My Account Getting Hijacked and Wallet Money Gone
Hi. Today my account was hijacked and I guess the hacker bought an item from himself for the price of 32.80$ which was all the money on the account.

I have Steam Guard activated on my account with my phone which no one has access to.
I didn't put anything anywhere. In fact, I'm travelling right now and didn't have access to my Steam account at all. Didn't click on anything or anything like this. Also, my PC is safe and all my other accounts are safe. Someone logged in and drained all of my wallet. Bought a gun for 32.80$
A gun with the name "MP5-SD | Dirt Drop".
Also sold all the items he could and bought some more items from himself again. So I lost about 35$

What can I do now?
Changed my password and signed out of all devices...
Don't think the hacker has access to my Steam guard because he could not sell items that needed Steam account confirmation. IDK if it's related or not.
I contacted Steam support in the Steam Guard section because I could not find any better category for contact support. Please tell me what more should I do and where should I go.
Also, any chance I get my wallet funds back? Forget about the items...
Originally posted by Wolf Knight:
Steps to take NOW to secure the account:
1. Scan for malware https://www.malwarebytes.com/
2. Deauthorize all other devices https://store.steampowered.com/twofactor/manage
3. Change passwords from a clean computer
4. Generate new backup codes for your Mobile App https://store.steampowered.com/twofactor/manage
5. Revoke the API key https://steamcommunity.com/dev/apikey (there should be nothing in the APIKEY)
Here's our usual "laundry list". Getting rid of the API key is the most important part about it, the rest is just to make sure, they don't set up a new one.

Deauthorize all devices https://store.steampowered.com/twofactor/manage
Change your password on a secure device.
Generate new back up codes. https://store.steampowered.com/twofactor/manage
Revoke the api key https://steamcommunity.com/dev/apikey
Check that the email and phone number on the steam account is still yours.

An antivirus scan won't hurt either.


Your money and items are gone for good, sorry about that. You're in a long, long line of hijacking victims.
You logged into a phishing website some time ago, that placed a bot into your account. Today it turned active.


My usual advice:
Never enter your Steam login details directly on other websites again. Instead, when a website (even if it seems to be a Steam profile or trade) asks for your Steam login, leave it, go to the main page of Steam (store.steampowered, maybe best to bookmark it too, so you don't fall for false main pages) and log in there. Then go back to the other website. A legitimate website now will show your account on the login page and will allow you to confirm it. A phishing page, that wants to do bad things to your account, will keep asking for your name and password.
Your wallet funds are gone, there is no way you can get them back sadly, but you leaked your data somehow by signing in to some shady websites or downloading some unknown apps.
Originally posted by ْSmoke™:
Your wallet funds are gone, there is no way you can get them back sadly, but you leaked your data somehow by signing in to some shady websites or downloading some unknown apps.


Well as I said I didn't put any data from my steam anywhere. I am always very careful with these things.
Also, I won't download any app and I have a good anti-virus.
Do they get the hacker's account and ban it? It's obvious what account did it...
My money bought about 3 items from 2 accounts. The account names were just some random numbers...
Also, how can I trust Steam again when I didn't do anything wrong? :|
Although you are one of the very few who correctly identified a hijacker at work here rather than one of those so-called hackers who "prey on pitiful users", you have still chosen your own fate.

Steam Guard is powerless if you're generously distributing your login credentials and carelessly sharing your 2FA code like others might offer a bag of gummy bears. "Anyone who wants a piece, help yourself!"

Yet, you insist on calling this individual a hacker later in your OP.

No. Hacking isn't required for this. A little manipulation of naive, overly trusting souls, and the game begins.

And no, you won't see a penny of your money returned.
Originally posted by Aryana0631:
Well as I said I didn't put any data from my steam anywhere. I am always very careful with these things.

"Vote for my team/artwork"
"I'm quitting Steam and giving away my inventory"
"Comment on my profile for a 50 dollar gift card"

Just a few of the more common ones, but there's many more like that out there. Experience says, that chances are very high, it was a login into a fraudulent website, that got you exposed. If you are able to identify any different source than that, we'd be happy if you share it with us; always good to be informed about new approaches, criminals are taking. Until then, we have to assume, it's the usual pattern.

A trade+market ban on the accounts, that drained you, is quite possible. Let's hope, they made enough noise for the Steam scripts to have noticed. Won't get you your stuff back, but if things go well, the thief won't benefit from it either.
Originally posted by Aryana0631:
Originally posted by ْSmoke™:
Your wallet funds are gone, there is no way you can get them back sadly, but you leaked your data somehow by signing in to some shady websites or downloading some unknown apps.


Well as I said I didn't put any data from my steam anywhere. I am always very careful with these things.
Also, I won't download any app and I have a good anti-virus.
Do they get the hacker's account and ban it? It's obvious what account did it...
My money bought about 3 items from 2 accounts. The account names were just some random numbers...
Accounts are phished not hacked.

You gave away all your account details.

The account name, the password and the KEY to the door, the Steam Guard Mobile code giving them access to the account.

How? by either logging into a known scam site or sites, tailored malware on your PC, the vote for my team scam, you have a pending ban scam on Discord, free knife click the link etc.

How does Steam (a program) know it is not you when all the account details are correct? It doesn't, therefore any action taken on your account is seen as you doing said actions.

The alternative is not plausible:

1) Someone would have to "GUESS" your account name from "millions of possible combinations".

2) Next they would have to "GUESS" your password from "millions of possible combinations" and then match it to your account name with "millions of possible combinations".

3) And finally they would have to "GUESS" the Steam Guard Mobile code "which changes every 30 seconds" to match both your account name and password to then have access to your account.
Originally posted by Aryana0631:
Also, how can I trust Steam again when I didn't do anything wrong? :|
Steam isn't the issue, you are whether you realise it or not. You leaked or allowed your credentials to be captured somewhere along the lines. You're already party of one iffy group.
Guys, I'm telling you I am 100% sure I didn't put my Steam guard or credentials anywhere. I'm experienced and don't make mistakes like this.

But let's forget the past. The money is gone. I changed my password and got new codes for Steam Guard. Also, have no API. Am I safe now?
Is it possible the hacker logged in a long time ago and now drained my wallet? Cause I have no new recent login...
This scares me a little that I have no recent logins...
Also, is there any way to make mobile or steam guard confirmation mandatory for every transaction on Steam including buying games and items from the market?
I'm mostly here to prevent this from happening in the future.
And we are 100 % sure you did.

Originally posted by Aryana0631:
I'm experienced and don't make mistakes like this.
Well, this is your second mistake ...
Last edited by HE❌EN; Aug 25, 2024, 11:48
Originally posted by 𝙸𝚁𝚄𝙻▲𝙽:
And we are 100 % sure you did.

Originally posted by Aryana0631:
I'm experienced and don't make mistakes like this.
Well, this is your second mistake ...

I didn't log in with my Steam account anywhere recently and didn't connect it to any website either.
And why would I lie I didn't enter my Guard if I did?
I'm looking for the cause here and I'm telling you I didn't put my steam guard anywhere beside the steam app. I always check my login location too.
But let's say even if I did which I didn't. Is that possible that the hijacker logged in a long time ago? Cause as I said I checked my recent logins and no one entered my steam recently also didn't use my steam guard at all. This concerns me that there is no new login...
Yeah, totally possible.

It's because you handed out your data like cookies ages ago. Guess it's coming back to bite you now ...
Originally posted by 𝙸𝚁𝚄𝙻▲𝙽:
Yeah, totally possible.

It's because you handed out your data like cookies ages ago. Guess it's coming back to bite you now ...


So now if I change my password generate a new steam guard code and log out all devices I should be 100% safe? ( I did all of these )

I lost the 35$ but there is a lesson to not hold that much money in the account anymore unless I want to buy something right away...
Originally posted by magicISO Sweden:
The alternative is not plausible:

1) Someone would have to "GUESS" your account name from "millions of possible combinations".

2) Next they would have to "GUESS" your password from "millions of possible combinations" and then match it to your account name with "millions of possible combinations".

3) And finally they would have to "GUESS" the Steam Guard Mobile code "which changes every 30 seconds" to match both your account name and password to then have access to your account.

Unlikely, and currently without hints towards it, but far from impossible.
All it takes is access to the account database and a stubborn script to either decrypt the stored passwords or run through possible passwords in an offline environment. And for the verification codes, those on phones do follow a preset and ultimately predictable pattern, as they need to be kept available even without internet.
I can assure you, that such things as hacking and website vulnerabilities do indeed exist. Had to secure my Yahoo mail account more than once over the years.
Last edited by Jerry; Aug 25, 2024, 12:16
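
For reference on the 30-second codes discussed in the posts above, this is how a standard time-based one-time code (RFC 6238) is derived and checked. It is an added example, not part of any post and not Steam's own code: it uses the generic RFC algorithm with 6-digit output, and the secret is the RFC test key; Steam Guard's actual code format is not described in this thread.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for, the interval mentioned in the thread

# Constructed sample: the shared secret from the RFC 6238 test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset from the last nibble
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: the counter is simply the number of 30-second steps so far."""
    return hotp(secret, unix_time // STEP, digits)


def verify(secret: bytes, code: str, unix_time: int,
           drift_steps: int = 1, digits: int = 6) -> bool:
    """Server-side check: accept codes from adjacent steps to allow clock drift."""
    counter = unix_time // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), code)
        for d in range(-drift_steps, drift_steps + 1)
    )


if __name__ == "__main__":
    code = totp(RFC_TEST_SECRET, 59)
    print("code at t=59:", code)
    # The check only asks "is this code right for this time window?".
    # It has no notion of who typed it or on which page.
    print("accepted 16 s later:", verify(RFC_TEST_SECRET, code, 75))
    print("accepted 91 s later:", verify(RFC_TEST_SECRET, code, 150))
```

The code depends only on the shared secret and the clock, which is why the phone can produce it offline; the verifier accepts a valid code from whoever submits it inside the window, so the protection rests on the secret staying on the phone and on codes being typed only into the genuine login page.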
Posted: Aug 25, 2024, 10:09
Posts: 31