You exposed your login credentials:
a) Either by logging into a site that faked a Steam login and made a bot log into your account using the save password as well as the trust device feature while injecting a Steam API access into it.
b) Or by installing malware that stole your session data or injected a keylogger.
c) Or by using outdated login information that got exposed in a leak.

1. Scan for malware https://www.malwarebytes.com/
2. Check that the email and phone number on the Steam account are still yours.
3. Ensure your email address and/or password aren't contained in any public breaches:
- Email: https://haveibeenpwned.com/
- Password: https://haveibeenpwned.com/Passwords
-- If they are contained in any public breaches ("oh no, pwned!"), change your email account's password from a secure computer before proceeding.
-- If that happens, you may want to secure other accounts than just Steam.
-- Consider using mobile two-factor authentication on your e-mail address if your e-mail provider supports it.
4. Deauthorize all other devices https://store.steampowered.com/twofactor/manage
5. Change passwords from a clean computer
6. Generate new backup codes for your Mobile App https://store.steampowered.com/twofactor/manage
7. Revoke the API key https://steamcommunity.com/dev/apikey (there should be nothing in the APIKEY)
8. Change your trade link: Profile > your inventory > trade offer > Who can send me trade offer > scroll down and make a new trade link.
9. If points were stolen within 14 days, reset your Steam password (not change, RESET using Forgot Password) to cancel pending awards.
10. Once you have done all of the above steps, edit your profile to get rid of the fake message planted by the scammer (if it exists).

Be aware that Steam Support will not restore stolen items nor stolen wallet funds.
In accordance with Section 1 C of the Steam Subscriber Agreement, you are responsible for all actions on your account, no matter who used the account.

Did you do these yet?

1. Scan for malware https://www.malwarebytes.com/

2. Deauthorize all other devices https://store.steampowered.com/twofactor/manage

3. Change passwords from a clean computer.

4. Generate new backup codes.
https://store.steampowered.com/twofactor/manage

5. Revoke all API keys, there should be none.
https://steamcommunity.com/dev/apikey



After done that, if your items still pending with trade hold on in trade history, you can cancel trade and get items back, but if trade hold is over then trade been finalized, and unable to get items back.

Trade hold is 14 days, but reduce to 1 day if you're friends with the person for over a year, and trade hold can be bypass if setup Steam guard app on device's, and approve trade on the spot.


The type of scams you can encounter are as follows:
- You have pending ban, or I accidentally reported you. Here what they do is try to impersonate support claiming to be such via DMs, or send you a phishing link to trick you into logging on their device.

- You won a prize, or I sent you $50 or whatever, with a scam link attached trying to trick you to login.

- Please vote for my team, or whatever same thing link to scam site to try trick you to login.

There also issues can come across like sharing account with others, logging on public devices that not yours that likely infected with virus, or back door.

There also email scams, discord scams, gambling skin sites scams using phishing attack, the list goes on, and lastly people buying accounts from others when they shouldn't because the real creator of the account can recover it easily whenever.

Even on discord there issue where can use command to change link text to spoof hyperlink to take you somewhere else when you visit the link via discord.

So please be aware of the scams that happen, 2FA is just a tool, it's not a person, it's just waiting for approval on your end to click approve, or to provide code.

Yes doing them as we speak

I’m afraid this scam was much deeper rooted theft. I’m very safe with my account and have been playing counterstrike and using steam + discord for upwards of 9 years. This was not a discord scam it was not a face it scam. This was a person who I suspect does this for a living. They were in and out of my account from 7-8 pm exactly when my computer is off because I’m in the gym. The account was logged into via email and within 8 minutes the inventory was drained. I don’t know about you but I don’t check my emails every 5 min to see if something juicy comes in. Especially because this is my personal email and not for work. I’m very sad and have accumulated a plethora of items through the years. Just wish this was handled better on steams and valves end. They’re should be limits on traded items and inventory’s should not be able to be cleared. I’m angered and frustrated and just feel stepped on. They’re should be actually responsibility held when items of various amounts were stolen. Shame on steam.

no, shame on you for not securing your second authentication factor - your e-mail address.

If i were you i would secure all other accounts and services associated to that e-mail address as well...

