Mulshock ✪ 18 Aug 2020 at 2:39 p.m.
I got hacked and someone traded my skins away Valve plz help
I got hacked and someone traded my skins away. I have Steam Guard and it didn't help me at all to stop this hacker. I have Steam Guard on my phone. The hacker hacked my account and somehow used my account and traded away my skins. The hacker needed my Steam Guard code for logging on to my account but somehow bypassed it. And also bypassed the trade confirmation. I did all I could to protect my account with Steam Guard but somehow still got hacked. Like how, Valve, what is the point of Steam Guard if the hackers can bypass it and use it to hack. I thought it would make my account safer because hackers would need my steam card code. But all it did was let the hacker trade my skins away without a trade hold. Valve plz return my skin back because the skins should have a 7 day trade ban.
Showing 16-30 of 41 comments
eggoe 18 Aug 2020 at 4:02 p.m.
You weren't hacked, stop trying to get ♥♥♥♥♥♥♥♥♥♥
Mulshock ✪ 18 Aug 2020 at 4:44 p.m.
Originally posted by Teksura:
Scan for malware https://www.malwarebytes.com/
Deauthorize all other devices https://store.steampowered.com/twofactor/manage
Change passwords from a clean computer
Generate new backup codes https://store.steampowered.com/twofactor/manage
Revoke the API key https://steamcommunity.com/dev/apikey
Stop using shady third party trade sites or clicking suspicious links.


Do each of the steps.



What happened is your account became compromised, most likely through a third party site. This well known scam then requires you to authorize the trade giving your items away after you allow them access to your account through either malware, or giving away your details through a phishing fake login page or other trick used by those shady third party sites.

The way it does this is after it gains access to your account, a bot waits until you send out a trade offer, and then using the access you gave to them, their bot cancels the trade, changes a bot account to match the name and profile picture of the person you wanted to trade with, and then sends a trade giving your stuff away for free.

The scam depends on you ignoring all the warnings, such as "this user is not on your friends list", "this user has a similar name to someone on your friends list", their items missing from the offer, the big "you will receive nothing" text, the fact that they have the wrong level, wrong "has been on Steam since" date (usually obviously too recent to make sense), and a few other obvious warnings. It only works if you're not even looking at what you're doing. Sadly, an awful lot of people don't care enough to verify the trade is what they are expecting, so this scam continues to work.

Valve will not return items you gifted away to the scammer as a result of ignoring all the warnings. https://support.steampowered.com/kb_article.php?ref=9958-MJDG-3003


Originally posted by Wolf Knight:
steam guard does nothing if the user gives away the account log in. figure out how you did that

scammed/stolen items are not returned

1. Scan for malware https://www.malwarebytes.com/
2. Deauthorize all other devices https://store.steampowered.com/twofactor/manage
3. Change passwords from a clean computer
4. Generate new backup codes for your Mobile App https://store.steampowered.com/twofactor/manage
5. Revoke the API key https://steamcommunity.com/dev/apikey (there should be nothing in the APIKEY)

you said you did all you could and yet we see this in your name history

Mulshock ♥♥♥♥♥♥♥♥.com

clearly you didn't do all you could. all 3rd party sites are USE AT OWN RISK


Thanks for the help, I did what it said. Hopefully my account is safe. And I won't ever use 3rd party sites ever again.
Muppet among Puppets 19 Aug 2020 at 2:29 a.m.
Do your auth app codes still work for you to login?
The HopelessGamer™ 19 Aug 2020 at 4:23 a.m.
Originally posted by Mulshock ✪:
Originally posted by Teksura:
Scan for malware https://www.malwarebytes.com/
Deauthorize all other devices https://store.steampowered.com/twofactor/manage
Change passwords from a clean computer
Generate new backup codes https://store.steampowered.com/twofactor/manage
Revoke the API key https://steamcommunity.com/dev/apikey
Stop using shady third party trade sites or clicking suspicious links.


Do each of the steps.



What happened is your account became compromised, most likely through a third party site. This well known scam then requires you to authorize the trade giving your items away after you allow them access to your account through either malware, or giving away your details through a phishing fake login page or other trick used by those shady third party sites.

The way it does this is after it gains access to your account, a bot waits until you send out a trade offer, and then using the access you gave to them, their bot cancels the trade, changes a bot account to match the name and profile picture of the person you wanted to trade with, and then sends a trade giving your stuff away for free.

The scam depends on you ignoring all the warnings, such as "this user is not on your friends list", "this user has a similar name to someone on your friends list", their items missing from the offer, the big "you will receive nothing" text, the fact that they have the wrong level, wrong "has been on Steam since" date (usually obviously too recent to make sense), and a few other obvious warnings. It only works if you're not even looking at what you're doing. Sadly, an awful lot of people don't care enough to verify the trade is what they are expecting, so this scam continues to work.

