Originally posted by Aluvard:

1. Scan for malware https://www.malwarebytes.com/
2. Check that the email and phone number on the Steam account are still yours.
3. Deauthorize all other devices https://store.steampowered.com/twofactor/manage
4. Change passwords from a trusted/clean device.
5. Generate new backup codes for your Mobile App https://store.steampowered.com/twofactor/manage
6. Revoke the API key https://steamcommunity.com/dev/apikey (there should be nothing in the APIKEY)

Have you revoked your API code, if there is any? https://steamcommunity.com/dev/apikey

In most cases that's the centerpiece of hijackings.

Also it won't hurt to generate new backup codes for your authentificator (if you use that) and to check, if stuff like your email adress and possibly telephone number are still correct.

Originally posted by Jerry:

Have you revoked your API code, if there is any? https://steamcommunity.com/dev/apikey

In most cases that's the centerpiece of hijackings.

Also it won't hurt to generate new backup codes for your authentificator (if you use that) and to check, if stuff like your email adress and possibly telephone number are still correct.

thank you
- when i check the API page, there is only an empty site with "Register for a new Steam Web API Key", and a "register" button and a empty "domain name" textfield. I gues this is good?
- My Account details (phone and email) are still correct.
- I generated new codes.

I believe that by entering the SMS code, I transferred my authenticator to the scammer. However, with the password reset and the other steps I took, the access should have been removed from their phone, right? Thanks!

Sounds like you should be okay for now. A bit surprising, that this one does not go for API hijacking, but I'm rather unfamiliar with Leetify, compared to other stuff, we get to see here daily.

My usual favourite piece of advice, that should protect you from at least a good share of dangers:
Steam allows for one-click login. When you are logged into the website of Steam in your browser, every third party Steam login should show you your account with an option to confirm it. If it is instead asking for your name and password, something is wrong.

Originally posted by Jerry:

Sounds like you should be okay for now. A bit surprising, that this one does not go for API hijacking, but I'm rather unfamiliar with Leetify, compared to other stuff, we get to see here daily.

My usual favourite piece of advice, that should protect you from at least a good share of dangers:
Steam allows for one-click login. When you are logged into the website of Steam in your browser, every third party Steam login should show you your account with an option to confirm it. If it is instead asking for your name and password, something is wrong.

thank you ! :)

Just for clarity it seems there's a legitimate leetify site and a scam one being advertised to take advantage of it. The proper site uses Steam's expected login procedure for legitimate third parties and doesn't ask you to enter your login details.

They've got a scam faq on their page.

https://leetify.com/blog/phishing/