Steam account compromised.
I was playing CS2 DM earlier when the game suddenly closed and Steam said "shutting down steam". After relaunching it I had a message from someone claiming to be from the "steam fraud department". I knew straight away this was a scam attempt and to just ignore their threats of deleting my account and games etc.

Anyway, they sent more messages saying they had deleted Wallpaper Engine from my library. When I checked, it actually was deleted. They then proceeded to delete a couple of skins from my CS2 inventory. I also got the warning popup "Steam is trying to make changes", which I didn't do anything to prompt, so I canceled. I then noticed CS2 was fully uninstalled from my library.

How the hell did they have access to the point of being able to locally uninstall CS2? Being able to delete stuff from my account was weird enough, since I use Steam mobile authenticator, and upon checking there are no devices authorized other than my own.

So, it seems this person somehow had direct access to my computer to do these things... but I'm not sure how. I'm very careful and never get viruses... as far as I'm aware at least, I haven't had a virus for at least 15 years. I stay away from places where you get them, I run Windows Defender and that has never spotted anything.

I've just bought Kaspersky premium for the year for a second opinion, which is scanning now with about 30 mins left, but if that doesn't find anything then what am I to assume about how they got access enough to uninstall CS2?

I unplugged the PC and router, hooked up my old router and booted up my laptop and connected via that router. I then went to message the person and egg them into deleting something else. A game, inventory item or to uninstall CS2 again, which I said I had reinstalled (but I have it installed on my laptop). I got no further response, there were no further changes to my account and then I suddenly couldn't message the person anymore with "You cannot message people who are not on your friends list". Although I could message them just fine before even though they weren't on my friends list then either. That's the other question, how did they message me while not on my friends list? Unless they somehow had access and were able to add themselves?

Their last message was "comply within 24 hours or have your account deleted" and they have already shown that they have the appropriate access to do so, but I need to figure out how the hell they gained that access.

Has anyone else had the same experience or know anything about this?
Showing 1-13 of 13 comments
cSg|mc-Hotsauce Aug 8, 2024 @ 10:53am 
Secure your account.

All the steps, in order...

Scan for malware. https://www.malwarebytes.com/ or with whatever

Deauthorize all devices https://store.steampowered.com/twofactor/manage

Change your password on a secure device.

Generate new back up codes. https://store.steampowered.com/twofactor/manage

Revoke the api key (this should be empty) https://steamcommunity.com/dev/apikey

:nkCool:
J4MESOX4D Aug 8, 2024 @ 10:55am 
Either you gave away your credentials to a phishing site or you have extremely harmful malware material on your device.
FrazzleDazzle Aug 8, 2024 @ 10:56am 
Thanks, cSg|mc-Hotsauce, I've already done all that and the API key was already empty. I knew I had set one up in the past but must have cleared it at some point.

The thing that's bothering me is how were they able to uninstall CS2 from my pc? That suggests full access to my computer.
J4MESOX4D Aug 8, 2024 @ 10:57am 
Originally posted by Shtonk:
Thanks, cSg|mc-Hotsauce, I've already done all that and the API key was already empty. I knew I had set one up in the past but must have cleared it at some point.

The thing that's bothering me is how were they able to uninstall CS2 from my pc? That suggests full access to my computer.
For what purpose did you have an API key before?
cSg|mc-Hotsauce Aug 8, 2024 @ 11:01am 
Originally posted by Shtonk:
Thanks, cSg|mc-Hotsauce, I've already done all that and the API key was already empty. I knew I had set one up in the past but must have cleared it at some point.

The thing that's bothering me is how were they able to uninstall CS2 from my pc? That suggests full access to my computer.

That can also suggest they could have used Steam Remote Play to remote into your desktop, giving them full remote access to your PC.

It depends on the attack vector.

:nkCool:
FrazzleDazzle Aug 8, 2024 @ 11:02am 
J4MESOX4D even if I had fallen for a phishing scam (which I haven't) and given away my credentials, they still need to authorize their device on my phone which is locked by fingerprint, and there are no suspicious devices authorized. Just my phone, laptop and PC. There were also no shady trading attempts showing in the mobile app, nothing.

Malware is what I'm swaying towards, but I'm just baffled as to how I got it. And what am I to do if these scans show up nothing? I have terabytes of data across 4 drives, there's tons of work and projects on there. If there is in fact malware embedded somewhere that isn't being picked up then what are my options? I need those files, there's years, nay decades of work, I can't just wipe the drives.
FrazzleDazzle Aug 8, 2024 @ 11:04am 
Originally posted by J4MESOX4D:
For what purpose did you have an API key before?

It was for running a CS:GO server which I never actually got round to fully setting up.
FrazzleDazzle Aug 8, 2024 @ 11:06am 
Originally posted by cSg|mc-Hotsauce:
That can also suggest they could have used Steam Remote Play to remote into your desktop, giving them full remote access to your PC.

It depends on the attack vector.

