You should be safe after you did what you did
Did you make sure it was your real friend that sent the message (they could have already been compromised and it was the hijacker that messaged you)

I dont know what file that should be,
but he just needed a file from steam to repair something. Not from soneone else.

So this doesnt make sense. And looks very suspicious.

What was the path in the steam folder of that file?

I see that is how they get your account name from loginusers.vdf

Originally posted by Muppet among Puppets:

What was the path in the steam folder of that file?

\Steam\config

Originally posted by Wynters:

I see that is how they get your account name from loginusers.vdf

All account names.

-
I suggest to be carefull in the future to not give anything away anymore, nothing. Could be a follow up that in combination would do more than the single thing it appears to be.
And not trust emails even if they contain account name.

I would report your friend's account as compromised. If it's an IRL friend, confront them directly to see if it was actually them.

There is nothing in config.vdf that would help with the issue described. Config.vdf contains the following potentially sensitive information:

• The filename and location of the sentry files for all Steam accounts used on your client
  
• The account names for all accounts used on your client
  
• The decryption keys for the installers of every game you've ever downloaded (I can't believe these are plaintext, even on a local file)
  
• And a number of other sundry configuration keys

The first two could be used in the future as an attempt to scam you, via appearing like someone communicating with you has private information about your account and PC (technically, now, they do). The third can be used to decrypt Steam game installers. The fourth includes a ton of normally innocuous fields, but could give a scammer an edge in acting like they know about your account and PC.

Going forward, be extra wary of anybody contacting you via Steam, Discord, or any method other than via Steam Support's ticket system; Valve will never contact you outside of official e-mails and the ticket system, and you should even be extra sure of any e-mails as now scammers can tailor extra-realistic fakes for you and e-mail addresses aren't exactly private. There's nothing in the file (aside from the decryption keys) that they can actively use against you, but they CAN try to appear extra legit in future scam attempts and they CAN use your account name to login-bomb you (keep attempting to log in to try to lock you out of login attempts).

Never give away a Steam .vdf file.

Originally posted by Carlos100:

You should be safe after you did what you did
Did you make sure it was your real friend that sent the message (they could have already been compromised and it was the hijacker that messaged you)

I mean I’m from Europe, and that friend was writing in my language, in his usual speaking manner, so I didn’t notice anything suspicious. Maybe his account was compromised. Thanks!

Originally posted by Muppet among Puppets:

Originally posted by Wynters:

I see that is how they get your account name from loginusers.vdf

All account names.

-
I suggest to be carefull in the future to not give anything away anymore, nothing. Could be a follow up that in combination would do more than the single thing it appears to be.
And not trust emails even if they contain account name.

Yeah, since now if I’m going to do something related to sending a file, i’m going to scan the entirety of it. I can’t imagine how I could get phished. Things happen

Originally posted by Azure Fang:

I would report your friend's account as compromised. If it's an IRL friend, confront them directly to see if it was actually them.

There is nothing in config.vdf that would help with the issue described. Config.vdf contains the following potentially sensitive information:

• The filename and location of the sentry files for all Steam accounts used on your client
  
• The account names for all accounts used on your client
  
• The decryption keys for the installers of every game you've ever downloaded (I can't believe these are plaintext, even on a local file)
  
• And a number of other sundry configuration keys

The first two could be used in the future as an attempt to scam you, via appearing like someone communicating with you has private information about your account and PC (technically, now, they do). The third can be used to decrypt Steam game installers. The fourth includes a ton of normally innocuous fields, but could give a scammer an edge in acting like they know about your account and PC.

Going forward, be extra wary of anybody contacting you via Steam, Discord, or any method other than via Steam Support's ticket system; Valve will never contact you outside of official e-mails and the ticket system, and you should even be extra sure of any e-mails as now scammers can tailor extra-realistic fakes for you and e-mail addresses aren't exactly private. There's nothing in the file (aside from the decryption keys) that they can actively use against you, but they CAN try to appear extra legit in future scam attempts and they CAN use your account name to login-bomb you (keep attempting to log in to try to lock you out of login attempts).

Never give away a Steam .vdf file.

I myself was surprised to see decryption keys in that file, but I mean those files are supposed to be not touched. Yeah, valve could care a bit more, but if you don’t ♥♥♥♥ around, you don’t find out.