Install Steam
login
|
language
简体中文 (Simplified Chinese)
繁體中文 (Traditional Chinese)
日本語 (Japanese)
한국어 (Korean)
ไทย (Thai)
Български (Bulgarian)
Čeština (Czech)
Dansk (Danish)
Deutsch (German)
Español - España (Spanish - Spain)
Español - Latinoamérica (Spanish - Latin America)
Ελληνικά (Greek)
Français (French)
Italiano (Italian)
Bahasa Indonesia (Indonesian)
Magyar (Hungarian)
Nederlands (Dutch)
Norsk (Norwegian)
Polski (Polish)
Português (Portuguese - Portugal)
Português - Brasil (Portuguese - Brazil)
Română (Romanian)
Русский (Russian)
Suomi (Finnish)
Svenska (Swedish)
Türkçe (Turkish)
Tiếng Việt (Vietnamese)
Українська (Ukrainian)
Report a translation problem
The author of this topic has marked a post as the answer to their question.
Discussions Rules and Guidelines
Report this post
Do all the below to secure the account.
Scan for Malware/virus https://www.malwarebytes.com/mwb-download/
Deauthorize all devices https://store.steampowered.com/twofactor/manage
Change your Account password on a secure device, mobile phone for example.
Generate new back up codes https://store.steampowered.com/twofactor/manage
Revoke the API key https://steamcommunity.com/dev/apikey
You were phished
Because all that has nothing to do with the Api key. They can't generate an API without having access to the account. They are already inside your account hence why I said to do 4 other things besides revoking the API key.
Why would you?
They need access through your code exactly once. As soon as they got the API key installed, they can work remotely. Lately I've been suggesting, that there should be an external confirmation through mail or phone required when setting up an API, but I got my doubt, that this is the kind of thing, Steam would do.
From what we have witnessed here so far over the years, there's a bunch of things.
Manipulations to push you into making a mistake:
- Editing profile text, avatar and name
- Removing friends
- Hiding games
- Closing Support requests (they might remove this part eventually, as we have been able to rescue users, before they were harmed, by spotting this giveaway sign)
Pulling the hook in by:
- Canceling your trades, setting up new trades immediately
Or the simple bruteforced way:
- Setting up market sells and buys to empty your inventory and wallet in exchange for a single trash item (requires no user cooperation, but has a much higher risk to lead to account suspension before being able to cash out)
Finally, my favourite piece of advice, that I leave in every such thread:
Do never enter your Steam login details on other websites again. Instead, when a website (even if it seems to be a Steam profile or trade) asks for your Steam login, leave it, go to the main page of Steam (store.steampowered) and log in there. Then go back to the other website. A legitimate website now will show your account on the login page and will allow you to confirm it. A phishing page, that wants to put an API key on your account, will keep asking for your name and password.
Follow this bit, and you will avoid all API hijackings and at least 75% of all potential frauds in general on Steam.
My doubt would be even if Steam implemented that the phishers would just update their site to get it. Sites update could inform users to expect that confirmation, that is required to trade/gamble on the site, and users would simply provide the extra code making it worthless
That's WAAAAAAAAAAAAAAAAAAAAAAAYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY more off than confirming twice (once to log in, once to generate the key) and yet people were happily jumping onto phishers' knives!
You're putting too much faith into fools' ability to question what they're doing.
Not if you share a LIVE Guard code with a third party.