This topic has been locked
Unauthorised purchase on Steam Market
So, this happened to my brother, he has contacted Steam Support. My brother had quite a bit of money on his steam wallet, someone other than him logged into his account and spent ALL of it on a single steam community market purchase. My brother did not make this purchase, and he never would spend so much money on a single item. Before you comment asking "does he have 2FA enabled?" He didn't at the time but does now. And don't say "It's his own fault for not having that active in the first place." You would act differently if it happened to you! But, can he still get a refund? He can prove it wasn't him, and he was shocked that such a purchase was made without his knowledge.
Showing 1-15 of 23 comments
Ettanin Nov 21, 2024 @ 7:05am 
no, all purchases on the Steam Marketplace are final.

Also, 2FA won't help you if you give a bot your login info including the current 2FA code, because the bot will use 'remember me' and keep the session token for the hacker to use.

Same can happen if you have 'remember me' enabled on your system and malware stole your session token.

1. Scan for malware https://www.malwarebytes.com/
2. Check that the email and phone number on the Steam account are still yours.
3. Deauthorize all other devices https://store.steampowered.com/twofactor/manage
4. Change passwords from a trusted/clean device.
5. Generate new backup codes for your Mobile App https://store.steampowered.com/twofactor/manage
6. Revoke the API key https://steamcommunity.com/dev/apikey (there should be nothing in the APIKEY)
Last edited by Ettanin; Nov 21, 2024 @ 7:08am
Originally posted by Ettanin:
no, all purchases on the Steam Marketplace are final.

Also, 2FA won't help you if you give a bot your login info including the current 2FA code, because the bot will use 'remember me' and keep the session token for the hacker to use.

Same can happen if you have 'remember me' enabled on your system and malware stole your session token.

1. Scan for malware https://www.malwarebytes.com/
2. Check that the email and phone number on the Steam account are still yours.
3. Deauthorize all other devices https://store.steampowered.com/twofactor/manage
4. Change passwords from a trusted/clean device.
5. Generate new backup codes for your Mobile App https://store.steampowered.com/twofactor/manage
6. Revoke the API key https://steamcommunity.com/dev/apikey (there should be nothing in the APIKEY)
ok, so here's what I know. I know that he NEVER gave his login info to ANYONE, not even to me.

1. It can't be malware since it happened DURING work, his computer wasn't even on, and he hasn't downloaded anything malicious even if it was on.
2. Nothing has changed EXCEPT the purchase(s) made.
3. He deauthorized all other devices the moment he saw the email about the purchase(s).
4. He changed his password and enabled 2FA for the first time.
5. He didn't have 2FA or Steam Guard on Mobile enabled at the time.
6. I don't think he knows how to do that. (edit, he doesn't have his own website, so there's no need for this option.)
Last edited by Lydia the Braixevoir; Nov 21, 2024 @ 7:46am
miamew3 Nov 21, 2024 @ 7:55am 
There are a number of ways he could have given away his credentials and it doesn't have to be something he did recently. Some of these hijackers will sit on an account for days, months or even years, waiting for the account to have some value before they act.

Here is more info on how different types of scams work
https://steamcommunity.com/sharedfiles/filedetails/?id=784477482
Nx Machina Nov 21, 2024 @ 8:10am 
Accounts are PHISHED because the end user gave away all their account details.

The account name, the password and the KEY to the door, the Steam Guard Mobile code, or scanning the QR code or authorising via fingerprint giving them access to the account.

How? By either logging into a known scam site or sites, tailored malware on your PC, the vote for my team scam, you have a pending ban scam on Discord, free knife click the link, signing in through a fake login window etc.

How does Steam (a program) know it is not you when all the account details are correct? It doesn't, therefore any action taken on your account is seen as you doing said actions.

The alternative is not plausible:

1) Someone would have to "GUESS" your account name from "millions of possible combinations".

2) Next they would have to "GUESS" your password from "millions of possible combinations" and then match it to your account name with "millions of possible combinations".

3) And finally they would have to "GUESS" the Steam Guard Mobile code "which changes every 30 seconds" to match both your account name and password to then have access to your account.
Dan5000 Nov 21, 2024 @ 8:47am 
There are only 3 ways for others to get into your account:

1. You either got infected and had malware steal your active session, which means steam thinks it is your own doing. (Or you logged in on another infected machine)

2. You entered your login + Steam Guard code somewhere you were not supposed to. (Scanning the QR code to login does the same)

3. Someone else has/had physical access to your devices. (Or you forgot to logout after being in an internet café etc.)

The API key thing is listed, because you wouldn't have one as a normal user. IF there is an API key, he needs to revoke it, or the other person will be able to keep doing things to his account.
J4MESOX4D Nov 21, 2024 @ 9:31am 
Originally posted by Bastet:
"does he have 2FA enabled?" He didn't at the time but does now.
No 2FA enabled means scammers just need the basic credential set and then they can perform unlimited actions through their phished access. That's like not having locks on your front door and then crying when a burglar robs the house.


Originally posted by Bastet:
1. It can't be malware since it happened DURING work, his computer wasn't even on, and he hasn't downloaded anything malicious even if it was on.
2. Nothing has changed EXCEPT the purchase(s) made.
3. He deauthorized all other devices the moment he saw the email about the purchase(s).
4. He changed his password and enabled 2FA for the first time.
5. He didn't have 2FA or Steam Guard on Mobile enabled at the time.
6. I don't think he knows how to do that. (edit, he doesn't have his own website, so there's no need for this option.)
1. Scammers don't strike instantly - they can at any time once an account is phished and does not have two-factor security.
2. That's all the scammers were after. Nothing else.
3. Has to be done.
4. Has to be done and should've been done.
5. Monumental mistake.
6. Likely no API key required because the account was wide open and scammers only wanted something that doesn't require API facilitation.
Originally posted by Nx Machina:
Accounts are PHISHED because the end user gave away all their account details.

The account name, the password and the KEY to the door, the Steam Guard Mobile code, or scanning the QR code or authorising via fingerprint giving them access to the account.

How? By either logging into a known scam site or sites, tailored malware on your PC, the vote for my team scam, you have a pending ban scam on Discord, free knife click the link, signing in through a fake login window etc.

How does Steam (a program) know it is not you when all the account details are correct? It doesn't, therefore any action taken on your account is seen as you doing said actions.

The alternative is not plausible:

1) Someone would have to "GUESS" your account name from "millions of possible combinations".

2) Next they would have to "GUESS" your password from "millions of possible combinations" and then match it to your account name with "millions of possible combinations".

3) And finally they would have to "GUESS" the Steam Guard Mobile code "which changes every 30 seconds" to match both your account name and password to then have access to your account.
1. He NEVER logged into sites that require his steam account name OR password, meaning he NEVER gave away his account credentials!
2. He NEVER downloads anything sketchy, it happened once before where his computer had a virus so he doesn't do that anymore
3. He didn't HAVE Steam Guard until recently!
Also, you clearly don't understand Data Breaches... Data Breaches can happen at any moment, and ANY information on accounts related to that website are leaked. Which means that account names, passwords and other sensitive information is leaked, and those who caused the breach will have ALL that information, they can see which accounts are secured by 2FA and Mobile Guard and which ones aren't... So he's now going to test something, he put a small amount in his account again. He forcefully logged out all other devices using his account. He enabled Steam Guard and 2FA. If he gets another email about someone spending money on HIS account, with every account detail, aside from the username, changed, then it becomes a security risk for EVERYONE on Steam! Also, because he didn't have Steam Guard, the QR code is out of the question, because you NEED Mobile Steam Guard, which he didn't have until now, to even be able to USE that feature!
Last edited by Lydia the Braixevoir; Nov 21, 2024 @ 10:29pm
peppermint hollows Nov 21, 2024 @ 10:47pm 
Did he at least have email authentication enabled?
Dan5000 Nov 21, 2024 @ 11:16pm 
To be fair, not having Steam Guard enabled is pretty bad in this day and age. If he really did nothing wrong there, it would have prevented anyone from getting into his account and it's kind of his own fault, cuz he actively chose not to use the keys to lock his door.

Anyone else would be safe, as it is 100% impossible to get into another's account using Steam Guard, unless the user leaks their data on his own.
Last edited by Dan5000; Nov 21, 2024 @ 11:20pm
Nx Machina Nov 22, 2024 @ 12:38am 
Originally posted by Bastet:
1. He NEVER logged into sites that require his steam account name OR password, meaning he NEVER gave away his account credentials!
2. He NEVER downloads anything sketchy, it happened once before where his computer had a virus so he doesn't do that anymore
3. He didn't HAVE Steam Guard until recently!
Also, you clearly don't understand Data Breaches... Data Breaches can happen at any moment, and ANY information on accounts related to that website are leaked. Which means that account names, passwords and other sensitive information is leaked, and those who caused the breach will have ALL that information, they can see which accounts are secured by 2FA and Mobile Guard and which ones aren't... So he's now going to test something, he put a small amount in his account again. He forcefully logged out all other devices using his account. He enabled Steam Guard and 2FA. If he gets another email about someone spending money on HIS account, with every account detail, aside from the username, changed, then it becomes a security risk for EVERYONE on Steam! Also, because he didn't have Steam Guard, the QR code is out of the question, because you NEED Mobile Steam Guard, which he didn't have until now, to even be able to USE that feature!

The alternative is not plausible:

1) Someone would have to "GUESS" your account name from "millions of possible combinations".

2) Next they would have to "GUESS" your password from "millions of possible combinations" and then match it to your account name with "millions of possible combinations".

3) And finally they would have to "GUESS" the Steam Guard Mobile code "which changes every 30 seconds" to match both your account name and password to then have access to your account.

Or please explain how in 20 years of using Steam I have never lost access to my account and that includes before Steam Guard Email and Steam Guard Mobile.


Let's do a GUESS test on your account:

Account name: Blue Horizon, Yellow Sunset, Mango 765249, Xyz567kkop, etc.

Password: 5hufdetg, not really my password, Drowssap, 3568hugdrb,

How close am I?

And this is without the KEY to unlock the account.

And finally if there had been a data breach everyone would be complaining their account was compromised.
Last edited by Nx Machina; Nov 22, 2024 @ 12:42am
Originally posted by Nx Machina:
Originally posted by Bastet:
1. He NEVER logged into sites that require his steam account name OR password, meaning he NEVER gave away his account credentials!
2. He NEVER downloads anything sketchy, it happened once before where his computer had a virus so he doesn't do that anymore
3. He didn't HAVE Steam Guard until recently!
Also, you clearly don't understand Data Breaches... Data Breaches can happen at any moment, and ANY information on accounts related to that website are leaked. Which means that account names, passwords and other sensitive information is leaked, and those who caused the breach will have ALL that information, they can see which accounts are secured by 2FA and Mobile Guard and which ones aren't... So he's now going to test something, he put a small amount in his account again. He forcefully logged out all other devices using his account. He enabled Steam Guard and 2FA. If he gets another email about someone spending money on HIS account, with every account detail, aside from the username, changed, then it becomes a security risk for EVERYONE on Steam! Also, because he didn't have Steam Guard, the QR code is out of the question, because you NEED Mobile Steam Guard, which he didn't have until now, to even be able to USE that feature!

The alternative is not plausible:

1) Someone would have to "GUESS" your account name from "millions of possible combinations".

2) Next they would have to "GUESS" your password from "millions of possible combinations" and then match it to your account name with "millions of possible combinations".

3) And finally they would have to "GUESS" the Steam Guard Mobile code "which changes every 30 seconds" to match both your account name and password to then have access to your account.

Or please explain how in 20 years of using Steam I have never lost access to my account and that includes before Steam Guard Email and Steam Guard Mobile.


Let's do a GUESS test on your account:

Account name: Blue Horizon, Yellow Sunset, Mango 765249, Xyz567kkop, etc.

Password: 5hufdetg, not really my password, Drowssap, 3568hugdrb,

How close am I?

And this is without the KEY to unlock the account.

And finally if there had been a data breach everyone would be complaining their account was compromised.
Again, you don't understand how a DATA BREACH works! When a Data Breach occurs, the ones who performed it get access to EVERYTHING on that site, be it login account names, passwords, how many items a person has even if their inventory is private, how much money is in their steam wallet.
We understand how a data breach works, but that is not the problem, the problem is by your own admission that he didn't have authentication enabled - that means his account was much less secure than one that does. And again I ask, did he at least have email authentication enabled? Because if he didn't, then that is even WORSE because that means someone could log in as long as they had his password and would need absolutely nothing else. Even more so if he reuses his password for multiple sites because if another site he used that actually did suffer a data breach had passwords leaked, it's very easy for a malicious actor to try his password on different accounts across websites.

If there was a data breach for Steam we'd definitely be hearing about it by now (since it's been 18 hours since the thread was posted) all over news sites and anything tech related.
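
Added example (not part of the thread and not any poster's code): the password-reuse risk described in the post above, checked from the account owner's side. It flags passwords shared between sites and looks each one up in a breach corpus with a k-anonymity query, where only the first five hex characters of the SHA-1 digest are sent. The `SUFFIX:COUNT` response format is modelled on the Pwned Passwords range API; the vault, counts and `offline_lookup` stand-in are constructed so the block runs offline.

```python
import hashlib
from collections import defaultdict

def sha1_parts(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password, range_body):
    """Count for `password` in a 'SUFFIX:COUNT' range response; 0 if absent."""
    _, suffix = sha1_parts(password)
    for line in range_body.splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and cand.upper() == suffix:
            return int(count)
    return 0

def audit(vault, lookup):
    """vault: {site: password}; lookup(prefix) -> range body for that prefix.
    Returns {site: [findings]} for passwords that are reused or breached."""
    sites_by_pw = defaultdict(list)
    for site, pw in vault.items():
        sites_by_pw[pw].append(site)
    findings = {}
    for pw, sites in sites_by_pw.items():
        prefix, _ = sha1_parts(pw)          # only the prefix leaves the machine
        seen = breach_count(pw, lookup(prefix))
        for site in sites:
            notes = []
            if len(sites) > 1:
                others = sorted(s for s in sites if s != site)
                notes.append("reused on " + ", ".join(others))
            if seen:
                notes.append(f"seen {seen} times in breach corpus")
            if notes:
                findings[site] = notes
    return findings

# Constructed sample data: not real accounts, not real breach counts.
SAMPLE_VAULT = {"steam": "Summer2019!", "old-forum": "Summer2019!",
                "bank": "kV7#pq-Lw2zR9m"}
SAMPLE_BREACHED = {"Summer2019!": 412}

def offline_lookup(prefix):
    """Hypothetical stand-in for the range endpoint, built from SAMPLE_BREACHED."""
    lines = ["0" * 35 + ":1"]               # constructed decoy entry
    for pw, count in SAMPLE_BREACHED.items():
        p, suffix = sha1_parts(pw)
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(lines)

if __name__ == "__main__":
    for site, notes in sorted(audit(SAMPLE_VAULT, offline_lookup).items()):
        print(site, "->", "; ".join(notes))
```

A site with no second factor and a password that shows up in either finding is the case the post describes: the password alone is enough to log in.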
Maria Nov 22, 2024 @ 1:32am 
Originally posted by Bastet:
1. It can't be malware since it happened DURING work, his computer wasn't even on, and he hasn't downloaded anything malicious even if it was on.

....
1. You can never be so sure.

Originally posted by Bastet:
1. He NEVER logged into sites that require his steam account name OR password, meaning he NEVER gave away his account credentials!
2. He NEVER downloads anything sketchy, it happened once before where his computer had a virus so he doesn't do that anymore
3. He didn't HAVE Steam Guard until recently!
...
1. You can never be so sure.
2. You can never be so sure.
3. Perfect.

It honestly baffles me, where did you get all that confidence? Whoops, sorry. I'm confusing confidence with naivety.

Originally posted by Bastet:
Again, you don't understand how a DATA BREACH works! When a Data Breach occurs, ...
You said that steam had a data breach. Pffftt..

Some kind of hacker with black gloves, mask, and supercomputer HACKED steam's database and for some reason, they only took your brother's account, when there are MILLIONS of other accounts that are worth MUCH more than his. Sure, keep telling yourself that.
Last edited by Maria; Nov 22, 2024 @ 1:39am
eram Nov 22, 2024 @ 1:45am 
they 100% did 1 or more of the following. gave away their info, or got phished, clicked a bad link, got api scammed, social engineered etc etc
Nx Machina Nov 22, 2024 @ 1:57am 
Originally posted by Bastet:
Again, you don't understand how a DATA BREACH works! When a Data Breach occurs, the ones who performed it get access to EVERYTHING on that site, be it login account names, passwords, how many items a person has even if their inventory is private, how much money is in their steam wallet.

There was no data breach, he gave away all his account details.

If there had been a data breach everyone would be complaining their account was compromised but no just you on behalf of your brother and there are zero news articles on a data breach at Valve.

So we go back to:

Let's do a GUESS test on your account:

Account name: Blue Horizon, Yellow Sunset, Mango 765249, Xyz567kkop, etc.

Password: 5hufdetg, not really my password, Drowssap, 3568hugdrb,

How close am I to GUESSING your account details? Should not be hard to answer.

And this is without the KEY to unlock the account which the end user needs to provide when both the account name and password are correct.


So let's do another test:

What is my account name? What is my password?


And finally:

Or please explain how in 20 years of using Steam I have never lost access to my account and that includes before Steam Guard Email and Steam Guard Mobile.
Last edited by Nx Machina; Nov 22, 2024 @ 2:06am

Date Posted: Nov 21, 2024 @ 6:57am
Posts: 23