All Discussions > Steam Forums > Help and Tips > Topic Details
My account was logged into via mobile authenticator
I know how this forum tends to go, so let me get this out of the way:

  • I did not accept any friend requests
  • I did not log in to any suspicious external site
  • I'm well familiar with standard cyber security practices and procedures, and they've all been taken on my PC, and my mobile device.

With that being said... I obviously ♥♥♥♥♥♥ up somewhere, but where and how? The email just says "Authorized by: Steam Mobile Authenticator code", which is really surprising to me; I assume it would say something different if they didn't log in via any other means, right? So they managed to get my password, and somehow my 2 factor, which is on a new device that isn't associated with anything other than password securing; this is a security device. How does this happen?

While they were in my account they traded $800 worth of skins over to a loot.farm (which I've never used, for the record) bot, they got $800 worth of Rust items in the trade, and then traded those to an obvious private middle man account.

What amazes me is that both loot.farm and Steam have absolutely horrible support for seeing who's in your account and what they're doing. I obviously logged my Steam account out from everywhere, but they don't even show you where you're currently logged in, and even if you go check your login history, it updates once a day and only shows actions that happened over 24 hours ago. They had to buy premium on loot.farm to auction all of my skins, but I can't see my billing history or anything similar. This just really amazes me to see in 2024.

At the end of the day, I don't really expect to get my skins back. I mean it really sucks, but it is what it is. I just want some answers. What happened, how did it happen, and how can I prevent it from happening in the future?
Showing 1-15 of 32 comments
Accounts are PHISHED not hacked because the end user gave away all their account details. The account name, the password and the KEY to the door, the Steam Guard Mobile code giving them access to your account.

How? By either logging into a known scam site or sites, tailored malware on your PC, the vote for my team scam, the you have a pending ban scam on Discord, free knife click the link, etc.

How does Steam (a program) know it is not you when all the account details are correct? It doesn't.

The alternative is not plausible:

1) Someone would have to "GUESS" your account name from "millions of possible combinations".

2) Next they would have to "GUESS" your password from "millions of possible combinations" and then match it to your account name with "millions of possible combinations".

3) And finally they would have to "GUESS" the Steam Guard Mobile code "which changes every 30 seconds" to match both your account name and password to then have access to your account.


As for preventing it:

Do all the following NOW to secure your account.

1. Scan for malware https://www.malwarebytes.com/

2. Deauthorize all other devices https://store.steampowered.com/twofactor/manage

3. Change passwords from a clean computer

4. Generate new backup codes for your Mobile App https://store.steampowered.com/twofactor/manage

5. Revoke the API key at https://steamcommunity.com/dev/apikey (there should be NOTHING in the APIKEY)


"Only trade on Steam".


As a sidenote no advertising in your profile name.
Last edited by Nx Machina; Jan 4, 2024 @ 3:26am
Originally posted by Nx Machina:
Accounts are PHISHED not hacked because the end user gave away all their account details. The account name, the password and the KEY to the door, the Steam Guard Mobile code giving them access to your account.

How? by either logging into a known scam site or sites, tailored malware on your PC, the vote for my team scam, you have a pending ban scam on discord, free knife click the link etc.

Right, but I take a lot of security measures to make sure this doesn't happen. I know what links not to click, I know what phishing sites look like (I haven't logged in via user/pass anywhere anyways), etc. So how? Also, with the mobile authenticator code rotating, wouldn't they have had to get it when they logged in? Not beforehand when I supposedly did one of these actions? The login was seconds before the trade; they had not been in my account. There is no APIKEY, new backup codes are generated often, and so is the password.

Originally posted by Nx Machina:
As a sidenote no advertising in your profile name.
Uh sure I can change it, but is this a rule somewhere?
Originally posted by Kanin:
Right, but I take a lot of security measures to make sure this doesn't happen. I know what links to not click, I know what phishing sites look like (I haven't logged in via user/pass anywhere anyways), etc. So how? Also, with the mobile authenticator code rotating, wouldn't they have had to get it when they logged in? Not before hand when I supposedly did one of these actions? The log in was seconds before the trade, they had not been in my account. There is no APIKEY, new backup codes are generated often, and so is password.

Because as stated YOU gave away all your account details, or please explain how in 19+ years on Steam I have never lost access to my account, nor have I ever lost access to my Ubisoft, EA, GOG, Blizzard, Bank, Credit Card nor any other account.

Originally posted by Kanin:
Uh sure I can change it, but is this a rule somewhere?

https://help.steampowered.com/en/faqs/view/6862-8119-C23E-EA7B

You are "advertising" Twitch in your profile name as Twitch is a business.
Originally posted by Nx Machina:
Originally posted by Kanin:
Right, but I take a lot of security measures to make sure this doesn't happen. I know what links not to click, I know what phishing sites look like (I haven't logged in via user/pass anywhere anyways), etc. So how? Also, with the mobile authenticator code rotating, wouldn't they have had to get it when they logged in? Not beforehand when I supposedly did one of these actions? The login was seconds before the trade; they had not been in my account. There is no APIKEY, new backup codes are generated often, and so is the password.

Because as stated YOU gave away all your account details, or please explain how in 19+ years on Steam I have never lost access to my account, nor have I ever lost access to my Ubisoft, EA, GOG, Blizzard, Bank, Credit Card nor any other account.

Right, I'm asking how I did this, and how they used it to log in while I was sleeping at 3am. How did I give up my mobile authenticator code that expires in 30 seconds? For the record, I also have never lost access to any of my accounts; this is a first. Without even accepting a friend request, let alone clicking any links or logging in anywhere, how did I give up current, recently updated account info?

Originally posted by Nx Machina:
Originally posted by Kanin:
Uh sure I can change it, but is this a rule somewhere?

https://help.steampowered.com/en/faqs/view/6862-8119-C23E-EA7B

You are "advertising" Twitch in your profile name as Twitch is a business.

So this technically applies to every part of the profile? Or all "user generated content"?
Originally posted by Kanin:
...but where and how?

  • Have you been asked to vote for a team/tournament/pixel art?
  • Have you been asked to register for a tournament?
  • Have you used any third-party site for gambling or trading?
  • Have you logged in on a public device?
  • Have you entered any giveaways/giveaway groups?
  • Have you tried to claim any "free 50$ gift cards"?
  • Have you talked to an "admin" after being "accidentally reported"?
  • Does someone else use your PC or your account?
Last edited by Lilim; Jan 4, 2024 @ 3:54am
Originally posted by Kanin:
So this technically applies to every part of the profile? Or all "user generated content"?

You can put your twitch link on your profile.

Just don't put it in your name or post it on the forum.
Originally posted by Lilim:
Originally posted by Kanin:
...but where and how?

  • Have you been asked to vote for a team/tournament/pixel art?
  • Have you been asked to register for a tournament?
  • Have you used any third-party site for gambling or trading?
  • Have you logged in on a public device?
  • Have you entered any giveaways/giveaway groups?
  • Have you tried to claim any "free 50$ gift cards"?
  • Have you talked to an "admin" after being "accidentally reported"?
  • Does someone else use your PC or your account?

  • No
  • No
  • Yes, I sold my knife on a well known marketplace, but login there is via OAuth; surely they can't get mobile authenticator codes via OAuth login, right? That seems like a huge security vulnerability. Genuinely asking here.
  • No
  • No
  • No
  • No
  • No
Originally posted by Lilim:
Originally posted by Kanin:
So this technically applies to every part of the profile? Or all "user generated content"?

You can put your twitch link on your profile.

Just don't put it in your name or post it on the forum.
Gotcha, thanks
Originally posted by Kanin:
What amazes me is that both loot.farm...
So much for the 'I did not log in to any suspicious site'. That one is bloody notorious and could be a culprit. Somewhere along the line you leaked your credentials and the scammers struck whilst there was a payoff to be had. You could've been hijacked for months.

Use third party sites at your own risk and just because you've been using one for a while doesn't mean it's safe. We've already seen one person this year rinsed of $3,500 worth of items because a site he was using for 6 months finally stopped baiting and went in for the kill.

Do the steps provided in #1 and then only use your Steam credentials on Steam.
No, if they actually use OAuth it is fine.
If they faked using OAuth, you exposed your credentials to a hijacker.
Originally posted by J4MESOX4D:
Originally posted by Kanin:
What amazes me is that both loot.farm...
So much for the 'I did not log in to any suspicious site'. That one is bloody notorious and could be a culprit. Somewhere along the line you leaked your credentials and the scammers struck whilst there was a payoff to be had. You could've been hijacked for months.
As I said, I've never used that site; that's just the site the person used to sell my skins. They logged into my account seconds before selling my skins on that site, and authenticated via mobile authenticator. Could my account have been hijacked for months? How do they log in with an old mobile authenticator code?
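Added example to illustrate the rotating-code question raised in the post above (my own code, not anything posted in this thread): a 30-second TOTP code checked with the usual one-step tolerance window is accepted only seconds after it is captured, whereas whoever holds the shared secret itself can produce valid codes at any later time. The 5-character alphabet and HMAC-SHA1 derivation are assumed from public reimplementations of Steam Guard, not taken from this thread; the secret and timestamp are constructed.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30  # the thread's "changes every 30 seconds"
# 5-character alphabet of Steam-style codes, taken from public reimplementations
# of Steam Guard (assumption, not verified against Steam itself)
ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def steam_style_code(shared_secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) truncated to a 5-character Steam-style code."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)  # one step per 30 s
    mac = hmac.new(shared_secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation as in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    code = []
    for _ in range(5):
        code.append(ALPHABET[value % len(ALPHABET)])
        value //= len(ALPHABET)
    return "".join(code)


def verify_code(shared_secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side
    for clock drift. Outside that, a captured code is worthless."""
    for drift in range(-window, window + 1):
        candidate = steam_style_code(shared_secret, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# Constructed demo values: a made-up shared secret and a timestamp of
# 2024-01-04 03:17 UTC, aligned to a 30-second boundary.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-steam-secret"
T0 = 1_704_338_220


def captured_code_outcomes() -> dict:
    """How long one code read off the victim's phone stays usable, versus what
    someone holding the exported shared secret can do."""
    code_at_t0 = steam_style_code(DEMO_SECRET, T0)
    later = T0 + 30 * 86400  # thirty days on
    return {
        "relayed_within_seconds": verify_code(DEMO_SECRET, code_at_t0, T0 + 10),
        "used_two_windows_later": verify_code(DEMO_SECRET, code_at_t0, T0 + 2 * STEP_SECONDS),
        "used_an_hour_later": verify_code(DEMO_SECRET, code_at_t0, T0 + 3600),
        # With the secret itself (malware on the phone/PC), fresh codes can be made at
        # any time: hence "deauthorize all other devices", not just a new password.
        "from_leaked_secret": verify_code(DEMO_SECRET, steam_style_code(DEMO_SECRET, later), later),
    }
```

The first three results show why a code relayed in real time works while a stale one does not; the last shows why regenerating the authenticator matters when the secret, not just a code, may have leaked.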
Originally posted by Kanin:

  • Yes, I sold my knife on a well known marketplace, but login there is via OAuth; surely they can't get mobile authenticator codes via OAuth login, right? That seems like a huge security vulnerability. Genuinely asking here.

And that's how you gave away your login info.
Last edited by Bibo1; Jan 4, 2024 @ 3:59am
Originally posted by Cathulhu:
No, if they actually use OAuth it is fine.
If they faked using OAuth, you exposed your credentials to a hijacker.
I always verify it's real, for every site I use. As I said, I have never put my Steam username/pass anywhere other than Steam's verified domain.
Originally posted by Bibo1:
Originally posted by Kanin:

  • Yes, I sold my knife on a well known marketplace, but login there is via OAuth; surely they can't get mobile authenticator codes via OAuth login, right? That seems like a huge security vulnerability. Genuinely asking here.

And that's how you gave away your login info.
Explain: how do they get my login info via Steam OAuth?
How do you verify that?
Date Posted: Jan 4, 2024 @ 3:17am
Posts: 32