Valve will not return items you gifted away to the scammer as a result of ignoring all the warnings. https://support.steampowered.com/kb_article.php?ref=9958-MJDG-3003
Should I keep using this same account even though it got hacked and I changed my password. Or is it safer to make a new one.
Making a new one makes no difference... It's up to you to keep it secure no matter what account you have. If you do not keep this one secure, I wonder how a new one will wind up...
Pesukaru 19 Aug 2020 at 5:47 a.m.
Ur just very Unlucky
TheGreenLing 20 Aug 2020 at 2:08 p.m.
Originally posted by Ei Kannata ✪ Zone ✪:
Ur just very Unlucky
I hope you don't rely on luck. I would suggest making wise decisions to ensure your account is secure. OP did not make wise decisions. I hope you take his example to heart and not make the same mistakes.
Spuck 8 Jul 2021 at 12:53 a.m.
Originally posted by Snakub Plissken:
Originally posted by Mulshock ✪:
I used that website months ago and it’s a safe website plus I just got hacked one hour ago.

And yet the forums auto censor it, why do you think that is? Unfortunately you're mistaken about the safety. And a lot of people in your shoes double down and claim that the sketchy 3rd party sites they're using are safe because they don't want to admit they're mistaken. And regardless of your denials just about any account that gets hijacked is because of user error. Users are the weakest link in the security model, so that's what scammers and hijackers target. Much easier than overcoming actual security.

Also while you can imagine the amount of time that's passed grants you safety, I'm willing to bet your account has either been compromised for a while or you haven't updated your compromised credentials in the interim. Time doesn't magically grant you protection in those cases.

Originally posted by Mulshock ✪:
Ok but how did they bypass Steam Guard? Valve even said that Steam Guard is supposed to make the account more safe and without physical contact it's hard to get the code.

Steam Guard is a layer of security yes, it does make your account more safe. But it's not an invincible shield that lets users be reckless and careless. Many users seem oblivious to that detail and often dredge up those arguments.

Listen we can't tell you exactly when or where you did what. Just that we see these topics frequently and your resistance to the reality of the situation and your arguments from ignorance don't change things in your favor.

This is a terrible response. The whole point of two factor is to prevent someone from getting your account info and being able to log in to it. Even if you give them the email and they get the password, the mobile authentication is supposed to help prevent that, but it doesn't. My friend had that happen to him as well, but doesn't do any third party websites whatsoever. He got no warning of a trade happening and the hacker was able to trade through him in less than an hour and he had no idea. Steam is to blame for this and needs to figure it out before more people get their accounts hacked.
Cathulhu 8 Jul 2021 at 12:54 a.m.
Steam Guard Mobile Authenticator can't protect you if you give the SteamGuard code away.
SMA does not allow you to enter your login credentials recklessly on fake websites.

SMA protects you in case you leak your account name and password, it does not protect you if you give your complete credentials, including SteamGuard code away.
Last edited by Cathulhu; 8 Jul 2021 at 12:55 a.m.
J4MESOX4D 8 Jul 2021 at 1:31 a.m.
Originally posted by Spuck:
Originally posted by Snakub Plissken:

And yet the forums auto censor it, why do you think that is? Unfortunately you're mistaken about the safety. And a lot of people in your shoes double down and claim that the sketchy 3rd party sites they're using are safe because they don't want to admit they're mistaken. And regardless of your denials just about any account that gets hijacked is because of user error. Users are the weakest link in the security model, so that's what scammers and hijackers target. Much easier than overcoming actual security.

Also while you can imagine the amount of time that's passed grants you safety, I'm willing to bet your account has either been compromised for a while or you haven't updated your compromised credentials in the interim. Time doesn't magically grant you protection in those cases.



Steam Guard is a layer of security yes, it does make your account more safe. But it's not an invincible shield that lets users be reckless and careless. Many users seem oblivious to that detail and often dredge up those arguments.

Listen we can't tell you exactly when or where you did what. Just that we see these topics frequently and your resistance to the reality of the situation and your arguments from ignorance don't change things in your favor.

