Same here. I received a message from a friend while in the middle of the game regarding a link. I almost never receive these kind of things and have steamguard on at all times to protect my account. Unsure how steam let it happen, but this needs to be fixed to insure consumer safety. I had to change my passwords and remove credentials for my own safety.

ok, i found the option to de-authorize all devices from my account. from there i changed my password and made absolutely sure my details were unchanged. then i switch steam guard from email/text back to steam mobile app. the only indication of a breach is the messages i did not send and the log on from the state of washington.

to get into my account, a hacker would need access to my Email, and my phone in order to log in,. so even if they knew the password they couldnt get any farther, becuase if tyhey tried, i would be notified about a new login being attempted... which did not happen.....


could this be the start of a new kind of threat from hackers against steam users? doesnt this mean that steam guard has been comprimised?

Originally posted by Chris Solomon:

ok, i found the option to de-authorize all devices from my account. from there i changed my password and made absolutely sure my details were unchanged. then i switch steam guard from email/text back to steam mobile app

Gotcha. I changed my password via the steam client, then logged back in with the new password. I did also switch the steamguard authorization from email/text to mobile.

this whoie situation is scary as sh!t for me. i have been super duper carteful with my steam stuff. i don't share it with anyone, nor do i log into steam outside of my home network. i even turn off cell data and switch to wifi when using the steam mobile app.

All the steps, in order...

Scan for malware. https://www.malwarebytes.com/ or with whatever

Deauthorize all devices https://store.steampowered.com/twofactor/manage

Change your password on a secure device.

Generate new back up codes. https://store.steampowered.com/twofactor/manage

Revoke the api key (this should be empty) https://steamcommunity.com/dev/apikey

It's nothing new, it's phishing. People don't realize that a link they clicked on isn't a real Steam URL and they enter all of their login info, including the authenticator code. Especially if the person who sends them the link is a friend that they trust whose account was just hijacked with the same trick.

but how are they posing as me without being able to log into my account?

Originally posted by Chris Solomon:

but how are they posing as me without being able to log into my account?

that is simple = bot ;)

so steam chat services are so insecure that a some ♥♥♥♥♥♥ can setup up a bot to impersonate an actual user and spread their special kind of chaos?

Originally posted by cSg|mc-Hotsauce:

All the steps, in order...

Scan for malware. https://www.malwarebytes.com/ or with whatever

Deauthorize all devices https://store.steampowered.com/twofactor/manage

Change your password on a secure device.

Generate new back up codes. https://store.steampowered.com/twofactor/manage

Revoke the api key (this should be empty) https://steamcommunity.com/dev/apikey

:nkCool:

i have alreadty done all that. and as an added step i activated biometric login for the mobile app, that way, even if someone gets my phone, they still can get in..

i have been a mbam premium user since back when they still offered lifetime perpetual licenses. (i kind of lol at those who dish out a reoccuring fee for their mbam.)

Originally posted by Chris Solomon:

so steam chat services are so insecure that a some ♥♥♥♥♥♥ can setup up a bot to impersonate an actual user and spread their special kind of chaos?

is not steams fault that you let some one in to your account
next time dont use your steam logins on any other things then steam and if its this insecure why do i not have any problems ?

thats just it. i have not. i don't use my steam login on any anything except MY phone and MY personal PC.steam guard should have kept me safe

They all say the same, but it is impossible to get hacked without having done some mistake yourself.

You either got infected and had malware steal your active session, which means steam thinks it is your own doing.

Or you entered your login + Steam Guard code somewhere you were not supposed to. (Scanning the QR code to login does the same)

Or lastly someone else has/had physical access to your devices.

You can't deny all 3 of these, as that is impossible.

Originally posted by Chris Solomon:

thats just it. i have not. i don't use my steam login on any anything except MY phone and MY personal PC.steam guard should have kept me safe

The account name, the password and the KEY to the door, the Steam Guard Mobile code giving them access to the account.

How? by either logging into a known scam site or sites, tailored malware on your PC, the vote for my team scam, you have a pending ban scam on Discord, free knife click the link etc.

How does Steam (a program) know it is not you when all the account details are correct? It doesn't, therefore any action taken on your account is seen as you doing said actions.

The alternative is not plausible:

1) Someone would have to "GUESS" your account name from "millions of possible combinations".

2) Next they would have to "GUESS" your password from "millions of possible combinations" and then match it to your account name with "millions of possible combinations".

3) And finally they would have to "GUESS" the Steam Guard Mobile code "which changes every 30 seconds" to match both your account name and password to then have access your account.

Originally posted by Dan5000:

They all say the same, but it is impossible to get hacked without having done some mistake yourself.

You either got infected and had malware steal your active session, which means steam thinks it is your own doing.

Or you entered your login + Steam Guard code somewhere you were not supposed to. (Scanning the QR code to login does the same)

Or lastly someone else has/had physical access to your devices.

You can't deny all 3 of these, as that is impossible.

act6ually i can. i dont log in via qr code. becuase i only use the mobile app on my while its connected to my home wifi. so the qr function doesnt work. it reverts to giving me codes that i have to type into steam. as for malware, it would have to be something that was able to circumvent mbam realtime protection which is unlikely. deep scans from mbam have come back clean. and only i have access to m y devices.

also, the messages continue to go out to those on my freinds list, even after i have reset and changed my passwords and devices.