:nkCool:

How would they have gained access that way? And how can I make sure it doesn't happen again? Wouldn't they need access to another machine on my network in order to pull that off? All of which were turned off (laptop which was closed and locked on the sign-in screen, and Steam Deck whose battery hasn't even been changed for about a month so won't even turn on).
Last edited by FrazzleDazzle; Aug 8, 2024 @ 11:08am
J4MESOX4D Aug 8, 2024 @ 11:07am 
Originally posted by Shtonk:
J4MESOX4D even if I had fallen for a phishing scam (which I haven't) and given away my credentials, they still need to authorize their device on my phone which is locked by fingerprint, and there are no suspicious devices authorized. Just my phone, laptop and PC. There were also no shady trading attempts showing in the mobile app, nothing.

Malware is what I'm swaying towards, but I'm just baffled as to how I got it. And what am I to do if these scans show up nothing? I have terabytes of data across 4 drives, there's tons of work and projects on there. If there is in fact malware embedded somewhere that isn't being picked up then what are my options? I need those files, there's years, nay decades of work, I can't just wipe the drives.
Tens of thousands of users fall for tailored phishing scams every single day and many are shadow-hijacked without their knowledge and have been for a very long time. I see about 20 threads a day just glancing the forums whereby a user is compromised by confirming a contaminated login stemming from a 3rd party source so it's perfectly possible.

I do think here it is a case of a targeted RAT-type access and it's clearly a scammer after your Steam rather than a general attack targeting your device.
FrazzleDazzle Aug 8, 2024 @ 11:20am 
Originally posted by J4MESOX4D:
Tens of thousands of users fall for tailored phishing scams every single day and many are shadow-hijacked without their knowledge and have been for a very long time. I see about 20 threads a day just glancing the forums whereby a user is compromised by confirming a contaminated login stemming from a 3rd party source so it's perfectly possible.

I do think here it is a case of a targeted RAT-type access and it's clearly a scammer after your Steam rather than a general attack targeting your device.

I know it's possible, but I do not answer or even acknowledge any message, email, whatever form of communication from anyone I'm not expecting communication from. This definitely isn't the result of a phishing scam.

However, I WAS stupid enough to click through on a Reddit ad about 3 months ago and install what I assumed was some legit AI software which I QUICKLY had second thoughts about right after I installed it and realized what a joke of a piece of software it was. I forget what it was called... something like janet or juno or something. Almost certain it started with a J. I immediately researched (I know I should have done that first, but not being a massive Reddit user or up so much on Reddit I had a false sense of security that surely Reddit wouldn't allow malicious ads on their platform, would they?) and found some people calling it out as malware. I immediately and fully reformatted my PC and reinstalled Windows (not a restore or backup, a full reinstall from external media created on another machine, partitions deleted, everything wiped) so unless it's embedded itself on one of my other drives and can creep back then I wouldn't have thought it was down to that.
Satoru Aug 8, 2024 @ 11:22am 
Originally posted by Shtonk:
I know it's possible, but I do not answer or even acknowledge any message, email, whatever form of communication from anyone I'm not expecting communication from. This definitely isn't the result of a phishing scam.

However, I WAS stupid enough to click through on a Reddit ad about 3 months ago and install what I assumed was some legit AI software which I QUICKLY had second thoughts about right after I installed it and realized what a joke of a piece of software it was.

Note you cannot simultaneously say you 'will not' fall for something, then immediately tell a story of how you absolutely fell for something
FrazzleDazzle Aug 8, 2024 @ 11:28am 
Originally posted by Satoru:
Note you cannot simultaneously say you 'will not' fall for something, then immediately tell a story of how you absolutely fell for something

I knew that was coming :P

I said I certainly didn't fall for a phishing scam. What I did fall for wasn't a phishing scam.

And as I said, I cleared that up immediately. The question now is are there remnants of that malware on one of my other drives and if so what are my options, considering I need the data on those drives and I need those drives connected.
Last edited by FrazzleDazzle; Aug 8, 2024 @ 11:35am
Lonederanger Aug 8, 2024 @ 1:57pm 
I actually faced something similar yesterday.
My account has been compromised even though there is no trace how it's been done.
I use 2FA... Steam Support claims that I have entered my credentials on a phishing site but I have not been following any links in any e-mails.
The weirdest thing is that my computer was online from Hong Kong, even though it was turned off and is located in Germany...
I think somehow the auth token had been leaked or cracked, because my machine is totally clean. I've been scanning for any kind of virus on my computer and it makes totally no sense...
Someone traded over 30 items over my account... I mean I don't care about items in my collection but it is a weird feeling that someone is using your account that you have secured with Steam Guard....

For the moment the only thing you can do is to force a log out of all your Steam devices, change your password, disable Steam Guard, re-enable it and do all the log in again... this will help at least for a while
Last edited by Lonederanger; Aug 8, 2024 @ 2:05pm

Date Posted: Aug 8, 2024 @ 10:50am
Posts: 13