Steam MFA/2FA can be easily bypassed, my account was stolen
Today my account was stolen in less than 60 seconds.

I had a push notification that someone from Poland or somewhere is trying to login to my account.

In under 60 seconds my Steam Guard Mobile Authenticator was deactivated without any action of mine. My phone number was removed from my account without any action of mine. I didn't receive any e-mail nor SMS request with a new number. And my e-mail + Steam ID were changed without any action of mine. It all happened in less than 60 seconds.

https://imgur.com/gallery/qZMzYRX

Once my Steam Guard App pushed a notification to me, I wanted to change my password immediately, but I wasn't able to, since getting to a PC, booting it up, starting Steam and changing the password takes a lot longer than 60 seconds. Also, a user should be able to change the password via the Steam Guard App. You can't change your password in the browser. You can't change it in the Steam App on your phone. You can change it only via the Windows, Linux or macOS Steam client.

This is really frustrating. I literally didn't stand a chance.

Steam shouldn't allow change of all these items in under 60 seconds.

E.g. when someone logs in to your account from a different IP than your stable IP that has been used for months or years, there should be at least a 24 hour time period before a phone number change is allowed, like Apple has it. And another 24 hours for an e-mail change. Another 24 hours for a Steam ID change.

Being able to bypass 2FA/MFA, remove the phone number, change the e-mail, change the password, change the Steam ID and set new ones in under 60 seconds without the owner's agreement is simply unthinkable. Yet it happened.

Already wrote to Steam support from this account. I hope it gets resolved. Had some credit on Steam account and tons of games and mostly saves. This is horrible 😤😡🤬
Last edited by nightstalker; Mar 8 @ 10:33am
Showing 1-15 of 114 comments
ReBoot Mar 8 @ 6:30am 
Nothing was breached, you gave away enough info to log into your account. No amount of MFA can prevent that from happening.
Originally posted by ReBoot:
Nothing was breached, you gave away enough info to log into your account. No amount of MFA can prevent that from happening.
I didn't allow nor confirm 2FA/MFA. I didn't allow nor confirm my e-mail change. I didn't allow nor confirm my phone change. All the attacker had was my brute forced password. How exactly did I give away enough information? I'm confused. Please do elaborate.

What's the point of 2FA/MFA when it's being completely ignored? What's the point of phone number and e-mail, when they can be changed without confirmation of users prior e-mail and phone number?

I'm sorry my friend, but you make 0 sense. These factors are in place in order to protect your account. They're not there just because. They didn't serve their purpose.

My point being, once your password is brute forced out from your account these protection factors won't help. That's not how it's supposed to be. They're there literally to help protect your account, nothing else. When someone has your login and password, MFA/2FA is supposed to stop them. Otherwise what's the point of MFA/2FA?!
Last edited by nightstalker; Mar 8 @ 6:39am
Ettanin Mar 8 @ 6:38am 
You entered your credentials on a fraudulent site that impersonated the login mask and forwarded requests and responses in the login workflow or installed malware.

Accounts do not get "hacked". A data breach would result in MUCH more valuable digital gold to abuse than your meek account.

There is no other way:
One does not simply
guess your username out of millions of possibilities
AND guess your password out of millions of possibilities
AND guess your E-Mail or App code out of millions of possibilities which also change over time
ALL at the same time.
Last edited by Ettanin; Mar 8 @ 6:40am
ReBoot Mar 8 @ 6:39am 
Originally posted by nightstalker:
Originally posted by ReBoot:
Nothing was breached, you gave away enough info to log into your account. No amount of MFA can prevent that from happening.
I didn't allow nor confirm 2FA/MFA. I didn't allow nor confirm my e-mail change. I didn't allow nor confirm my phone change. All the attacker had was my brute forced password. How exactly did I give away enough information? I'm confused. Please do elaborate.

What's the point of 2FA/MFA when it's being completely ignored? What's the point of phone number and e-mail, when they can be changed without confirmation of users prior e-mail and phone number?
Nobody brute-forced your password! More likely, you've fallen for the good old phishing. Mistakes happen, to the best of us.

Now I suggest you learn from your mistake and read up on phishing.
Ettanin Mar 8 @ 6:42am 
Originally posted by nightstalker:
Okay, let's say my account credentials were phished. Why didn't the MFA/2FA help? What's the point of this factor of protection, when it didn't help?
Because of saved password. You likely gave a bot the current code in the login mask and caused the bot to create a session token for the hacker to use later.
Last edited by Ettanin; Mar 8 @ 6:43am
Originally posted by Ettanin:
You entered your credentials on a fraudulent site that impersonated the login mask and forwarded requests and responses in the login workflow or installed malware.

Accounts do not get "hacked". A data breach would result in MUCH more valuable digital gold to abuse than your meek account.

There is no other way:
One does not simply
guess your username out of millions of possibilities
AND guess your password out of millions of possibilities
AND guess your E-Mail or App code out of millions of possibilities which also change over time
ALL at the same time.
Okay, let's say my account credentials were phished. Why didn't the MFA/2FA help? What's the point of this factor of protection, when it didn't help at all?

I didn't approve of the login in my Steam App. After a short while I was logged out from it. What's the purpose of the Steam Guard, then?
Ettanin Mar 8 @ 6:44am 
Originally posted by nightstalker:
Originally posted by Ettanin:
You entered your credentials on a fraudulent site that impersonated the login mask and forwarded requests and responses in the login workflow or installed malware.

Accounts do not get "hacked". A data breach would result in MUCH more valuable digital gold to abuse than your meek account.

There is no other way:
One does not simply
guess your username out of millions of possibilities
AND guess your password out of millions of possibilities
AND guess your E-Mail or App code out of millions of possibilities which also change over time
ALL at the same time.
Okay, let's say my account credentials were phished. Why didn't the MFA/2FA help? What's the point of this factor of protection, when it didn't help at all?

I didn't approve of the login in my Steam App. After a short while I was logged out from it. What's the purpose of the Steam Guard, then?
Then it must be malware that stole your local session token. Never save your password nor remember the device if you want to be absolutely safe.
Last edited by Ettanin; Mar 8 @ 6:45am
Originally posted by Ettanin:
Originally posted by nightstalker:
Okay, let's say my account credentials were phished. Why didn't the MFA/2FA help? What's the point of this factor of protection, when it didn't help?
Because of saved password. You likely gave a bot the current code in the login mask and caused the bot to create a session token for the hacker to use later.
I literally didn't do anything. I just looked at the screen of my phone in the Steam App Authenticator and suddenly I was logged out. It happened in under 60 seconds.

Once again. One shouldn't be able to bypass 2FA/MFA. One shouldn't be able to change the e-mail in under 60 seconds from other geo-IP locations than the ones the last logins were made from. One shouldn't be able to remove the phone number without SMS or some other way of confirming that I'm actually doing it, and also not in under 60 seconds.
Ettanin Mar 8 @ 6:48am 
Originally posted by nightstalker:
Originally posted by Ettanin:
Because of saved password. You likely gave a bot the current code in the login mask and caused the bot to create a session token for the hacker to use later.
I literally didn't do anything. I just looked at the screen of my phone in the Steam App Authenticator and suddenly I was logged out. It happened in under 60 seconds.

Once again. One shouldn't be able to bypass 2FA/MFA. One shouldn't be able to change the e-mail in under 60 seconds from other geo-IP locations than the ones the last logins were made from. One shouldn't be able to remove the phone number without SMS or some other way of confirming that I'm actually doing it, and also not in under 60 seconds.
It can be bypassed if you choose to let Valve "Remember" you. By stealing the session token file. That file is NOT HWID bound.

Don't install shady software and if you do, never use auto login.
Last edited by Ettanin; Mar 8 @ 6:49am
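The two controls argued over in this thread can be written down as a small policy check: nightstalker's 24-hour hold on recovery-factor changes after a login from an IP the account has never used, and the step-up rule that follows from Ettanin's point that a session restored from a stored "remember me" token has shown no fresh second factor. This is an added example, not Steam's code or anything posted in the thread; the action names, timings, addresses and the exact step-up rule are assumptions, and the replayed scenario uses constructed data.

```python
"""Toy model of two account-hardening controls (added example, not Steam's code):
1. step-up authentication: a session created from a stored "remember me" token
   may browse, but every sensitive change needs a second factor shown recently;
2. cooling-off period: after the first login from an IP the account has never
   used, changes to recovery factors (e-mail, phone, authenticator) wait 24 h.
All constants, names and flows below are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MFA_FRESHNESS = timedelta(minutes=5)     # assumed: how recent the second factor must be
NEW_IP_COOLDOWN = timedelta(hours=24)    # assumed, following the 24 h proposed in the thread
RECOVERY_FACTOR_CHANGES = {"change_email", "change_phone", "remove_authenticator"}
SENSITIVE_ACTIONS = RECOVERY_FACTOR_CHANGES | {"change_password"}


@dataclass
class Account:
    name: str
    known_ips: set
    first_new_ip_login: Optional[datetime] = None   # set when an unknown IP first logs in


@dataclass
class Session:
    ip: str
    remembered: bool                      # True: restored from a stored token, no fresh 2FA
    last_mfa_at: Optional[datetime] = None


def login(acct: Account, ip: str, now: datetime, remembered: bool, mfa_passed: bool) -> Session:
    """Create a session. A stored token skips the second factor (the behaviour
    described in the thread); an interactive login with a code records it."""
    if ip not in acct.known_ips and acct.first_new_ip_login is None:
        acct.first_new_ip_login = now     # start the cooling-off clock
    return Session(ip=ip, remembered=remembered, last_mfa_at=now if mfa_passed else None)


def authorize(acct: Account, sess: Session, action: str, now: datetime) -> str:
    """Return 'allowed' or a short denial reason the caller can log and alert on."""
    if action not in SENSITIVE_ACTIONS:
        return "allowed"
    # Control 1: a remembered session has shown no second factor; demand one now.
    fresh = sess.last_mfa_at is not None and now - sess.last_mfa_at <= MFA_FRESHNESS
    if not fresh:
        return "denied: fresh second factor required"
    # Control 2: recovery-factor changes wait out the cooldown after an unknown-IP login.
    if action in RECOVERY_FACTOR_CHANGES and acct.first_new_ip_login is not None:
        remaining = NEW_IP_COOLDOWN - (now - acct.first_new_ip_login)
        if remaining > timedelta(0):
            return f"denied: recovery change on hold for {remaining}"
    return "allowed"


def simulate_stolen_token() -> dict:
    """Replay of the thread's scenario under these controls: a stolen remembered
    token used from an IP the account never used (constructed data, RFC 5737 addresses)."""
    t0 = datetime(2024, 3, 8, 6, 25, tzinfo=timezone.utc)
    acct = Account(name="victim", known_ips={"203.0.113.10"})
    sess = login(acct, ip="198.51.100.7", now=t0, remembered=True, mfa_passed=False)
    actions = ["remove_authenticator", "change_phone", "change_email", "change_password"]
    return {a: authorize(acct, sess, a, t0 + timedelta(seconds=10 * i)) for i, a in enumerate(actions)}


def simulate_owner() -> dict:
    """The legitimate owner from a known IP with a fresh second factor: the cooldown
    only bites after an unknown-IP login and lifts once 24 h have passed."""
    t0 = datetime(2024, 3, 8, 6, 25, tzinfo=timezone.utc)
    acct = Account(name="victim", known_ips={"203.0.113.10"})
    sess = login(acct, ip="203.0.113.10", now=t0, remembered=False, mfa_passed=True)
    before = authorize(acct, sess, "change_email", t0)
    # An unknown IP logs in 30 minutes later (e.g. with a stolen token) and starts the clock.
    login(acct, ip="198.51.100.7", now=t0 + timedelta(minutes=30), remembered=True, mfa_passed=False)
    sess.last_mfa_at = t0 + timedelta(hours=1)          # owner re-authenticates with a code
    during = authorize(acct, sess, "change_email", t0 + timedelta(hours=1))
    sess.last_mfa_at = t0 + timedelta(hours=25)         # and again after the hold has expired
    after = authorize(acct, sess, "change_email", t0 + timedelta(hours=25))
    return {"before": before, "during_cooldown": during, "after_cooldown": after}


if __name__ == "__main__":
    for action, verdict in simulate_stolen_token().items():
        print(f"attacker {action:<21} -> {verdict}")
    for stage, verdict in simulate_owner().items():
        print(f"owner    {stage:<21} -> {verdict}")
```

In the replayed scenario every one of the four changes the OP observed is refused, because the stolen token buys a session but not the fresh second factor the step-up rule demands; the cooldown is the backstop for the case where a one-time code was phished as well, and it delays only recovery-factor changes, so the owner's password change is never held up.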
Originally posted by Ettanin:
Originally posted by nightstalker:
Okay, I let's say my account credentials were phished. Why didn't the MFA/2FA help? What's the point of this factor of protection, when it didn't help at all?

I didn't approve of the login in my Steam App. After a short while I was logged out from it. What's the purpose of the Steam Guard?l than?
Then it must be malware that stole your local session token. Never save your password nor remember the device if you want to be absolutely safe.
What malware? On my Android phone? I have a 2FA/MFA authenticator on my Android phone. Had. Till I was logged out, in under 60 seconds since the time of the first login from a new country and IP request. How can malware spoof my SMS? None came. Never. You shouldn't be able to remove a phone number without prior confirmation of a 2FA token from SMS. That's the whole purpose of my GSM number in the Steam account. There is no other, literally. My e-mail shouldn't have the possibility of change without my prior clicking on a link and confirming this. I never did any of these actions, not a single one.
Last edited by nightstalker; Mar 8 @ 6:51am
Ettanin Mar 8 @ 6:50am 
Originally posted by nightstalker:
Originally posted by Ettanin:
Then it must be malware that stole your local session token. Never save your password nor remember the device if you want to be absolutely safe.
What malware? On my Android phone? I have a 2FA/MFA authenticator on my Android phone. Had. Till I was logged out, in under 60 seconds since the time of the first login from a new country and IP request. How can malware spoof my SMS? None came. You shouldn't be able to remove a phone number without prior confirmation of a 2FA token from SMS. That's the whole purpose of my GSM number in the Steam account. There is no other, literally. My e-mail shouldn't have the possibility of change without my prior clicking on a link and confirming this. I never did any of these actions, not a single one.
Malware on your PC. The "remember me" function stores a session token that lets you login without 2FA.
Originally posted by Ettanin:
Originally posted by nightstalker:
What malware? On my Android phone? I have a 2FA/MFA authenticator on my Android phone. Had. Till I was logged out, in under 60 seconds since the time of the first login from a new country and IP request. How can malware spoof my SMS? None came. You shouldn't be able to remove a phone number without prior confirmation of a 2FA token from SMS. That's the whole purpose of my GSM number in the Steam account. There is no other, literally. My e-mail shouldn't have the possibility of change without my prior clicking on a link and confirming this. I never did any of these actions, not a single one.
Malware on your PC. The "remember me" function stores a session token that lets you login without 2FA.
I don't log in via browser, via the Steam App only. On computer. When I log out from the Steam App and log in again, it asks me for the MFA/2FA token. I mean not anymore, obviously. But before today it did.
Last edited by nightstalker; Mar 8 @ 6:53am
Ettanin Mar 8 @ 6:52am 
Originally posted by nightstalker:
Originally posted by Ettanin:
Malware on your PC. The "remember me" function stores a session token that lets you login without 2FA.
I don't log in via browser, via the Steam App only.
And that's how it happened. Malware stole that file from your Steam installation.
Last edited by Ettanin; Mar 8 @ 6:53am
Originally posted by Ettanin:
Originally posted by nightstalker:
I don't log in via browser, via the Steam App only.
And that's how it happened. Malware stole that file from your Steam installation.
I use Eset Endpoint security and no cracked games on my PC. How? Where did I get malware from?
Ettanin Mar 8 @ 6:56am 
Originally posted by nightstalker:
Originally posted by Ettanin:
And that's how it happened. Malware stole that file from your Steam installation.
I use Eset Endpoint security and no cracked games on my PC. How? Where did I get malware from?
Zero day or lesser known malware. Antivirus software can't detect 100% of all malware.

Date Posted: Mar 8 @ 6:25am
Posts: 114