Addressing Known Security Vulnerabilities and Providing Better Support for Compromised Accounts
Hello Steam Community and Valve Development Team,

I am writing to raise awareness and seek improvement on a significant issue affecting Steam users: account security and support for compromised accounts.

Recently, my account was compromised due to a known vulnerability involving the Steam Guard .SSFN file. Despite following all recommended security measures, unauthorized transactions occurred, leading to financial loss. When I reached out to Steam Support, I was informed that they could not reverse these fraudulent transactions due to their policies, despite the breach being due to a known security gap.

Here are my suggestions to address this issue:

1. Resolve Known Security Vulnerabilities: Steam should prioritize fixing vulnerabilities like the compromise of the Steam Guard .SSFN file to prevent unauthorized access to user accounts.

2. Proactive Monitoring and Notification: Implement more robust monitoring of suspicious activities and notify users immediately if such activities are detected. This can prevent unauthorized transactions from occurring.

3. Comprehensive Support for Compromised Accounts: Steam Support should have the ability to reverse unauthorized transactions and provide refunds in cases where accounts are compromised due to platform security gaps. Users should not bear the financial burden of security failures.

4. Enhanced Security Measures: Introduce additional layers of security, such as mandatory two-factor authentication for high-value transactions, to protect user accounts from being compromised.

5. Improved Communication and Transparency: Ensure transparent communication with users regarding security incidents and steps being taken to address vulnerabilities.

I hope the Valve development team will consider these suggestions seriously to enhance the security of the Steam platform and support users who fall victim to such security breaches. Thank you for your attention to this matter.

Best regards.
Showing 1-15 of 26 comments
Satoru Jun 23, 2024 @ 7:47am 
the ssfn is not a 'security vulnerability'

This is like complaining you left the keys to your car in a restaurant, so car keys are a vulnerability.

You did not 'follow all security measures'.

Not to mention they didn't even steal your ssfn in the first place. You got phished. That's how they got your account. Your greed made you log into a phishing website.
Tito Shivan Jun 23, 2024 @ 8:05am 
Originally posted by TheOriginalOne:
Recently, my account was compromised due to a known vulnerability involving the Steam Guard .SSFN file.
So an attacker got local machine access into your computer... You're basically on Hiroshima's ground zero of security incidents.

1. The SSFN file won't make a difference if the attacker is into your local machine, which was the case. The attacker can do as much as you can in that scenario.

2. What suspicious activity if they originate from your own machine?

3. They tried. It didn't work out. Some people abused it, some didn't ever learn from their mistakes because 'Steam would get their stuff back' anyway.

4. As far as I remember, marketplace transactions do require 2FA for anything besides trading cards.

5. Which isn't the case here.
76561199559798421 Jun 23, 2024 @ 8:06am 
API key needs to be deauthorized every 14 days to ensure account security for millions of steam accounts.
Tito Shivan Jun 23, 2024 @ 8:16am 
Originally posted by Everyone is Invited:
API key needs to be deauthorized every 14 days to ensure account security for millions of steam accounts.
No one is using a +14 days old API key to steal items from Steam accounts.
76561199559798421 Jun 23, 2024 @ 8:21am 
They are using like 6 month old API keys to access accounts, people that are foolishly using trade sites then getting phished. Simply deauthorizing API keys frequently would save a lot of people headaches.

But yeah, if Steam did that the whole theft ring would shut down, I am sure you are aware.
Tito Shivan Jun 23, 2024 @ 8:25am 
Originally posted by Everyone is Invited:
they are using like 6 month old api keys to access accounts
Absolute lie since the API key cannot be used to access an account.
It pays off to know what you're talking about.

Or feel free to point me where I'm wrong in the Steam API reference:
https://partner.steamgames.com/doc/webapi
Start_Running Jun 23, 2024 @ 8:26am 
Valve has done as much as it can.
At some point OP, you, me, and everyone else have to take RESPONSIBILITY for our own account security.

Which is why the MAJORITY of steam users never get their accounts compromised.

It's just the silly ones who do silly things.
Crashed Jun 23, 2024 @ 8:40am 
Doesn't the Steam client, at least on Windows, no longer use a .ssfn file and instead have the saved credentials encrypted in the Windows user account Credential Manager?

If you still have any .ssfn files in your Steam folder try deleting them.
Last edited by Crashed; Jun 23, 2024 @ 8:41am
Ben Lubar Jun 23, 2024 @ 9:42am 
Raymond Chen's "wrong side of an air-tight hatchway" metaphor comes to mind.
Crazy Tiger Jun 23, 2024 @ 9:54am 
It would be better if people addressed the way they handle their account security on their own end. Because *that* is where the problem is.

All these bandaids people suggest don't fix that problem.
Ben Lubar Jun 23, 2024 @ 9:59am 
Originally posted by Tito Shivan:
Originally posted by Everyone is Invited:
API key needs to be deauthorized every 14 days to ensure account security for millions of steam accounts.
No one is using a +14 days old API key to steal items from Steam accounts.
Killing an API key every 14 days sounds like a great way to ensure nobody ever wants to use your API.
Slav Mcgopnik Jun 23, 2024 @ 10:09am 
Originally posted by Everyone is Invited:
They are using like 6 month old API keys to access accounts, people that are foolishly using trade sites then getting phished. Simply deauthorizing API keys frequently would save a lot of people headaches.

But yeah, if Steam did that the whole theft ring would shut down, I am sure you are aware.
API keys simply enable one step of the process to steal items, the end user still has to authorize all trades.
businees man Jun 23, 2024 @ 11:53am 
:D
Spawn of Totoro Jun 23, 2024 @ 12:15pm 
If you know of a hack or exploit, you can actually get paid by Valve for information on it.

https://hackerone.com/valve

Valve already takes measures against vulnerabilities, but there are some out there that no company can compensate for.
Supafly Jun 23, 2024 @ 12:55pm 
Originally posted by Ben Lubar:
Originally posted by Tito Shivan:
No one is using a +14 days old API key to steal items from Steam accounts.
Killing an API key every 14 days sounds like a great way to ensure nobody ever wants to use your API.
That security sounds like the "you need to change your password every x weeks/months" BS. But let's follow that train of thought... What can happen in the 13 days until you kill it on the 14th? The only way killing it benefits you is if you kill it every 1ms, because the moment it's created it's a risk and needs killing.

Date Posted: Jun 23, 2024 @ 7:38am
Posts: 26