Hijacked. Malware or phishing.

Follow steps 1-6 to secure your account:

1. Scan for malware https://www.malwarebytes.com/
2. Check that the email and phone number on the Steam account are still yours.
3. Deauthorize all other devices https://store.steampowered.com/twofactor/manage
4. Change passwords from a trusted/clean device.
5. Generate new backup codes for your Mobile App https://store.steampowered.com/twofactor/manage
6. Revoke the API key https://steamcommunity.com/dev/apikey (there should be nothing in the APIKEY)

Regarding items:
https://help.steampowered.com/faqs/view/3B6E-B322-2400-8D24

ok cheers. i have changed the password, and generated new back up codes and am trying malwarebytes. When i checked the api key thing it just asked me to register one.

all the emails and the like were still mine though they had changed all my privacy settings.

If you use 3rd party sites then you put yourself at risk of phishing and backdoor malware. Most people don't realised they've been compromised until it is too late.

İlk olarak J4MESOX4D tarafından gönderildi:

If you use 3rd party sites then you put yourself at risk of phishing and backdoor malware. Most people don't realised they've been compromised until it is too late.

what do you mean by third party sites? and how does that bypass 2factor?

İlk olarak overtaker40 tarafından gönderildi:

İlk olarak J4MESOX4D tarafından gönderildi:

If you use 3rd party sites then you put yourself at risk of phishing and backdoor malware. Most people don't realised they've been compromised until it is too late.

what do you mean by third party sites? and how does that bypass 2factor?

3rd party sites as in these trading and gambling ones that have a Steam API login but many use techniques to phish credentials. 2FA is just an extra security layer from an independent device - it doesn't magically prevent accounts from ever being hijacked. If you authenticate phishing login or your device becomes compromised then nothing will save your account.

İlk olarak J4MESOX4D tarafından gönderildi:

İlk olarak overtaker40 tarafından gönderildi:

what do you mean by third party sites? and how does that bypass 2factor?

3rd party sites as in these trading and gambling ones that have a Steam API login but many use techniques to phish credentials. 2FA is just an extra security layer from an independent device - it doesn't magically prevent accounts from ever being hijacked. If you authenticate phishing login or your device becomes compromised then nothing will save your account.

Ok thank you. I think the only place I have connected steam to are paradoxes site, gog and creative Assemblies new forums are you suggesting I shouldn't even connect in semi official places like this?

İlk olarak overtaker40 tarafından gönderildi:

İlk olarak J4MESOX4D tarafından gönderildi:

3rd party sites as in these trading and gambling ones that have a Steam API login but many use techniques to phish credentials. 2FA is just an extra security layer from an independent device - it doesn't magically prevent accounts from ever being hijacked. If you authenticate phishing login or your device becomes compromised then nothing will save your account.

Ok thank you. I think the only place I have connected steam to are paradoxes site, gog and creative Assemblies new forums are you suggesting I shouldn't even connect in semi official places like this?

To be on the safer side I wouldn't, although usually the culprits are the various third party trading/gambling sites that Valve doesn't condone yet technically sort of allows to exist.

İlk olarak overtaker40 tarafından gönderildi:

İlk olarak J4MESOX4D tarafından gönderildi:

3rd party sites as in these trading and gambling ones that have a Steam API login but many use techniques to phish credentials. 2FA is just an extra security layer from an independent device - it doesn't magically prevent accounts from ever being hijacked. If you authenticate phishing login or your device becomes compromised then nothing will save your account.

Ok thank you. I think the only place I have connected steam to are paradoxes site, gog and creative Assemblies new forums are you suggesting I shouldn't even connect in semi official places like this?

Those are fine as they are reputable platforms/sites and in some cases required to play certain games. I am referring to these trading/gambling ones primarily. Either you gave away your credentials to a malicious site previous or they were captured with targeting malware previous. If you can't pinpoint what caused it, just ensure you've done the steps provided in #1 to secure your account and device and then you'll be safe to resume going forward with the knowledge of how things like this usually happen.

2FA cannot protect you if you give a faked login interface the code, because the bot behind that phishing interface will sign into Steam on your account, using "save password" and "trust device" to create a session token for the hijacker to use.

As that session token is essentially permanent, the hijacking can happen anytime until the wary user deauthorizes all devices.

Conversely, malware can steal such a session token from your computer as well. The tokens are not HWID bound and therefore reusable.

The only way to prevent this attack, from Valve's side, is to never allow "save password" and "trust device", but then offline mode would have to be removed (the DRM uses this session token for offline authentication as well).

Square Enix for example requires the second factor at all times in FF14 and is therefore immune to a session token attack.

İlk olarak overtaker40 tarafından gönderildi:

İlk olarak J4MESOX4D tarafından gönderildi:

3rd party sites as in these trading and gambling ones that have a Steam API login but many use techniques to phish credentials. 2FA is just an extra security layer from an independent device - it doesn't magically prevent accounts from ever being hijacked. If you authenticate phishing login or your device becomes compromised then nothing will save your account.

Ok thank you. I think the only place I have connected steam to are paradoxes site, gog and creative Assemblies new forums are you suggesting I shouldn't even connect in semi official places like this?

The thing to remember is that such attacks are innocuous. They LOVE to get you to do something by looking nothing much or to catch you off guard.

So it can be links in game chat from a friend (that's not actually your friend), or a site that you ended up wandering to where you may have logged into Steam to look at something (but you didn't actually log in, you gave them your info).

This is how they usually work because you will swear blind you never visted them but you simply forgot or maybe weren't aware even.

The thing to remember is this - NEVER click on any links even from friends and never ever log into Steam except through Steam itself.

Never visit sites that deal with steam inventories, gambling, or dodgy game keys.