Hk Mar 27, 2023 @ 4:48pm
Help someone tried to log into my steam account
As the title says, I need help dealing with this situation, I already changed the password but I wanted to know if there is anything else I should do, and just for context what happened was that I had to format my cell phone because after I made a system update, my cell phone password didn't work anymore, so I decided to format it, but after formatting and installing all the apps when I went to log in to the steam app, I needed the authenticator, but the authenticator was on the same cell phone that I formatted, so I did the migration process from the authenticator to the cell phone, but after I was able to log in to the authenticator, a message appeared saying that someone in Santos BR was trying to log into my account and I don't even live in Santos BR, so if anyone can help me understand how the person got my information and what should I do to prevent that from happening again I will be very grateful

TLuv Mar 27, 2023 @ 4:51pm 
as long as you have 2fa you should be fine with people trying to access your account as they would need the steam guard code
Joke Mar 27, 2023 @ 4:58pm 
Have you visited any website that asked you to use your steam account to login?
* Trading site
* Skin gambling site
* Free giveaway (games, skins, etc.)
* Someone asked you to "vote for me/my team"
* Someone asked you to join a team, with a team website.
* etc.

Or have you used your steam account on an internet cafe, computer club or any other computer you have no control over?
Hk Mar 27, 2023 @ 5:06pm 
Originally posted by tlins:
as long as you have 2fa you should be fine with people trying to access your account as they would need the steam guard code
but how did the guy get my info, i can't think of how he managed that, cause i formatted my pc and my router like 2 weeks ago so there is no way my computer or my router have malware and i formatted my phone today like how did he get my id and password
Hk Mar 27, 2023 @ 5:34pm 
Originally posted by Joke:
Have you visited any website that asked you to use your steam account to login?
* Trading site
* Skin gambling site
* Free giveaway (games, skins, etc.)
* Someone asked you to "vote for me/my team"
* Someone asked you to join a team, with a team website.
* etc.

Or have you used your steam account on an internet cafe, computer club or any other computer you have no control over?

no i didn't visit anything remotely like that

* i never used a trading site
* i never used any type of skin site
* i don't enter giveaways
* no one asked me to vote anywhere
* no, i didn't join any team website

and i never log into my steam acc on public or friends' pcs, and like i just formatted my pc like 2 weeks ago and i formatted my router as well on the same day, so i don't understand how that happened. and like do you think i should change my passwords for other things like my emails and stuff?
Bee🐝 Mar 27, 2023 @ 5:42pm 
Originally posted by Hk:
Originally posted by Joke:
Have you visited any website that asked you to use your steam account to login?
* Trading site
* Skin gambling site
* Free giveaway (games, skins, etc.)
* Someone asked you to "vote for me/my team"
* Someone asked you to join a team, with a team website.
* etc.

Or have you used your steam account on an internet cafe, computer club or any other computer you have no control over?

no i didn't visit anything remotely like that

* i never used a trading site
* i never used any type of skin site
* i don't enter giveaways
* no one asked me to vote anywhere
* no, i didn't join any team website

and i never log into my steam acc on public or friends' pcs, and like i just formatted my pc like 2 weeks ago and i formatted my router as well on the same day, so i don't understand how that happened. and like do you think i should change my passwords for other things like my emails and stuff?
Just so we’re clear, because this throws people off, it doesn’t matter when the account was compromised - hijackers can sit on accounts for months before trying to access it.

Your account could’ve been shadow hijacked for ages without you knowing.
Last edited by Bee🐝; Mar 27, 2023 @ 5:43pm
Hk Mar 27, 2023 @ 6:07pm 
Originally posted by Bee🐝:
Originally posted by Hk:

no i didn't visit anything remotely like that

* i never used a trading site
* i never used any type of skin site
* i don't enter giveaways
* no one asked me to vote anywhere
* no, i didn't join any team website

and i never log into my steam acc on public or friends' pcs, and like i just formatted my pc like 2 weeks ago and i formatted my router as well on the same day, so i don't understand how that happened. and like do you think i should change my passwords for other things like my emails and stuff?
Just so we’re clear, because this throws people off, it doesn’t matter when the account was compromised - hijackers can sit on accounts for months before trying to access it.

Your account could’ve been shadow hijacked for ages without you knowing.
but how did he hijack my acc, every two months i format my pc and the router, i never download anything that isn't 100% safe and i have authenticators for my gmail, my main email and my steam acc, and i never received any notification that someone tried to access my emails or steam acc, this is the first time this happened to me and i don't use any underground sketchy sites, what do you think i should do? do i change my email passwords, they apparently are safe and stuff but after this steam hijack attempt i am a little bit paranoid
Bee🐝 Mar 27, 2023 @ 6:26pm 
Originally posted by Hk:
Originally posted by Bee🐝:
Just so we’re clear, because this throws people off, it doesn’t matter when the account was compromised - hijackers can sit on accounts for months before trying to access it.

Your account could’ve been shadow hijacked for ages without you knowing.
but how did he hijack my acc, every two months i format my pc and the router, i never download anything that isn't 100% safe and i have authenticators for my gmail, my main email and my steam acc, and i never received any notification that someone tried to access my emails or steam acc, this is the first time this happened to me and i don't use any underground sketchy sites, what do you think i should do? do i change my email passwords, they apparently are safe and stuff but after this steam hijack attempt i am a little bit paranoid
There’s so many ways to be phished, it’s difficult to say.

For example, a lot of “legit” sites advertised by popular YouTubers, Streamers and Influencers are total scams - those people knowingly take money from scammers who feed on their fan base.

Anyway, for now? Do the basics, change passwords, generate new 2FA backup codes, revoke all devices, virus scan and revoke any Steam API key.
Last edited by Bee🐝; Mar 27, 2023 @ 6:27pm
Hk Mar 27, 2023 @ 6:27pm 
Originally posted by Joke:
Have you visited any website that asked you to use your steam account to login?
* Trading site
* Skin gambling site
* Free giveaway (games, skins, etc.)
* Someone asked you to "vote for me/my team"
* Someone asked you to join a team, with a team website.
* etc.

Or have you used your steam account on an internet cafe, computer club or any other computer you have no control over?
but like can this situation happen just by someone visiting a bad site, like just by you accessing a site, someone could get your id and passwords?
Hk Mar 27, 2023 @ 6:40pm 
Originally posted by Bee🐝:
Originally posted by Hk:
but how did he hijack my acc, every two months i format my pc and the router, i never download anything that isn't 100% safe and i have authenticators for my gmail, my main email and my steam acc, and i never received any notification that someone tried to access my emails or steam acc, this is the first time this happened to me and i don't use any underground sketchy sites, what do you think i should do? do i change my email passwords, they apparently are safe and stuff but after this steam hijack attempt i am a little bit paranoid
There’s so many ways to be phished, it’s difficult to say.

For example, a lot of “legit” sites advertised by popular YouTubers, Streamers and Influencers are total scams - those people knowingly take money from scammers who feed on their fan base.

Anyway, for now? Do the basics, change passwords, generate new 2FA backup codes, revoke all devices, virus scan and revoke any Steam API key.
but can i get hijacked like that just by accessing a site? so i change all my email passwords and generate new 2fa backup codes and after that will my accs be safe?
Last edited by Hk; Mar 27, 2023 @ 6:45pm
Havok Mar 27, 2023 @ 7:06pm 
Originally posted by Hk:
Originally posted by Bee🐝:
There’s so many ways to be phished, it’s difficult to say.

For example, a lot of “legit” sites advertised by popular YouTubers, Streamers and Influencers are total scams - those people knowingly take money from scammers who feed on their fan base.

Anyway, for now? Do the basics, change passwords, generate new 2FA backup codes, revoke all devices, virus scan and revoke any Steam API key.
but can i get hijacked like that just by accessing a site? so i change all my email passwords and generate new 2fa backup codes and after that will my accs be safe?

You get hijacked by logging into their site and supplying your credentials. The “sign into steam” is not actually a redirect to the steam login page, so you sign in, and poof you gave them your credentials.

Whether they sit on it or not doesn’t matter. They could immediately get your account, load money and buy dirt cheap stuff for super high to their account, whatever.

Unless it is the steam main page, don’t enter your credentials anywhere.

If your email isn’t compromised, change password from a clean computer, generate new backup codes, make sure your MFA is up to date and avoid shady links.

Literally the only place you want to sign into steam is on steam. I get it, people want to sell their skins for liquid cash, but guess what, it isn’t worth it.
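
The point made in the post above (a fake "sign into steam" page is not served from Steam's own host) can be checked mechanically. This is an added example, not part of the original post or any Steam tooling: the trusted-host list is an assumption built from the two Steam hosts linked in this thread, and every sample URL is constructed on reserved `.example` names.

```python
from urllib.parse import urlsplit

# Assumption: illustrative allowlist taken from the Steam links in this thread,
# not an official list published by Valve.
TRUSTED_HOSTS = frozenset({"store.steampowered.com", "steamcommunity.com"})

NOT_HTTPS = "not https"
NO_HOST = "no host / unparseable URL"
USERINFO = "text before '@' is not the host"
IDN = "internationalised host name (lookalike characters possible)"
BAD_PORT = "unexpected port"
UNTRUSTED = "host is not an exact match for a trusted host"
OK = "exact match on trusted host"


def check_login_url(url):
    """Decide whether the address-bar URL of a login page is a trusted host.

    Returns (ok, reason). Matching is on the full host name, never on a
    substring, so 'steamcommunity.com.<anything>' does not pass.
    """
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname          # lower-cased, userinfo and port removed
        port = parts.port              # raises ValueError on a malformed port
    except ValueError:
        return False, NO_HOST
    if parts.scheme != "https":
        return False, NOT_HTTPS
    if not host:
        return False, NO_HOST
    if parts.username is not None or parts.password is not None:
        return False, USERINFO
    host = host.rstrip(".")
    # Non-ASCII or punycode labels can render like ASCII letters in a browser.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, IDN
    if port not in (None, 443):
        return False, BAD_PORT
    if host not in TRUSTED_HOSTS:
        return False, UNTRUSTED
    return True, OK


# Constructed sample URLs (reserved .example names, not real sites).
SAMPLES = [
    "https://steamcommunity.com/login/home/",
    "https://store.steampowered.com/twofactor/manage",
    "https://steamcommunity.com.login.example/openid",    # trusted name as a prefix
    "https://steamcommunity.com@login.example/openid",    # trusted name as userinfo
    "http://steamcommunity.com/login/home/",              # plain http
    "https://ste\u0430mcommunity.com/login/home/",        # Cyrillic 'a' in the host
    "https://xn--steamcommunity-abc.example/login",       # punycode label
]


def audit(urls):
    """Map each URL to its (ok, reason) verdict."""
    return {u: check_login_url(u) for u in urls}


if __name__ == "__main__":
    for url, (ok, reason) in audit(SAMPLES).items():
        print("OK   " if ok else "BLOCK", ascii(url), "->", reason)
```
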
Hk Mar 27, 2023 @ 7:33pm 
Originally posted by Havok:
Originally posted by Hk:
but can i get hijacked like that just by accessing a site? so i change all my email passwords and generate new 2fa backup codes and after that will my accs be safe?

You get hijacked by logging into their site and supplying your credentials. The “sign into steam” is not actually a redirect to the steam login page, so you sign in, and poof you gave them your credentials.

Whether they sit on it or not doesn’t matter. They could immediately get your account, load money and buy dirt cheap stuff for super high to their account, whatever.

Unless it is the steam main page, don’t enter your credentials anywhere.

If your email isn’t compromised, change password from a clean computer, generate new backup codes, make sure your MFA is up to date and avoid shady links.

Literally the only place you want to sign into steam is on steam. I get it, people want to sell their skins for liquid cash, but guess what, it isn’t worth it.
but i never bought anything outside steam and i never log in to any shady sites nor gave any type of credentials. so the best course of action is changing all my email passwords and generating new backup codes? and what is an MFA? and i got a bit paranoid, do you think i should format my pc again, cause like i formatted it 2 weeks ago and the only things that i have downloaded are steam, avast one antivirus, krita, geforce experience and some google drive files, but those google drive files are just photoshop drawings that i did
Last edited by Hk; Mar 27, 2023 @ 7:34pm
Havok Mar 27, 2023 @ 7:52pm 
Originally posted by Hk:
Originally posted by Havok:

You get hijacked by logging into their site and supplying your credentials. The “sign into steam” is not actually a redirect to the steam login page, so you sign in, and poof you gave them your credentials.

Whether they sit on it or not doesn’t matter. They could immediately get your account, load money and buy dirt cheap stuff for super high to their account, whatever.

Unless it is the steam main page, don’t enter your credentials anywhere.

If your email isn’t compromised, change password from a clean computer, generate new backup codes, make sure your MFA is up to date and avoid shady links.

Literally the only place you want to sign into steam is on steam. I get it, people want to sell their skins for liquid cash, but guess what, it isn’t worth it.
but i never bought anything outside steam and i never log in to any shady sites nor gave any type of credentials. so the best course of action is changing all my email passwords and generating new backup codes, and what is an MFA? and i got a bit paranoid, do you think i should format my pc again, cause like i formatted it 2 weeks ago and the only things that i have downloaded are steam, avast one antivirus, krita, geforce experience and some google drive files, but those google drive files are just photoshop drawings that i did

No, you don’t need to format it again.

MFA - Multi Factor Authentication (steam guard)

As for how, there are only a few ways I can think of that this occurred.

1 being they brute forced their way in. If they have your password somehow, via password cracker, it won’t do them any good without your guard code. Change pass, and you’re set. Though that would only happen if somehow you gave away your login id.

1 being you downloaded something, anything and you got a keylogger. Could be from a friend sending you a file, torrented game, suspicious executable or other file downloaded from a shady place. It’s not unheard of for servers to host malware. FiveM has a few of those servers, conan exiles has those servers. If you have malware bytes up on trial and load conan server browser, a few RTPs come back as Trojans, and their IPs are super high risk on IP lookups as they are known malshare ips.

1 being you got phished for your account somewhere along the lines and don’t remember it.

Anyway,

Change your password from a device that isn’t your pc if you can. Formatting a drive doesn’t always remove malware. I remember years ago I downloaded something and had no idea what I was doing with internet safety at like 10 years old. The PC got RAT’d. Formatted drive, and what do you know, it was still there. Had to trash the drive and get a new one.

So, if this happens again after the change from a clean device, your pc is still infected. If that is the case, I recommend the following courses of action.

1. Download RKill
https://www.bleepingcomputer.com/download/rkill/


RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies that stop us from using certain tools. When finished it will display a log file that shows the processes that were terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again. Instead, after running RKill you should immediately scan your computer using some sort of anti-malware or anti-virus program so that the infections can be properly removed.

RKill will show as a virus, have no fears, it will stop known malware processes.

2. Download SuperAntiSpyware
https://www.superantispyware.com/free-edition.html

And run a “Maximum Boost Rescue Scan” then “High Boost Critical Point Scan” then “High boost full system scan” and make sure any malware is done.

3. Download CCleaner
https://www.ccleaner.com/

And clean up your system a bit, not like it will find much, since you just did a reset. But good tool for removing trackers.

4. Ensure your Windows Security Updates are good and you have the latest KB

5. Download Malwarebytes
https://www.malwarebytes.com/

And get rid of avast.

Optional:
6. Use the MS Safety Scanner:
https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/safety-scanner-download?view=o365-worldwide

7. Get process explorer:
https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer

And familiarize yourself with what processes are running on your computer and regularly check them against Virustotal

Advanced:

8. Get autoruns
https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns

And understand exactly what is launching on your computer behind the scenes when you boot.
Hk Mar 27, 2023 @ 8:07pm 
Originally posted by Havok:
Originally posted by Hk:
but i never bought anything outside steam and i never log in to any shady sites nor gave any type of credentials. so the best course of action is changing all my email passwords and generating new backup codes, and what is an MFA? and i got a bit paranoid, do you think i should format my pc again, cause like i formatted it 2 weeks ago and the only things that i have downloaded are steam, avast one antivirus, krita, geforce experience and some google drive files, but those google drive files are just photoshop drawings that i did

No, you don’t need to format it again.

MFA - Multi Factor Authentication (steam guard)

As for how, there are only a few ways I can think of that this occurred.

1 being they brute forced their way in. If they have your password somehow, via password cracker, it won’t do them any good without your guard code. Change pass, and you’re set. Though that would only happen if somehow you gave away your login id.

1 being you downloaded something, anything and you got a keylogger. Could be from a friend sending you a file, torrented game, suspicious executable or other file downloaded from a shady place. It’s not unheard of for servers to host malware. FiveM has a few of those servers, conan exiles has those servers. If you have malware bytes up on trial and load conan server browser, a few RTPs come back as Trojans, and their IPs are super high risk on IP lookups as they are known malshare ips.

1 being you got phished for your account somewhere along the lines and don’t remember it.

Anyway,

Change your password from a device that isn’t your pc if you can. Formatting a drive doesn’t always remove malware. I remember years ago I downloaded something and had no idea what I was doing with internet safety at like 10 years old. The PC got RAT’d. Formatted drive, and what do you know, it was still there. Had to trash the drive and get a new one.

So, if this happens again after the change from a clean device, your pc is still infected. If that is the case, I recommend the following courses of action.

1. Download RKill
https://www.bleepingcomputer.com/download/rkill/


RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies that stop us from using certain tools. When finished it will display a log file that shows the processes that were terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again. Instead, after running RKill you should immediately scan your computer using some sort of anti-malware or anti-virus program so that the infections can be properly removed.

RKill will show as a virus, have no fears, it will stop known malware processes.

2. Download SuperAntiSpyware
https://www.superantispyware.com/free-edition.html

And run a “Maximum Boost Rescue Scan” then “High Boost Critical Point Scan” then “High boost full system scan” and make sure any malware is done.

3. Download CCleaner
https://www.ccleaner.com/

And clean up your system a bit, not like it will find much, since you just did a reset. But good tool for removing trackers.

4. Ensure your Windows Security Updates are good and you have the latest KB

5. Download Malwarebytes
https://www.malwarebytes.com/

And get rid of avast.

Optional:
6. Use the MS Safety Scanner:
https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/safety-scanner-download?view=o365-worldwide

7. Get process explorer:
https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer

And familiarize yourself with what processes are running on your computer and regularly check them against Virustotal

Advanced:

8. Get autoruns
https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns

And understand exactly what is launching on your computer behind the scenes when you boot.
thank you so much for the help i will begin doing what you said, you saved my ass thanks a lot. and if i change my passwords through my phone is that a good idea or not? cause i don't have a second pc available right now? but tomorrow i could use someone else's pc to do that
Last edited by Hk; Mar 27, 2023 @ 8:13pm
Havok Mar 27, 2023 @ 8:16pm 
Originally posted by Hk:
Originally posted by Havok:

No, you don’t need to format it again.

MFA - Multi Factor Authentication (steam guard)

As for how, there are only a few ways I can think of that this occurred.

1 being they brute forced their way in. If they have your password somehow, via password cracker, it won’t do them any good without your guard code. Change pass, and you’re set. Though that would only happen if somehow you gave away your login id.

1 being you downloaded something, anything and you got a keylogger. Could be from a friend sending you a file, torrented game, suspicious executable or other file downloaded from a shady place. It’s not unheard of for servers to host malware. FiveM has a few of those servers, conan exiles has those servers. If you have malware bytes up on trial and load conan server browser, a few RTPs come back as Trojans, and their IPs are super high risk on IP lookups as they are known malshare ips.

1 being you got phished for your account somewhere along the lines and don’t remember it.

Anyway,

Change your password from a device that isn’t your pc if you can. Formatting a drive doesn’t always remove malware. I remember years ago I downloaded something and had no idea what I was doing with internet safety at like 10 years old. The PC got RAT’d. Formatted drive, and what do you know, it was still there. Had to trash the drive and get a new one.

So, if this happens again after the change from a clean device, your pc is still infected. If that is the case, I recommend the following courses of action.

1. Download RKill
https://www.bleepingcomputer.com/download/rkill/


RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies that stop us from using certain tools. When finished it will display a log file that shows the processes that were terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again. Instead, after running RKill you should immediately scan your computer using some sort of anti-malware or anti-virus program so that the infections can be properly removed.

RKill will show as a virus, have no fears, it will stop known malware processes.

2. Download SuperAntiSpyware
https://www.superantispyware.com/free-edition.html

And run a “Maximum Boost Rescue Scan” then “High Boost Critical Point Scan” then “High boost full system scan” and make sure any malware is done.

3. Download CCleaner
https://www.ccleaner.com/

And clean up your system a bit, not like it will find much, since you just did a reset. But good tool for removing trackers.

4. Ensure your Windows Security Updates are good and you have the latest KB

5. Download Malwarebytes
https://www.malwarebytes.com/

And get rid of avast.

Optional:
6. Use the MS Safety Scanner:
https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/safety-scanner-download?view=o365-worldwide

7. Get process explorer:
https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer

And familiarize yourself with what processes are running on your computer and regularly check them against Virustotal

Advanced:

8. Get autoruns
https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns

And understand exactly what is launching on your computer behind the scenes when you boot.
thank you so much for the help i will begin doing what you said, you saved my ass thanks a lot

Keep in mind, all of that is like, a bazooka to kill a fly. And that’s only if you think you’re still compromised and can only trace it back to the pc being infected. RKill and SAS if you are infected, should clear you safely if you are infected.

Even if it’s not, probably good to know how to use those.

I run a superantispyware run every day or every few days, look at autoruns every few days, and load process explorer when I login, after a few hours, and before I shut down, JUST TO CHECK. With process explorer, false flags do occur. Garboware across the globe picks it up. Give it a few hours if you see 1/70 on legitimate processes.

But all in all, changing password is the first step. If you change, enter it on your pc, and you still find these logon attempts, go step 1-5, and do 6 for your first time.

Past that, a healthy checkup on running processes, regular SAS and MBAM scans and you’re all set.

Edit: yea, change on phone is fine, make sure you do the proper steps to change password, login on pc with new pass and monitor. No more attempts, you’re safe. More attempts, run steps 1-7 and change password once you’re done, then you’re safe.

Forgot to mention this, surprised no one did.

Deauthorize all other devices https://store.steampowered.com/twofactor/manage

Generate new backup codes for your mobile app https://store.steampowered.com/twofactor/manage

Revoke the API key if you see any over there https://steamcommunity.com/dev/apikey
Last edited by Havok; Mar 27, 2023 @ 8:27pm
Hk Mar 27, 2023 @ 8:38pm 
Originally posted by Havok:
Originally posted by Hk:
thank you so much for the help i will begin doing what you said, you saved my ass thanks a lot

Keep in mind, all of that is like, a bazooka to kill a fly. And that’s only if you think you’re still compromised and can only trace it back to the pc being infected. RKill and SAS if you are infected, should clear you safely if you are infected.

Even if it’s not, probably good to know how to use those.

I run a superantispyware run every day or every few days, look at autoruns every few days, and load process explorer when I login, after a few hours, and before I shut down, JUST TO CHECK. With process explorer, false flags do occur. Garboware across the globe picks it up. Give it a few hours if you see 1/70 on legitimate processes.

But all in all, changing password is the first step. If you change, enter it on your pc, and you still find these logon attempts, go step 1-5, and do 6 for your first time.

Past that, a healthy checkup on running processes, regular SAS and MBAM scans and you’re all set.

Edit: yea, change on phone is fine, make sure you do the proper steps to change password, login on pc with new pass and monitor. No more attempts, you’re safe. More attempts, run steps 1-7 and change password once you’re done, then you’re safe.

Forgot to mention this, surprised no one did.

Deauthorize all other devices https://store.steampowered.com/twofactor/manage

Generate new backup codes for your mobile app https://store.steampowered.com/twofactor/manage

Revoke the API key if you see any over there https://steamcommunity.com/dev/apikey
thanks a lot, you reaaally helped me out i will begin right away

Date Posted: Mar 27, 2023 @ 4:48pm
Posts: 16