si rol Mar 16, 2023 @ 4:43pm
Someone sold my ALL MARKETABLE items
A few hours ago, I still have around 10 dollars in my Steam Wallet. After playing R6 Siege, I noticed that my wallet is reduced to around a few cents.

I checked my email and saw that I "successfully sold" items in my Dota 2 Account. Items got sold starting at 7:54 am. ALL Items were sold at 8:18 am. The items sold were EVERYTHING that was marketable. So basically everything besides the recent TI Immortals. They then proceeded to buy some dumb skins worth 20$ or so with the amount accumulated because of the items sold.

I was shocked by how this happened. No Email regarding log ins. I have my steam guard up so every time I log in, I need to get a code in my email. I checked my email; there wasn't any email giving a code for logging in. I'm utterly confused about how someone was able to list all my items.

I would guess a bot did it, because it did 89 transactions within that span of time. Now I'm wondering, how was someone able to list all my items and sell them? Considering I didn't get any emails regarding a code for logging in, I would guess no one logged in. Is my laptop being remotely accessed? I'm not sure. I recently reformatted my computer, not sure why this is happening. I had a look at my SteamLoginHistory and there wasn't any usage outside of my state.

I also always use my laptop. And I only play on one laptop. I have a steam deck but I rarely use it. I don't get it. How did someone list all my items? Remote access to my pc is the only thing I can think of. I also have an Antivirus if that helps.

Any thoughts or theories on this?
Last edited by si rol; Mar 16, 2023 @ 4:46pm
Jerry Mar 16, 2023 @ 4:50pm 
You have been hijacked after entering your login into a malicious website at some point in the past. Your stuff is gone for good, Valve does not reverse trades, even criminal ones.

Do all of these steps:

Deauthorize all devices https://store.steampowered.com/twofactor/manage
Change your password on a secure device.
Generate new back up codes. https://store.steampowered.com/twofactor/manage
Revoke the api key https://steamcommunity.com/dev/apikey
Check that the email and phone number on the steam account is still yours.

Afterwards report the accounts, that you had transactions with.

In the future, do not do Steam logins on other websites. Instead do a browser login on the website of Steam (store.steampowered - bookmark it to avoid copycats). Every website, that needs a Steam login, will recognise this and allow you to confirm your account.
If it still asks for your name and password, it is not a real Steam login.
mimizukari Mar 16, 2023 @ 4:50pm 
You should secure your account, deactivate any active API keys, enable two factor authentication, scan for malware and stop clicking on suspicious links. You either got phished or gave your API key away, and you only need API keys if you're an app developer.
Jerry Mar 16, 2023 @ 4:57pm 
A few words to add:
We get to see API hijackings depressingly often around here, multiple cases like yours every day for the past five to six years.

Someone, who sets up an API key (normally a tool to run web protocols) on your account, has a scary amount of control. On the less harmful side, they can manipulate your avatar and profile content (usually done as a scare tactic to make you think, you are about to be banned), kick your friends from your list, hide your game library from you...
The essential parts though, that have been heavily misused since the scheme first came up, are to cancel and create trades (using a sock puppet, that copies the profile of the intended trade partner) and more recently setting up low price sales (every sale under a dollar works without confirmation) and high price purchases.

Downright frustrating to read here on some days.
mimizukari Mar 16, 2023 @ 5:08pm 
Originally posted by Jerry:
A few words to add:
We get to see API hijackings depressingly often around here, multiple cases like yours every day for the past five to six years.

Someone, who sets up an API key (normally a tool to run web protocols) on your account, has a scary amount of control. On the less harmful side, they can manipulate your avatar and profile content (usually done as a scare tactic to make you think, you are about to be banned), kick your friends from your list, hide your game library from you...
The essential parts though, that have been heavily misused since the scheme first came up, are to cancel and create trades (using a sock puppet, that copies the profile of the intended trade partner) and more recently setting up low price sales (every sale under a dollar works without confirmation) and high price purchases.

Downright frustrating to read here on some days.
APIs have valid uses and people who use them legitimately benefit greatly, especially if you develop an app to have control over your account or if you're one of those bots on trading websites that utilizes it. I'm not sure why anyone would create an API key not knowing what it does and not searching for documentation on it, it's a good lesson to learn here because if you leak your business API key you might be out of a job AND sued and much worse especially if your business API key was under a project you have an NDA on.
Last edited by mimizukari; Mar 16, 2023 @ 5:08pm
si rol Mar 16, 2023 @ 6:08pm 
Originally posted by Jerry:
A few words to add:
We get to see API hijackings depressingly often around here, multiple cases like yours every day for the past five to six years.

Someone, who sets up an API key (normally a tool to run web protocols) on your account, has a scary amount of control. On the less harmful side, they can manipulate your avatar and profile content (usually done as a scare tactic to make you think, you are about to be banned), kick your friends from your list, hide your game library from you...
The essential parts though, that have been heavily misused since the scheme first came up, are to cancel and create trades (using a sock puppet, that copies the profile of the intended trade partner) and more recently setting up low price sales (every sale under a dollar works without confirmation) and high price purchases.

Downright frustrating to read here on some days.

Slr, I had a look and it seems that I didn't create an API Key for my Steam account.

Did some full scans too.

Are there other ways this could've been done?
Last edited by si rol; Mar 16, 2023 @ 6:10pm
mimizukari Mar 16, 2023 @ 6:12pm 
Originally posted by si rol:
Originally posted by Jerry:
A few words to add:
We get to see API hijackings depressingly often around here, multiple cases like yours every day for the past five to six years.

Someone, who sets up an API key (normally a tool to run web protocols) on your account, has a scary amount of control. On the less harmful side, they can manipulate your avatar and profile content (usually done as a scare tactic to make you think, you are about to be banned), kick your friends from your list, hide your game library from you...
The essential parts though, that have been heavily misused since the scheme first came up, are to cancel and create trades (using a sock puppet, that copies the profile of the intended trade partner) and more recently setting up low price sales (every sale under a dollar works without confirmation) and high price purchases.

Downright frustrating to read here on some days.

Slr, I had a look and it seems that I didn't create an API Key for my Steam account.

Did some full scans too.

Are there other ways this could've been done?
you got phished by logging into a fake website that emulated the look of Steam.
si rol Mar 16, 2023 @ 6:30pm 
Originally posted by ロザリンド:
Originally posted by si rol:

Slr, I had a look and it seems that I didn't create an API Key for my Steam account.

Did some full scans too.

Are there other ways this could've been done?
you got phished by logging into a fake website that emulated the look of Steam.

That would mean for them to log it in, they would have to get a code though from my email.
There weren't any such emails before the transaction activity.
Last edited by si rol; Mar 16, 2023 @ 6:31pm
Teksura Mar 16, 2023 @ 6:33pm 
Originally posted by si rol:
Originally posted by ロザリンド:
you got phished by logging into a fake website that emulated the look of Steam.

That would mean for them to log it in, they would have to get a code though from my email
And you provided them with that code when you went to log in through their fake website.
Bee🐝 Mar 16, 2023 @ 6:57pm 
OP, it’s important to know that if you have EVER used ANY third-party trade or gambling site, you placed your account at risk. Note when does not matter - hijackings are delayed - sometimes for months. It’s done to remove suspicion from the guilty party.

And it doesn’t matter if a Streamer, YouTuber or influencer promoted a site, they’re dodgy as hell and usually paid off by scam sites to knowingly advertise their scummy product.

Along with what everyone else has mentioned, there’s also a possibility that you were asked to “vote” for someone’s team. You would’ve logged into a dummy Steam page and they would’ve captured all your login data.

Note, it’s impossible for someone to hack Steam or guess your randomly generated, extremely time-sensitive code.
Last edited by Bee🐝; Mar 16, 2023 @ 7:00pm
Originally posted by ロザリンド:
Originally posted by si rol:

Slr, I had a look and it seems that I didn't create an API Key for my Steam account.

Did some full scans too.

Are there other ways this could've been done?
you got phished by logging into a fake website that emulated the look of Steam.


So it's impossible to get back the money that I have lost without me even approving it to sell in the market? I had 109 transactions and lost all my money inside
mimizukari Mar 16, 2023 @ 8:47pm 
Originally posted by 𝓶𝓲𝓴𝓮𝔂:
Originally posted by ロザリンド:
you got phished by logging into a fake website that emulated the look of Steam.


So it's impossible to get back the money that I have lost without me even approving it to sell in the market? I had 109 transactions and lost all my money inside
If you got scammed too, then yes, it's impossible to get your money/items back, as you're supposed to secure your account against threats.
As you use email auth, the cases where you needed a code from email should be rare.
That's why you can help us in the forum, finding if there is anything out of the expected.

Remember back, thoroughly, did you use a code from email for anything that was not "got to by you and your bookmarks"?

Your Steam program first login, 1 code. Done.
Maybe with browser the Steam homepage, you got to ON YOUR OWN, without any link or button.
That's it.

OR
Was there anything that does not fit this? Remember back. This can be important information. As I have seen this appearing a little bit too often lately. It is important that you make sure what you say is definitely the reality.
Teksura Mar 16, 2023 @ 9:01pm 
You and only you are solely responsible for your account and what happens on it. When you give someone else access to your account, you are essentially authorizing them to do whatever they like with that access. It is your responsibility to not give other people access to your account. It is your responsibility to not post your secure login info to these shady third party scam sites. No site should ever need your login info.

If any website ever asks you to log in through Steam and then asks for a password, do the following:

1: Close that tab.
2: Open a new tab.
3: Head to Google, and search for Steam. Use that to visit the real Steam website. Optionally, use a bookmark you've previously saved, or type in Steam's web address https://store.steampowered.com
4: Are you already logged in? If not, log in and proceed to step 5. If you are already logged in, proceed to step
5: Return to the website that wanted you to log in through Steam.
6: After clicking their button, have a look and see if it asks for a password now.
7: If it does not, congratulations, you can log in using the big green button.
8: If you have confirmed that the legitimate Steam website knows you are logged in and yet the page you are looking at is unaware of this thing that Steam knows, that is not Steam asking you to provide your login information. Leave that shady website and never look back.
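
The steps above come down to which host is actually asking for the password. As an added example (not part of any post in this thread, and not Valve's code), the function below compares an address against the two Steam hostnames linked in the thread; the function name, the allowlist and the sample addresses are assumptions constructed for illustration.

```javascript
// Added example: exact-host check for a "Sign in through Steam" address.
// The allowlist holds only the Steam hostnames that appear in this thread.
const STEAM_HOSTS = new Set(["store.steampowered.com", "steamcommunity.com"]);

function checkSteamLoginUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser: lowercases and IDNA-encodes the host
  } catch (err) {
    return { ok: false, reason: "not a parseable URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  // In "https://store.steampowered.com@example.net/" the familiar name is only
  // the userinfo part; the browser connects to example.net.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "text before @ is not the host" };
  }
  const host = url.hostname.replace(/\.$/, ""); // ignore a trailing root dot
  // Non-ASCII lookalike letters surface as punycode ("xn--") labels.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "punycode label in host" };
  }
  // Exact match only: "steamcommunity.com.example.net" must not pass, which a
  // substring or startsWith test would let through.
  if (!STEAM_HOSTS.has(host)) {
    return { ok: false, reason: "host not on allowlist" };
  }
  return { ok: true, reason: "exact Steam host" };
}

// Constructed sample addresses (example.net is a placeholder domain).
const SAMPLES = [
  "https://store.steampowered.com/login/",
  "https://steamcommunity.com.example.net/login/",
  "https://store.steampowered.com@example.net/login/",
  "https://st\u0435amcommunity.com/login/", // U+0435 (Cyrillic) replaces Latin "e"
  "http://steamcommunity.com/login/",
];
for (const s of SAMPLES) {
  const r = checkSteamLoginUrl(s);
  console.log(`${r.ok ? "OK  " : "FAIL"} ${r.reason.padEnd(30)} ${s}`);
}
```
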
It's more difficult to hand over an email code. You get told where it's "from", and that a new device gets confirmed.
And it's not an all day situation.
It makes you think when using the code.

So
a) the user doesn't care
or
b) there is something wrong.

Date Posted: Mar 16, 2023 @ 4:43pm
Posts: 14