Because they get hijacked NOT hacked. They are literally giving strangers everything they need to login to their account. Thats their username, password and a LIVE Steam Guard code.

From Steams side it looks like the user is the one doing that stuff. It is NOT hard to fake a hijacking. You could fake a hijacking, do something whilst being compensated via paypal or something else and then claim a hijacker did that stuff expacting compensation.

If you give a stranger you house keys and tell them your address you house insurance won't compensate if that stranger enters you home and steals your stuff because you did not keep your home secure.

If Steam provide another 999999999999999999999999999999999999999999999 layers of security hijackers would request all that data and the same user would hand it over.

There are more than enough warnings about this. It's up to users to actually look, educate themselves and follow some basic internet safety methods. Like not using dodgy phishing websites.

If they insist on using third party sites do it the safe way

1. Open Web browser
2. Login on Steams Official page
3. Visit Third party site
4. Look for and use the one click login button
5. If 4 doesn't work and you're asked for you username, password and Guard code your on a phishing site. LEAVE and DO NOT use again.

Edit: If not phishing they are using a compromised device, entire possible if keeps happening to your friend. Suggest you have them do ALL of these

Scan for Malware/virus https://www.malwarebytes.com/mwb-download/
Deauthorize all devices https://store.steampowered.com/twofactor/manage
Change your Account password on a secure device, mobile phone for example.
Generate new back up codes https://store.steampowered.com/twofactor/manage
Revoke the API key https://steamcommunity.com/dev/apikey

Originally posted by Supafly:

Because they get hijacked NOT hacked. They are literally giving strangers everything they need to login to their account. Thats their username, password and a LIVE Steam Guard code.

From Steams side it looks like the user is the one doing that stuff. It is NOT hard to fake a hijacking. You could fake a hijacking, do something whilst being compensated via paypal or something else and then claim a hijacker did that stuff expacting compensation.

If you give a stranger you house keys and tell them your address you house insurance won't compensate if that stranger enters you home and steals your stuff because you did not keep your home secure.

If Steam provide another 999999999999999999999999999999999999999999999 layers of security hijackers would request all that data and the same user would hand it over.

There are more than enough warnings about this. It's up to users to actually look, educate themselves and follow some basic internet safety methods. Like not using dodgy phishing websites.

If they insist on using third party sites do it the safe way

1. Open Web browser
2. Login on Steams Official page
3. Visit Third party site
4. Look for and use the one click login button
5. If 4 doesn't work and you're asked for you username, password and Guard code your on a phishing site. LEAVE and DO NOT use again.

Edit: If not phishing they are using a compromised device, entire possible if keeps happening to your friend. Suggest you have them do ALL of these

Scan for Malware/virus https://www.malwarebytes.com/mwb-download/
Deauthorize all devices https://store.steampowered.com/twofactor/manage
Change your Account password on a secure device, mobile phone for example.
Generate new back up codes https://store.steampowered.com/twofactor/manage
Revoke the API key https://steamcommunity.com/dev/apikey

I see you COMPLETELY didn't bother reading that i said THEY DON'T USE THIRD PARTY SITES NOR DO MOST OF THESE PEOPLE. Yet all I'm CONSTANTLY SEEING are people losing their money for little to no reason and you people just say "LOL GET GOOD" like? in what way does that help an obvious security issue thats being COMPLETELY IGNORED?

Originally posted by Cat Pondering At Yarn (mogging):

Hijacked is the term im seeing after looking up this common issue. For some reason one way o another people keep getting hacked and their steam wallet used to buy goods? And steam does nothing about it.

Steam is doing a lot -- the entire 2FA system is there to help people with keeping their accounts safe.

They just can't prevent people from being... dumb. Because, instead of giving up, account thieves have adapted their approaches and stories.

Other than login in to 3rd party trading site (note that this doesn't have to be something done recent, they save your data for years and hide logged into your account for months before clearing it out)

Some other scam can be anything such as:

* Vote for my team
* Free gift card
* I accidentally reported you
* Clicking links from friends messages (who have also been compromised)

There are so many ways to get your give away your info...

https://steamcommunity.com/sharedfiles/filedetails/?id=2569847731
https://steamcommunity.com/sharedfiles/filedetails/?id=2926756889
https://steamcommunity.com/sharedfiles/filedetails/?id=784477482

If you friend has been hijacked 3 times, he's obviously doing something wrong. Either he failed to correctly secure his account and pc the first time round or he just keep repeating the same mistakes over again and compromising his account details.

Originally posted by Cat Pondering At Yarn (mogging):

I see you COMPLETELY didn't bother reading that i said THEY DON'T USE THIRD PARTY SITES NOR DO MOST OF THESE PEOPLE. Yet all I'm CONSTANTLY SEEING are people losing their money for little to no reason and you people just say "LOL GET GOOD" like? in what way does that help an obvious security issue thats being COMPLETELY IGNORED?

The computer is infected
or the details leaked by the user doing it.

There is no other way how it could happen 3 times to your friend. At least initially. The more than 1 times could be, because the hijacker wasnt locked out of the account fully.
So tell your friend to do the steps to secure the account. But first make sure the computer is secure.