Originally posted by Mo:

I’m afraid this scam was much deeper rooted theft. I’m very safe with my account and have been playing counterstrike and using steam + discord for upwards of 9 years. This was not a discord scam it was not a face it scam. This was a person who I suspect does this for a living. They were in and out of my account from 7-8 pm exactly when my computer is off because I’m in the gym. The account was logged into via email and within 8 minutes the inventory was drained. I don’t know about you but I don’t check my emails every 5 min to see if something juicy comes in. Especially because this is my personal email and not for work. I’m very sad and have accumulated a plethora of items through the years. Just wish this was handled better on steams and valves end. They’re should be limits on traded items and inventory’s should not be able to be cleared. I’m angered and frustrated and just feel stepped on. They’re should be actually responsibility held when items of various amounts were stolen. Shame on steam.

So you're saying they know your email login, and did account recovery?

At that point you got more work, make sure change password for all accounts that uses same password, as well hopefully you had change your email password by now.

I changed every password related to every account. This person hit a lose link in the chain. This was to easy and very preventable on steams end. This computer has never been in California and steam should be able to tell that. Especially cause it was only signed into for 8 minutes total. They could just not allow the trade. Maybe flag it, or even trade ban it. I didn’t do anything unusual with my email account. Credit cards and banks have a very good idea on fraud protection. I’m not saying steam is 100% responsible, they could have just helped.

Originally posted by Mo:

I changed every password related to every account. This person hit a lose link in the chain. This was to easy and very preventable on steams end. This computer has never been in California and steam should be able to tell that. Especially cause it was only signed into for 8 minutes total. They could just not allow the trade. Maybe flag it, or even trade ban it. I didn’t do anything unusual with my email account. Credit cards and banks have a very good idea on fraud protection. I’m not saying steam is 100% responsible, they could have just helped.

There number of things to point out.

1. Geo location is not perfect, and can be way off depending where you live, as you could appear living in another state, or country.

2. People may use VPN/proxy.

3. Some people have dynamic IP address, or request changes IP address by their provider.

4. People do travel, but this is a system not a person so it can't tell.

5. People do things when they know they shouldn't such as sharing accounts.

Now you understand why Steam just don't bark at everyone just because you're not using exact device, exact IP address, or at exact location.


The problem still ultimately comes back on the end user needing to be responsible, and aware of the problem so user can try avoid repeating same mistake in the future so doesn't happen again.

:(

I was just scammed. I have all the security Steam offers and there was just a trade made without my concent? What can be done, its a hour ago? All my TF2 items, including a €280 piece. Also all my Rust skins are gone. What can be done Steam?

Originally posted by DisT&L:

I was just scammed. I have all the security Steam offers and there was just a trade made without my concent? What can be done, its a hour ago? All my TF2 items, including a €280 piece. Also all my Rust skins are gone. What can be done Steam?

You already have your own thread.

The names that are involved are not in my steam friends list..? Its abour 15 years of items i earned :-/

If there's one thing I've learned over the decades, is that your email account should have a password that is completely unique and no other account uses one even remotely close to it.

Or use a completely randomly generated ones that most browsers can now generate. Of course you need a secure way to save it so you don't forget it.

Originally posted by Mo:

Credit cards and banks have a very good idea on fraud protection. I’m not saying steam is 100% responsible, they could have just helped.

Steam uses the exact same two factor mechanisms. If you are defrauded with your bank and you allow phishers to bypass any 2FA layers, you wont be compensated either.

Somewhere along the lines previous, you allowed your credentials to be phished and your account to be shadow-hijacked.

It’s a scary feeling being taken advantage of. Also the feeling of helplessness is floating around this issue. I’ve reported the account and want nothing more than for steam to not allow this account to trade my guns away. I would be happy at this point if they were erased from the market in total. I’m sorry to those that this has happened to and I feel your pain. I would say for the future treat your steam as if it’s your bank account. Don’t open google chrome while your playing or your logs might show up on a hackers stolen log books. I’ve spoken with a few folks that used to be scumbags and do this for a living. They advised me that this person either played with me in game or used/stole my IP address to access the accounts information. All because I was playing music on YouTube while I grinded some elo over the week. $400 beans gone!