This is a terrible response. The whole point of two factor is to prevent someone from getting your account info and being able to log in to it. Even if you give them the email and they get the password, the mobile authentication is supposed to help prevent that, but it doesn't. My friend had that happen to him as well, but doesn't do any third party websites whatsoever. He got no warning of a trade happening and the hacker was able to trade through him in less than an hour and he had no idea. Steam is to blame for this and needs to figure it out before more people get their accounts hacked.
If I give away my front door keys to a thief, I can't then blame the lock if my house is burgled. 2FA adds an extra security layer from an independent device and that's it. If your friend allowed his entire credential set to be phished which includes a live auth code which is then login-botted into a real client then that's his atrocious incompetence. Don't embarrass yourself by defending this.
DC-GS 8 Jul 2021 at 1:35 a.m.
Originally posted by Spuck:
Steam is to blame for this and needs to figure it out before more people get their accounts hacked.

Yeah, Valve should terminate his account since he breached the contract with Valve.

There is no cure for stupidity.
Supafly 8 Jul 2021 at 1:44 a.m.
Originally posted by Spuck:
Originally posted by Snakub Plissken:

And yet the forums auto censor it, why do you think that is? Unfortunately you're mistaken about the safety. And a lot of people in your shoes double down and claim that the sketchy 3rd party sites they're using are safe because they don't want to admit they're mistaken. And regardless of your denials just about any account that gets hijacked is because of user error. Users are the weakest link in the security model, so that's what scammers and hijackers target. Much easier than overcoming actual security.

Also while you can imagine the amount of time that's passed grants you safety, I'm willing to bet your account has either been compromised for a while or you haven't updated your compromised credentials in the interim. Time doesn't magically grant you protection in those cases.



Steam Guard is a layer of security yes, it does make your account more safe. But it's not an invincible shield that lets users be reckless and careless. Many users seem oblivious to that detail and often dredge up those arguments.

Listen we can't tell you exactly when or where you did what. Just that we see these topics frequently and your resistance to the reality of the situation and your arguments from ignorance don't change things in your favor.

This is a terrible response. The whole point of two factor is to prevent someone from getting your account info and being able to log in to it. Even if you give them the email and they get the password, the mobile authentication is supposed to help prevent that, but it doesn't. My friend had that happen to him as well, but doesn't do any third party websites whatsoever. He got no warning of a trade happening and the hacker was able to trade through him in less than an hour and he had no idea. Steam is to blame for this and needs to figure it out before more people get their accounts hacked.

HIJACKED!!!!!!!!!!!!!!! not hacked. They are not the same. Hacked means security weaknesses in code were exploited. OP and your friend's account were not hacked. They gave their login data away, likely a phishing website. In which they got hijacked. Steam guard is nothing more than an extra key. If you give the key away to a stranger nothing stops that stranger entering your home, damaging stuff and stealing items. Your insurance company wouldn't pay out for new stuff because a person voided the policy by NOT keeping it secure. Same goes for cars or anything else if YOU DO NOT keep them secure YOU are at fault and the policy is void.

Valve is NOT responsible when users willingly GIVE strangers access to their accounts. User error. OP and your friend screwed up. Better they accept and LEARN from their mistakes so as to NOT repeat it on Steam or worse their bank.
м 8 Jul 2021 at 2:22 a.m.
Originally posted by Mulshock ✪ ♥♥♥♥♥♥♥♥♥.com:
I got hacked

I like the fact that you got scammed, and now you're again using scam websites and promoting them in your name... seriously.
Teksura 8 Jul 2021 at 1:52 p.m.
Originally posted by Spuck:
Originally posted by Snakub Plissken:

And yet the forums auto censor it, why do you think that is? Unfortunately you're mistaken about the safety. And a lot of people in your shoes double down and claim that the sketchy 3rd party sites they're using are safe because they don't want to admit they're mistaken. And regardless of your denials just about any account that gets hijacked is because of user error. Users are the weakest link in the security model, so that's what scammers and hijackers target. Much easier than overcoming actual security.

Also while you can imagine the amount of time that's passed grants you safety, I'm willing to bet your account has either been compromised for a while or you haven't updated your compromised credentials in the interim. Time doesn't magically grant you protection in those cases.



Steam Guard is a layer of security yes, it does make your account more safe. But it's not an invincible shield that lets users be reckless and careless. Many users seem oblivious to that detail and often dredge up those arguments.

Listen we can't tell you exactly when or where you did what. Just that we see these topics frequently and your resistance to the reality of the situation and your arguments from ignorance don't change things in your favor.