Never log into links or buttons.

Hijacked, not hacked.

It's like if you are fooled into giving the keys to your house to a robber, it's not the police's fault when you are robbed.

Every Steam user has all the tools they need to stay secure. Some of us have been here daily for over 2 decades and never once had an incident. The best lock in the world won't help you if you give away the keys.

It's a careful balancing act of ease of use and security. Too easy to use and security suffers. Too much security and ease of use suffers. I think Steam strikes a nice balance, but you'll still have those who fall off one edge or the other. You can see just as many examples of people here complaining about Steam's security measures as you'll find people complaining that they were 'hacked'.

Valve can't protect people from themselves short of putting a Valve employee in the home of every Steam user to smack them upside the back of the head every time they go to do something stupid. Since this will never happen, knowledge is your best defense. You (or your friend) should learn how these scams work so they recognize an attempt when they see it.

Originally posted by Cat Pondering At Yarn (mogging):

Hijacked is the term im seeing after looking up this common issue. For some reason one way o another people keep getting hacked and their steam wallet used to buy goods? And steam does nothing about it.

Some of you claim its "their fault for using a third party login" but i constantly see people saying they don't do that nor even engage in steam trading. This issue has happened to my close friend three times now and steam does nothing at all.

30 bucks once, 40 bucks, 50 bucks has been stolen from them and steam just sits there acting like its not their problem? What exactly can we do about this?

Steam can't make your friend secure their account properly. That's all your friend needs to do. Three times wasn't enough for him to take security seriously? I mean I get how ego gets in the way sometimes but that kinda of stubborness I can't fathom.

At any rate you can believe what you want. Here's what I know. I've seen plenty of people they don't use 3rd party trading sites, and then a dozen posts later, they mention "except for skinsite-x", which they decided didn't count because they're convinced it's legit. Users and their ego saving stories need to be taken with a grain of salt... they can't be blindly trusted.

Either way, lots of ways users screw up and leak credentials and reuse passwords and then expect someone else to fix it, anything so they don't have to accept responsibility.

And I get it. It would be nice if Steam took care of it all instead of having to learn about a dry boring subject... but the reality is neglecting some boring subjects relating to necessary skills has consequences.

Originally posted by Cat Pondering At Yarn (mogging):

Originally posted by Supafly:

Because they get hijacked NOT hacked. They are literally giving strangers everything they need to login to their account. Thats their username, password and a LIVE Steam Guard code.

From Steams side it looks like the user is the one doing that stuff. It is NOT hard to fake a hijacking. You could fake a hijacking, do something whilst being compensated via paypal or something else and then claim a hijacker did that stuff expacting compensation.

If you give a stranger you house keys and tell them your address you house insurance won't compensate if that stranger enters you home and steals your stuff because you did not keep your home secure.

If Steam provide another 999999999999999999999999999999999999999999999 layers of security hijackers would request all that data and the same user would hand it over.

There are more than enough warnings about this. It's up to users to actually look, educate themselves and follow some basic internet safety methods. Like not using dodgy phishing websites.

If they insist on using third party sites do it the safe way

1. Open Web browser
2. Login on Steams Official page
3. Visit Third party site
4. Look for and use the one click login button
5. If 4 doesn't work and you're asked for you username, password and Guard code your on a phishing site. LEAVE and DO NOT use again.

Edit: If not phishing they are using a compromised device, entire possible if keeps happening to your friend. Suggest you have them do ALL of these

Scan for Malware/virus https://www.malwarebytes.com/mwb-download/
Deauthorize all devices https://store.steampowered.com/twofactor/manage
Change your Account password on a secure device, mobile phone for example.
Generate new back up codes https://store.steampowered.com/twofactor/manage
Revoke the API key https://steamcommunity.com/dev/apikey

I see you COMPLETELY didn't bother reading that i said THEY DON'T USE THIRD PARTY SITES NOR DO MOST OF THESE PEOPLE. Yet all I'm CONSTANTLY SEEING are people losing their money for little to no reason and you people just say "LOL GET GOOD" like? in what way does that help an obvious security issue thats being COMPLETELY IGNORED?

And I see you didn't read ALL of my post.Specifically

Originally posted by Supafly:

Edit: If not phishing they are using a compromised device, entire possible if keeps happening to your friend. Suggest you have them do ALL of these

Scan for Malware/virus https://www.malwarebytes.com/mwb-download/
Deauthorize all devices https://store.steampowered.com/twofactor/manage
Change your Account password on a secure device, mobile phone for example.
Generate new back up codes https://store.steampowered.com/twofactor/manage
Revoke the API key https://steamcommunity.com/dev/apikey

Originally posted by Cat Pondering At Yarn (mogging):

I see you COMPLETELY didn't bother reading that i said THEY DON'T USE THIRD PARTY SITES NOR DO MOST OF THESE PEOPLE. Yet all I'm CONSTANTLY SEEING are people losing their money for little to no reason and you people just say "LOL GET GOOD" like? in what way does that help an obvious security issue thats being COMPLETELY IGNORED?

As others have said, the pc is infected. It is impossible without leaking your data to get into your account. It is ALWAYS the users fault.