You exposed your login credentials:
a) Either by logging into a site that faked a Steam login and made a bot log into your account using the save password as well as the trust device feature while injecting a Steam API access into it.
b) Or by installing malware that stole your session data or injected a keylogger.
c) Or by using outdated login information that got exposed in a leak.

1. Scan for malware https://www.malwarebytes.com/
2. Check that the email and phone number on the Steam account are still yours.
3. Ensure your email address and/or password aren't contained in any public breaches:
- Email: https://haveibeenpwned.com/
- Password: https://haveibeenpwned.com/Passwords
-- If they are contained in any public breaches ("oh no, pwned!"), change your email account's password from a secure computer before proceeding.
-- If that happens, you may want to secure other accounts than just Steam.
4. Deauthorize all other devices https://store.steampowered.com/twofactor/manage
5. Change passwords from a clean computer
6. Generate new backup codes for your Mobile App https://store.steampowered.com/twofactor/manage
7. Revoke the API key https://steamcommunity.com/dev/apikey (there should be nothing in the APIKEY)
8. Change your trade link: Profile > your inventory > trade offer > Who can send me trade offer > scroll down and make a new trade link.
9. If points were stolen within 14 days, reset your Steam password (not change, RESET using Forgot Password) to cancel pending awards.
10. Once you have done all of the above steps, edit your profile to get rid of the fake message planted by the scammer (if it exists).

Be aware that Steam Support will not restore stolen items nor stolen wallet funds.
In accordance with Section 1 C of the Steam Subscriber Agreement, you are responsible for all actions on your account, no matter who used the account.

Valve employees will never communicate with you about your account using any chat system including Steam Chat and Discord. There's no situation in which you'd need to reach out to a Valve or Steam employee directly to resolve an issue.

The ONLY way you can contact Steam support and through which you will receive official answers is through https://help.steampowered.com and no other way.

If you don't have access to the account anymore, follow this guide:

https://steamcommunity.com/sharedfiles/filedetails/?id=1126288560

Originally posted by Ettanin:

If you don't have access to the account anymore, follow this guide:

https://steamcommunity.com/sharedfiles/filedetails/?id=1126288560

I have full access to the account and it is secure. However, I want help regarding the damage caused by the person who stole my account.

Originally posted by Ettanin:

You exposed your login credentials:
a) Either by logging into a site that faked a Steam login and made a bot log into your account using the save password as well as the trust device feature while injecting a Steam API access into it.
b) Or by installing malware that stole your session data or injected a keylogger.
c) Or by using outdated login information that got exposed in a leak.

1. Scan for malware https://www.malwarebytes.com/
2. Check that the email and phone number on the Steam account are still yours.
3. Ensure your email address and/or password aren't contained in any public breaches:
- Email: https://haveibeenpwned.com/
- Password: https://haveibeenpwned.com/Passwords
-- If they are contained in any public breaches ("oh no, pwned!"), change your email account's password from a secure computer before proceeding.
-- If that happens, you may want to secure other accounts than just Steam.
4. Deauthorize all other devices https://store.steampowered.com/twofactor/manage
5. Change passwords from a clean computer
6. Generate new backup codes for your Mobile App https://store.steampowered.com/twofactor/manage
7. Revoke the API key https://steamcommunity.com/dev/apikey (there should be nothing in the APIKEY)
8. Change your trade link: Profile > your inventory > trade offer > Who can send me trade offer > scroll down and make a new trade link.
9. If points were stolen within 14 days, reset your Steam password (not change, RESET using Forgot Password) to cancel pending awards.
10. Once you have done all of the above steps, edit your profile to get rid of the fake message planted by the scammer (if it exists).

Be aware that Steam Support will not restore stolen items nor stolen wallet funds.
In accordance with Section 1 C of the Steam Subscriber Agreement, you are responsible for all actions on your account, no matter who used the account.

Valve employees will never communicate with you about your account using any chat system including Steam Chat and Discord. There's no situation in which you'd need to reach out to a Valve or Steam employee directly to resolve an issue.

The ONLY way you can contact Steam support and through which you will receive official answers is through https://help.steampowered.com and no other way.

I have done most of the steps here. The account is under my control now, but I'm wondering how they managed to log into my account despite Steam Guard. A foreign website appears in 3rd party website logins, but I have nothing to do with that site. There is no malware on the computer, and there is no problem with my e-mail.

steam guard is not a magic shield that makes the account immune to being compromised/stolen. it is just an extra layer of protection, nothing more.

you somehow gave away the log in, figure out how you did that.
all 3rd party sites are USE AT OWN RISK.

trading sites, gambling sites, vote for my team, $50 gift card scam, etc. are common ways people give up their log in.

Scammers often trick people using methods like.

- Fake trading/gambling sites.
- Free stuff promotion.
- Vote for my team / can you do me a fav.
- You won a prize / I gifted you something.
- Impersonate as admin/support.
- I accidentally reported you / you have pending ban.
- Try my demo, or whatever.

All of it relates to trying get you to login on their scam site, there two ways they make it look legit.

1. They do discord spoof hyperlink you can google this as can make a command to hide real link, and redirect you to scam site that looks exactly like steam.

2. They use script tunnel page where it pop up a fake small browser tab inside your browser that display real Steam url, but the login session is given to them as you're doing it via their server.

2FA is only a tool to help deter people from trying to brute force into your account, that it. If you hand over the information + code then they get access that simple.

same case here got all my stuff sold and the asshalt bought DOTA stuff for over price I only got two effing confirmations on steam guard and my stuff got sold anyway this is bull crap