This is a terrible response. The whole point of two factor is to prevent someone from getting your account info and being able to log in to it. Even if you give them the email and they get the password, the mobile authentication is supposed to help prevent that, but it doesn't. My friend had that happen to him as well, but doesn't do any third party websites whatsoever. He got no warning of a trade happening and the hacker was able to trade through him in less than an hour and he had no idea. Steam is to blame for this and needs to figure it out before more people get their accounts hacked.
I think you have some misconceptions about what 2FA does and does not protect against. Let's start with what it does protect against:

Poor Password Security: We've all done it at some point, heck, a lot of us still do it. People sometimes use weak passwords, or use the same username and password for multiple places. Password databases get leaked sometimes. While most passwords are stored encrypted, it's not impossible to crack that encryption. A lot of password managers these days will warn you if a password you're using was found in a leaked database because with that username/password combo out there, bots can simply attempt to brute force their way into accounts by trying that username/password combo in various sites. 2FA protects you here because even with that username and password, they don't have enough to get into your account. So even if another site has a security breach and their password database gets leaked and you happen to use that same password on Steam, they won't have the 2FA code they need to get into the account.

Keyloggers: Keyloggers were and to a degree still are a big problem. What they do is they quietly sit on your system and record a log of what you are typing in. The main goal here is to keep an eye out for when you are putting in a username and a password, and send that information somewhere. The problem with Keyloggers is they just don't work against 2FA. Sure, they will have the username and the password, but the 2FA code they need changes frequently, and as I have come to understand, each code is only good for one use (I could be misinformed on this, don't quote me on it). This is a large part of why 2FA exists, a keylogger or other malicious logging program would need to exist on both devices to be any good.

Just Plain Giving Away Your Info: Even giving it to someone you trust is stupid. When I was younger, I was discussing password security with my then-girlfriend. I casually mentioned one which I thought was pretty clever and easy to remember, but didn't mention what I used it for. I thought it wasn't an issue because she was my girlfriend, and I hadn't said where I used the password and never expected her to be the type to try and log into my accounts. A few months later, I would find out that she would take that password and try using it on everything she could think of, and eventually got into one of my email accounts this way. She read my emails and got mad at me for things I had said in private to my father when asking him for advice. Then she denied ever logging into my account, but couldn't really explain how she knew the contents of my emails. 2FA would have been a roadblock she would never have been able to overcome in that situation. Even knowing the password, she would never have been able to get into my account without the code from my phone.



So, that's all great and everything. What does 2FA NOT protect against?


Social Engineering: See also: Giving away your keys. You, the end user, are the weakest link in account security. No amount of account security can protect your account from yourself. 2FA does nothing if you simply give away your username, password, and login code from the mobile authenticator. This is what hijackers tend to target. It's very common for them to present their website as being somehow affiliated with Steam, and offer a way for you to "log in with your Steam account". Some of these sites (such as the common "vote for my esports team" scam sites) just throw up a fake login page 100% of the time, and don't try very hard to hide what they are. They do just enough that someone not paying any attention might not notice. It doesn't matter if most people catch on, they get a few that don't. Most of these sites however rely on a determined userbase to not only advertise for them and spread the scam to others, but depend on their marks to make an active effort to defend them. They do this by simply not targeting a large chunk of their userbase, and offering rewards to people who advertise for them or bring in fresh marks. This is common among CSGO gambling or trading sites. One of their common tricks is to just ask you to send them items and then deny ever receiving them, then blaming Steam for the "error" and encouraging you to go tell Support that your item vanished. Meanwhile, they have your item and are laughing at your gullibility. The other trick they do is when they find someone with a valuable inventory, they spring the trap and attempting to log in with that account instead redirects you to their fake login page, where you input your username, password, and authenticator code. At that point, you've given them full access to your account and they just wait for you to make a trade, cancel it, and redirect your inventory contents to one of their proxy accounts. 
Then you don't pay attention when approving the trade because you're expecting it to be the trade you just initiated, and your inventory is gone the moment you authorize the trade.




2FA is not a magic shield. It is a system designed to protect against things that are out of your control. It can not protect you against yourself.
The Giving One 8 Jul 2021 at 2:15 p.m.
Originally posted by Spuck:
My friend had that happen to him as well, but doesn't do any third party websites whatsoever.
1. How do you know that, because he told you so? We have seen that claimed here before, just before they post "Oh yea, I did log into that one just this once......but that site is legit."
:steamfacepalm:

2. Logging into shady sites and giving away the credentials to the account is just one way this can work, and is the most commonly seen way as you can tell from looking around here in the forums, but it's not the only way.

There is also the "Vote for our team" bait, that adds another layer to these types of account compromises.
Teksura 8 Jul 2021 at 6:08 p.m.
Originally posted by bearhiderug:
Originally posted by Bear Grylls:
I am sorry to say this, but Steam does not give a ♥♥♥♥♥ about their community
only the money the community gives.
anything else they sweep under the rug



Should I keep using this same account even though it got hacked and I changed my password. Or is it safer to make a new one.

some good stuff here
no need for another account. just secure your current one
The fact that almost an entire year later they are still advertising scam sites in their username does not bode well for their account security.