Steam MFA/2FA can be easily bypassed, my account was stolen
Today my account was stolen in less than 60 seconds.

I had a push notification that someone from Poland or somewhere is trying to login to my account.

In under 60 seconds my Steam Guard Mobile Authenticator has been deactivated without any action of mine. My Phone Number was removed from my account without any action of mine. I didn't receive any e-mail nor SMS request with the new number. And my e-mail + steam iD have been changed without any action of mine. It all happened in less than 60 seconds.

https://imgur.com/gallery/qZMzYRX

Once my Steam Guard App pushed a notification to me, I wanted to change my password immediately, but I wasn't able to, since getting to a PC, booting it up, starting Steam and changing the password takes a lot longer than 60 seconds. Also, a user should be able to change the password via the Steam Guard App. You can't change Your password in the Browser. You can't change it in the Steam App on Your phone. You can change it only via the Windows, Linux or macOS Steam client.

This is really frustrating. I literally didn't stand a chance.

Steam shouldn't allow change of all these items in under 60 seconds.

E.g. when someone from a different IP than Your stable IP, used for months or years, logs into Your account, there should be at least a 24 hour time period to allow a phone number change, like Apple has it. And another 24 hours for an e-mail change. Another 24 hours for a Steam iD change.

Being able to bypass 2FA/MFA, remove phone number, change e-mail, change password, change steam iD and set new ones in under 60 seconds without the owner's agreement is simply unthinkable. Yet it happened.

Already wrote to Steam support from this account. I hope it gets resolved. Had some credit on Steam account and tons of games and mostly saves. This is horrible 😤😡🤬
Last edited by nightstalker; 8 Mar, 10:33
Showing 76-90 of 114 comments
Originally posted by KalCuey:
Originally posted by nightstalker:
I didn't provide it. But I believe that's a given. It literally said it wanted an approval from Peru, not Poland, sorry krowki guys. In the push notification. And as I was about to decline it I was automatically logged out from my Steam Guard App. "You have been logged out something something." And that was that.

To my ESET Endpoint, TotalAV, BitDefender and MalwareBytes knowledge my Android Phone wasn't compromised.
you can argue with us users (that is all you are going to get here, users)

that have seen so many people say the same thing only to remember that ONE time

years ago

that they did/may have logged into some site

anyways

you have been told how it happens

you have been given examples

you are either going to believe it or not

good luck
All I wanted was help and to point out the obvious vulnerabilities and insufficiencies of Valve's/Steam's user protection and security system, that's all. Mainly those non-existing delays in between critical data point changes in a user's account. One shouldn't be able to completely migrate his/her account in under 60 seconds with 2FA/MFA, e-mail, GSM and Steam iD in place. My iD existed for 20+ years and it's gone as of now. Due to a less-than-60-seconds automated process. That is absolutely crazy and unthinkable. I mean even if I wanted to do something like that, what I described, I shouldn't by any possible and thinkable means be able, or allowed to. Even as a rightful owner of the account. It's simply absolute nonsense.

There exists a very good reason why Apple has a 24 - 48 hours delay in changing and/or removing GSM. In changing and/or removing an e-mail address. It's not Apple's caprice or some OCD tick.

What happened to me is exactly the reason. If the attacker had gotten into my account and either removed GSM, and wouldn't be able to do anything else for another 24 hours, no harm done. Or changed an e-mail, no harm done. Or changed Steam iD. Again, no harm done. But bypassing and logging me out of my 2FA/MFA gateway and doing all three in under 60 seconds is absolutely outrageous.
Last edited by nightstalker; 9 Mar, 10:30
Originally posted by nightstalker:
What malware? On my Android Phone?
If you think that Smartphones can't get infected with malware, then I got some sad news for you...
Originally posted by Snivy:
Originally posted by nightstalker:
What malware? On my Android Phone?
If you think that Smartphones can't get infected with malware, then I got some sad news for you...
Did You read the thread? I use paid expensive ESET Endpoint Security. I also installed, scanned and uninstalled TotalAV, BitDefender and MalwareBytes. Zero malicious software detected.

Please, guys, I'm answering and reacting to the same things on 6 pages now. If You want to react, I'll more than welcome it, but please read the thread.
Originally posted by 𝙻𝚘𝚝𝚝𝚎:
The plot thickens ...
Not sure about the plot, but some chicks' thighs could, I like them fit, slightly muscular and thick 😂
Last edited by nightstalker; 9 Mar, 11:59
Originally posted by nightstalker:
Originally posted by Snivy:
If you think that Smartphones can't get infected with malware, then I got some sad news for you...
Did You read the thread? I use paid expensive ESET Endpoint Security. I also installed, scanned and uninstalled TotalAV, BitDefender and MalwareBytes. Zero malicious software detected.

Please, guys, I'm answering and reacting to the same things on 6 pages now. If You want to react, I'll more than welcome it, but please read the thread.
If there is no malware, then the ONLY way someone could have gotten into your account would have been because YOU handed them the keys to the account.

Real hackers are not going to target someone for their valueless Steam account.
Steam accounts get phished because the account owner got careless.
Last edited by HikariLight; 9 Mar, 12:22
Originally posted by HikariLight:
Originally posted by nightstalker:
Did You read the thread? I use paid expensive ESET Endpoint Security. I also installed, scanned and uninstalled TotalAV, BitDefender and MalwareBytes. Zero malicious software detected.

Please, guys, I'm answering and reacting to the same things on 6 pages now. If You want to react, I'll more than welcome it, but please read the thread.
If there is no malware, then the ONLY way someone could have gotten into your account would have been because YOU handed them the keys to the account.

Real hackers are not going to target someone for their valueless Steam account.
Steam accounts get phished because the account owner got careless.
Keys or password to my acc? As I stated before, my credentials could've been stolen, sure thing.

But my concern is why didn't the 2FA/MFA work? Why was it ignored? It popped a request from PE [Peru, not Poland], I looked at it, didn't do any action. I didn't allow, nor cancel the request, and I was logged out of the App. And then the hell started...

It's 2FA/MFAs' purpose of existence. Once I don't give my divine yes, or allow, it won't let You log in. Thus my MFA/2FA had to have been obtained, somehow. Not by human factor, but some other. Since I was there, when it was happening in flagranti/e.
Originally posted by nightstalker:
Originally posted by HikariLight:
If there is no malware, then the ONLY way someone could have gotten into your account would have been because YOU handed them the keys to the account.

Real hackers are not going to target someone for their valueless Steam account.
Steam accounts get phished because the account owner got careless.
Keys or password to my acc? As I stated before, my credentials could've been stolen, sure thing.

But my concern is why didn't the 2FA/MFA work? Why was it ignored? It popped a request from PE [Peru, not Poland], I looked at it, didn't do any action. I didn't allow, nor cancel the request, and I was logged out of the App. And then the hell started...

It's 2FA/MFAs' purpose of existence. Once I don't give my divine yes, or allow, it won't let You log in. Thus my MFA/2FA had to have been obtained, somehow. Not by human factor, but some other. Since I was there, when it was happening in flagranti/e.
If you can't tell whether your credentials were 'stolen' then you cannot state the level of phishing that was accomplished and the methods used. 99% of users in similar situations know exactly how they were compromised at source and then we can measure how it was achieved. 2FA is not foolproof and if your token ID was duped and your phone is also compromised then nothing can save you.

If 2FA worked to your expectations then no Steam accounts or any online account would ever get compromised. Scammers are smarter and they can devise methods and techniques to gain access without the victim realising until it's too late. If you can't determine how this occurred at the start point then you can't really say where things went wrong either.
Originally posted by J4MESOX4D:
Originally posted by nightstalker:
Keys or password to my acc? As I stated before, my credentials could've been stolen, sure thing.

But my concern is why didn't the 2FA/MFA work? Why was it ignored? It popped a request from PE [Peru, not Poland], I looked at it, didn't do any action. I didn't allow, nor cancel the request, and I was logged out of the App. And then the hell started...

It's 2FA/MFAs' purpose of existence. Once I don't give my divine yes, or allow, it won't let You log in. Thus my MFA/2FA had to have been obtained, somehow. Not by human factor, but some other. Since I was there, when it was happening in flagranti/e.
If you can't tell whether your credentials were 'stolen' then you cannot state the level of phishing that was accomplished and the methods used. 99% of users in similar situations know exactly how they were compromised at source and then we can measure how it was achieved. 2FA is not foolproof and if your token ID was duped and your phone is also compromised then nothing can save you.

If 2FA worked to your expectations then no Steam accounts or any online account would ever get compromised. Scammers are smarter and they can devise methods and techniques to gain access without the victim realising until it's too late. If you can't determine how this occurred at the start point then you can't really say where things went wrong either.
Sure, I agree. Though, there are still massive flaws on the side of Valve/Steam user account protection and control nonetheless, as I stated before:
Originally posted by nightstalker:
All I wanted was help and to point out the obvious vulnerabilities and insufficiencies of Valve's/Steam's user protection and security system, that's all. Mainly those non-existing delays in between critical data point changes in a user's account. One shouldn't be able to completely migrate his/her account in under 60 seconds with 2FA/MFA, e-mail, GSM and Steam iD in place. My iD existed for 20+ years and it's gone as of now. Due to a less-than-60-seconds automated process. That is absolutely crazy and unthinkable. I mean even if I wanted to do something like that, what I described, I shouldn't by any possible and thinkable means be able, or allowed to. Even as a rightful owner of the account. It's simply absolute nonsense.

There exists a very good reason why Apple has a 24 - 48 hours delay in changing and/or removing GSM. In changing and/or removing an e-mail address. It's not Apple's caprice or some OCD tick.

What happened to me is exactly the reason. If the attacker had gotten into my account and either removed GSM, and wouldn't be able to do anything else for another 24 hours, no harm done. Or changed an e-mail, no harm done. Or changed Steam iD. Again, no harm done. But bypassing and logging me out of my 2FA/MFA gateway and doing all three in under 60 seconds is absolutely outrageous.
There's not a single excuse for Valve/Steam that a user can do such critical operations within dozens of seconds, while no stop-mechanism pops in and stops the process, that's all. It's blatant ignorance and a relic from the past, when Steam was founded back in 2003, this system. Or maybe it's of a later date, but it's not contemporary nor recent.

Delay between critical data point changes in Your account is an industry standard for at least a decade and a half. It protects both user and a company owning the platform. I bet You a dollar that if Valve/Steam established delay between critical data point changes in user accounts, the statistics wouldn't be as they are:

https://store.steampowered.com/stats/support/

I mean look at those numbers, they're crazy:

Request Category | Submitted Last 24 Hours | Typical Response Times

Refund Requests | 290,710 | 50.28 minutes to 1.51 hours
Account Security & Recovery | 33,881 | 2.43 hours to 1.22 days
Purchase & Billing Support | 13,252 | 2.36 hours to 10.75 hours
Game & Steam Technical Support | 6,597 | 16.49 hours to 1.48 days

Can You imagine the impact if Valve/Steam introduced critical data point changes delays into users accounts? It would save hundreds of man-hours a day...

33k Account Security & Recovery requests a day, God, that's a monstrous number. With delay at critical datapoints in user account security measure it would go down a LOT. And I don't need to be an expert to know it's true.
Last edited by nightstalker; 9 Mar, 13:33
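The cooling-off scheme argued for in the post above, modelled in Python as an added example (not Steam's or Valve's code): a login from an unfamiliar IP opens a 24-hour hold on critical changes, and each applied critical change opens a fresh hold before the next. The 24-hour figure, the four change kinds and the TEST-NET IP addresses are assumptions.

```python
"""Cooling-off policy for critical account changes.

Added illustration, not Steam's or Valve's code. Assumptions: a 24-hour
hold, the four change kinds below, and the TEST-NET IPs in the scenarios.
"""
from dataclasses import dataclass, field

HOLD_SECONDS = 24 * 60 * 60
CRITICAL = {"remove_authenticator", "change_phone", "change_email",
            "change_account_name"}


@dataclass
class Account:
    known_ips: set = field(default_factory=set)
    hold_until: float = 0.0                 # epoch seconds; 0 = no hold
    log: list = field(default_factory=list)

    def login(self, ts: float, ip: str) -> None:
        """A login from an IP never seen on this account opens a hold."""
        if ip not in self.known_ips:
            self.hold_until = max(self.hold_until, ts + HOLD_SECONDS)
            self.log.append((ts, "login_unfamiliar_ip", ip))
        else:
            self.log.append((ts, "login", ip))

    def request_change(self, ts: float, kind: str) -> tuple[bool, float]:
        """Return (applied, earliest_allowed_time).

        Non-critical changes go through at once. A critical change is refused
        while a hold is active, and an applied critical change opens a fresh
        hold so the next one is at least 24 hours away.
        """
        if kind not in CRITICAL:
            self.log.append((ts, "applied", kind))
            return True, ts
        if ts < self.hold_until:
            self.log.append((ts, "held", kind))
            return False, self.hold_until
        self.hold_until = ts + HOLD_SECONDS
        self.log.append((ts, "applied", kind))
        return True, ts


def takeover_scenario() -> list:
    """The 60-second sequence from the thread, coming from an unfamiliar IP."""
    acct = Account(known_ips={"203.0.113.7"})       # constructed home IP
    acct.login(0, "198.51.100.9")                    # constructed foreign IP
    steps = [(5, "remove_authenticator"), (20, "change_phone"),
             (40, "change_email"), (55, "change_account_name")]
    return [acct.request_change(ts, kind) for ts, kind in steps]


def owner_scenario() -> list:
    """The owner, from the known IP, making two changes a day apart."""
    acct = Account(known_ips={"203.0.113.7"})
    acct.login(0, "203.0.113.7")
    return [acct.request_change(10, "change_email"),       # applied
            acct.request_change(3600, "change_phone"),     # held
            acct.request_change(90000, "change_phone")]    # applied


if __name__ == "__main__":
    for applied, when in takeover_scenario():
        print("applied" if applied else f"held until t={when:.0f}s")
```

In the takeover scenario every one of the four changes is held until the 24-hour mark, which is the window the post says the owner never had.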
Imagine if you read the TOS ... big "if" ... I know.

A brief moment of reading could have spared us this public spectacle. A publicly accessible testament of negligence.

For the whole internet to see.

https://store.steampowered.com/subscriber_agreement/


C. Your Account

When you complete Steam’s registration process, you create a Steam account ("Account"). Your Account may also include billing information you provide to Valve for transactions concerning Subscriptions, Content and Services and the purchase of any physical goods through Steam (“Hardware”). You may not reveal, share or otherwise allow others to use your password or Account except as otherwise specifically authorized by Valve. You are responsible for the confidentiality of your login and password and for the security of your computer system. Valve is not responsible for the use of your password and Account or for all of the communication and activity on Steam that results from use of your login name and password by you, or by any person to whom you may have intentionally or by negligence disclosed your login and/or password in violation of this confidentiality provision. Unless it results from Valve’s negligence or fault, Valve is not responsible for the use of your Account by a person who fraudulently used your login and password without your permission. If you believe that the confidentiality of your login and/or password may have been compromised, you must notify Valve via the support form (https://support.steampowered.com/newticket.php) without any delay.

Your Account, including any information pertaining to it (e.g.: contact information, billing information, Account history and Subscriptions, etc.), is strictly personal. You may therefore not sell or charge others for the right to use your Account, or otherwise transfer your Account, nor may you sell, charge others for the right to use, or transfer any Subscriptions other than if and as expressly permitted by this Agreement (including any Subscription Terms or Rules of Use) or as otherwise specifically permitted by Valve.
Last edited by Darkwave Dahlia; 9 Mar, 13:36
Originally posted by 𝙻𝚘𝚝𝚝𝚎:
You must be fun at parties.

To all others, thx for being not very helpful. I managed to recover my account. I'm gonna investigate on how it did happen and I may update this thread, if I receive a relevant answer.
You mean those parties where I play on a beamer with a fully functional, unstolen, unhacked and unhijacked account? Yes. Yes I am.
Originally posted by 𝙻𝚘𝚝𝚝𝚎:
You mean those parties where I play on a beamer with a fully functional, unstolen, unhacked and unhijacked account? Yes. Yes I am.
Beamer? What kind of slang for a projector, or gamer even is that. Jesus, You really aren't from this era, are You now...

And I write that as a really early Millennial...
Last edited by nightstalker; 9 Mar, 18:56
Nightstalker, it is impossible to ignore what people have told you. Period.

No one has ever hacked Steam.
And even if you did, the PASSWORDS are hashed, and finding the accounts connected to them would take the NSA longer than they would want to, and that's the NSA.
Oh and they're not even located on the same server. :P


The odds of someone cracking everything relating to your personal log in information and it not being someone literally phishing you is beyond absurd.

We are talking about odds so great that winning the lottery every single day for a month is octillions of times more likely!

Do you even grasp that scale here?
An Octillion is a huge number!

You cannot keep claiming you weren't phished.
This is the only way it can happen.

There has never been any evidence of any other way.
Last edited by davidb11; 9 Mar, 21:07
Originally posted by davidb11:
And another one who doesn't read what's written. I never said I was hacked, not once. I didn't even try to indicate it. I didn't say my login data wasn't being stolen via some means, or I don't know what.

All I said is that Steam/Valve's user account protection measures are heavily sub-par, they're weak, insufficient, when all You need is a Steam iD and a password to completely change the owner of the account.

MFA/2FA should be unbreachable, but as the boilerplate from Steam support said:

"If your account is still stolen despite binding a Steam authenticator, it means that you seem to have used an unsafe device or logged into an unsafe website, resulting in the theft of token-related files. The hacker logged into the account with the correct token information."

- I think I would remember something like that, not telling the fact that I didn't have MFA/2FA before a few days ago, I used e-mail as a second factor, that means my e-mail would've had to be compromised, which it wasn't since I checked the log for foreign IPs and there were none.

Another boilerplate copy/paste I've received was:

"The other way this might have happened is through malware. We have some tips for removing malware from your computer here. It may be a good idea to contact a local computer security expert if you're having trouble removing this malware. After ensuring that your computer is secure, please update the password to your Steam account, e-mail, and any other accounts you have recently logged into. Additionally, please closely review our Account Security Recommendations."

- Once again, I use ESET Endpoint security on all my devices. And I use it in paranoid mode.

Nonetheless, no matter how the attacker got past the MFA/2FA, it's as I stated at least a dozen times before in this thread. There should be multiple factors that would prevent such a thing from happening. Time-delay factors in place.

Btw. is it popular to read one or two posts and react to a whole thread like a boss? It's getting tiresome.

And as for Your blind faith and religion:

1. 2011 Steam Hack (Biggest Breach)
In November 2011, hackers breached Valve's Steam database and gained access to usernames, hashed passwords, email addresses, purchase histories, and encrypted credit card details.
This was likely the biggest security breach in Steam's history.

2. 2015 Steam Winter Sale Exploit
During the Winter Sale of 2015, Steam suffered a caching issue that exposed random users' account information (including email, phone number, and partial payment details).
It was not a hack, but a server-side issue with caching, meaning people could accidentally see other users' info.

3. 2016 Steam Zero-Day Exploit
A security researcher found a critical vulnerability in Steam's client that could allow attackers to execute malicious code.

4. 2021 Steam Bug Allowed Free Game Activation
In 2021, a bug allowed users to generate and activate any game key for free.
While this wasn't a breach, it showed flaws in Steam's backend security.

Repeat after me. Steam is infallible. Every single user account misappropriation is the users' fault. Steam is unerring. GabeN is The Only Path. Steam user security system is perfect.
Last edited by nightstalker; 9 Mar, 22:48

Date posted: 8 Mar, 6:25
Posts: 114