valve's fault. And they said "they're not responsible". No mail, no alert.. nothing.
Where did you use the combination of username, password and guard code?
Because that's what the hijacker needed.
J4MESOX4D Dec 12, 2022 @ 7:21am 
Originally posted by Banshee:
I can tell you that the exact same thing happened to me and I have installed all the possible defenses: Steam Authenticator, bitdefender internet security, vpn and my pc is only for gaming, I don't use the internet or emails. Despite all this, this hacker entered my account and posted everything selling almost 130 dollars and then buying himself something for the same amount. How do you support this? There was no phishing. This is entirely Valve's fault. And they said "they're not responsible". No mail, no alert.. nothing.
Doesn't matter how many 'defences' you have on your PC - if you allow your credentials to be phished, you will get hijacked (NOT hacked).

To date, not one single account on this platform has ever been 'hacked' and only people oblivious to what's happened use this terminology. It is not good going forward because not understanding will just mean it'll happen again and you probably won't even to adequately secure your account.

It doesn't matter how strong the locks are to your house or how many alarm codes you have, you give away the keys, you're gonna get burgled.
MagicMight Dec 12, 2022 @ 3:08pm 
Originally posted by nullable:
Users love the idea that some l33t h4x0r got them and they were helpless, so it's not their fault.

It's a shame really. But ego is a hell of a drug.

You poor, poor soul. You really have no idea, do you? Allow me to illuminate you as to what is really going on behind the scenes.

It was quiet. And it was dark. A single ray of sunshine that crept through the small chasm below the door was the only source of light in the otherwise dark basement.

Well, that, and our aspiring hacker's monitors. They numbered in the dozens, all strategically mounted on the wall above his state-of-the-art desk, keyboards and mouses. They emitted just enough light for their user's determined figure to be barely distinguishable.

Our hacker, who for safety reasons shall be nicknamed l33t h4x0r, knew it was time. He had been studying. He had been learning. He had been preparing for months. Nay, he had spent his whole life preparing for this.

This would be the day that he would hack Franz and Banshee.

With a growl of determination, he assaulted his expensive mechanical keyboard and started typing away, attempting every possible trick in his vast hacking arsenal to infiltrate Valve's servers. And not too soon... against all logic - against all reason - against ALL expectations, he was in! After a scant few minutes he had discovered a vulnerability that allowed him unfettered access to the innards of Valve's database. He shivered as he allowed his mind to go astray with a momentary fantasy: after he was done with this he would report this vulnerability to hackerone and Valve would give him a bounty. Which in essence meant that he would get paid for hacking those pesky users. He cackled loudly at the thought.

So, in no time at all he had left in pursuit of the elusive data of those two users he had in his sights. It mattered not that all the data was stored as hashes. He employed his cleverly developed reverse engineering algorithm, which, along with the employ of the array of 3090s that he had stockpiled and the clever use of some basic AI scripts allowed him the unparalleled computing power to uncover hundreds of usernames -- real usernames! He immediately used his superpower (Ctrl + F) to find his two victims amongst the sea of innocent users.

And suddenly, just like that, they were within his grasp. Their data were within his grasp. Their very souls were within his grasp!

He now had their usernames, passwords, email, and 2fa secret keys. With determination even he did not know he had, he donned his V mask and cracked his fingers. It was time to get to work.
Silicon Vampire Dec 12, 2022 @ 5:27pm 
Originally posted by MagicMight:


MegaBullshit...


That would be funny if not so sad. I hope you don't actually believe that "B" movie script?
Last edited by Silicon Vampire; Dec 12, 2022 @ 5:28pm
davidb11 Dec 12, 2022 @ 5:30pm 
Originally posted by Silicon Vampire:
Originally posted by MagicMight:


MegaBullshit...


That would be funny if not so sad. I hope you don't actually believe that "B" movie script?

I am pretty sure he was joking.
Or trying for comedy.
But I could be wrong.
MagicMight Dec 12, 2022 @ 6:28pm 
Nonono. Guys, I promise. This is what goes on in the background every time someone is hacked here. And the hacker responsible for this calamity is always in a basement, or at the very least a subterranean structure. Otherwise it makes no sense.

Originally posted by Silicon Vampire:
I hope you don't actually believe that "B" movie script?

...And how do you get off calling that a B rated script? It is at the very least an A-. Shame on you.

Date Posted: Apr 23, 2022 @ 6:41pm
Posts: 18