Why not use mobile tokens to protect users' wallets?
I hope that Steam can add a new feature so that every purchase (whether it is a community market purchase or a game purchase) requires the confirmation of a mobile token before it can be completed. Today, without my knowledge, a hacker directly used the balance in my steam wallet to make purchases in the community market. I understand Steam's policy on the community market, but I just hope that this situation will not happen again!
Showing 1-15 of 29 comments
Ettanin Mar 17 @ 4:32am 
Stop logging into shady third party sites and stop installing shady, malware-packed software.

See section 1 C Steam Subscriber Agreement.
Ettanin Mar 17 @ 4:33am 
You exposed your login credentials:
a) Either by logging into a site that faked a Steam login and made a bot log into your account using the save password as well as the trust device feature while injecting a Steam API access into it.
b) Or by installing malware that stole your session data or injected a keylogger.
c) Or by using outdated login information that got exposed in a leak.
d) Or by falling for a Steam Support impersonation scam on Discord or similar platforms.

1. Scan for malware https://www.malwarebytes.com/
2. Check that the email and phone number on the Steam account are still yours.
3. Ensure your email address and/or password aren't contained in any public breaches:
- Email: https://haveibeenpwned.com/
- Password: https://haveibeenpwned.com/Passwords
-- If they are contained in any public breaches ("oh no, pwned!"), change your email account's password from a secure computer before proceeding.
-- If that happens, you may want to secure other accounts than just Steam.
-- Consider using mobile two-factor authentication on your e-mail address if your e-mail provider supports it.
4. Deauthorize all other devices https://store.steampowered.com/twofactor/manage
5. Change passwords from a clean computer
6. Generate new backup codes for your Mobile App https://store.steampowered.com/twofactor/manage
7. Revoke the API key https://steamcommunity.com/dev/apikey (there should be nothing in the APIKEY)
8. Change your trade link: Profile > your inventory > trade offer > Who can send me trade offer > scroll down and make a new trade link.
9. If points were stolen within 14 days, reset your Steam password (not change, RESET using Forgot Password) to cancel pending awards.

Steam Support will not restore stolen items nor stolen wallet funds.
In accordance with Section 1 C of the Steam Subscriber Agreement, you are responsible for all actions on your account, no matter who used the account.
If someone is going to hack you, they would go after your banking info, not your valueless Steam items.
Steam accounts get HIJACKED, not hacked, as the account owner gave away their login info due to using a shady scam site.
Last edited by HikariLight; Mar 17 @ 4:56am
Locutus Mar 17 @ 5:15am 
Originally posted by HikariLight:
If someone is going to hack you, they would go after your banking info, not your valueless Steam items.
Steam accounts get HIJACKED, not hacked, as the account owner gave away their login info due to using a shady scam site.
Ah, right, right, so I didn't emphasize my inventory but my wallet balance, OK? Isn't your statement a victim-blaming theory? Does the information leakage caused by my operation make my loss inevitable? It's just a simple operation, using a mobile token or email to confirm before making a payment, which can reduce the loss. I don't understand why you attribute all this to me.
BJWyler Mar 17 @ 5:19am 
Originally posted by Locutus:
Originally posted by HikariLight:
If someone is going to hack you, they would go after your banking info, not your valueless Steam items.
Steam accounts get HIJACKED, not hacked, as the account owner gave away their login info due to using a shady scam site.
Ah, right, right, so I didn't emphasize my inventory but my wallet balance, OK? Isn't your statement a victim-blaming theory? Does the information leakage caused by my operation make my loss inevitable? It's just a simple operation, using a mobile token or email to confirm before making a payment, which can reduce the loss. I don't understand why you attribute all this to me.
Because it's the same old song and dance given by those who refuse to accept personal responsibility for their own account security. It doesn't matter how many locks you put on a door, the greedy and gullible will either forget to use them, ignore them, or be convinced to unlock them. There is no amount of security that will protect a fool from themselves. It only makes it more onerous for the regular people to use these systems.
Last edited by BJWyler; Mar 17 @ 5:22am
Locutus Mar 17 @ 5:38am 
Originally posted by BJWyler:
Originally posted by Locutus:
Ah, right, right, so I didn't emphasize my inventory but my wallet balance, OK? Isn't your statement a victim-blaming theory? Does the information leakage caused by my operation make my loss inevitable? It's just a simple operation, using a mobile token or email to confirm before making a payment, which can reduce the loss. I don't understand why you attribute all this to me.
Because it's the same old song and dance given by those who refuse to accept personal responsibility for their own account security. It doesn't matter how many locks you put on a door, the greedy and gullible will either forget to use them, ignore them, or be convinced to unlock them. There is no amount of security that will protect a fool from themselves. It only makes it more onerous for the regular people to use these systems.
Honestly, it’s not fair to pin all the blame for account security problems on users, like it’s all their fault for not being careful enough. And calling people ‘greedy’ or ‘gullible’? That’s just lazy and unfair. It totally ignores how sneaky and convincing these online scams can be. Honestly, your take just sounds kind of biased and arrogant, like you’re not even trying to see the whole picture.
Originally posted by Locutus:
Originally posted by BJWyler:
Because it's the same old song and dance given by those who refuse to accept personal responsibility for their own account security. It doesn't matter how many locks you put on a door, the greedy and gullible will either forget to use them, ignore them, or be convinced to unlock them. There is no amount of security that will protect a fool from themselves. It only makes it more onerous for the regular people to use these systems.
Honestly, it’s not fair to pin all the blame for account security problems on users, like it’s all their fault for not being careful enough. And calling people ‘greedy’ or ‘gullible’? That’s just lazy and unfair. It totally ignores how sneaky and convincing these online scams can be. Honestly, your take just sounds kind of biased and arrogant, like you’re not even trying to see the whole picture.
You must understand that people like this see nothing wrong with the scammers' behavior, only the people who fell for it.
If you already got social engineered to give them access to your account do you honestly think ANOTHER layer is going to stop them?

I personally would prefer not to have another hoop to jump through when I can just not give away access to my account
Ettanin Mar 17 @ 7:21am 
A lock is only as secure as the keyholder keeps its key.
DaN Mar 17 @ 7:39am 
I have the same issue... I just found out that my wallet is gone... The history shows they (the hacker) bought and then sold items on the market until the wallet was emptied.
Please Help.. :steamsad:
Purchasing requires an active login. That requires a 2FA token already.
Locutus Mar 17 @ 7:56am 
Originally posted by fluxtorrent:
If you already got social engineered to give them access to your account do you honestly think ANOTHER layer is going to stop them?

I personally would prefer not to have another hoop to jump through when I can just not give away access to my account
I’m not sure how it is where you are, but here, if your credit card information is stolen and someone tries to withdraw money from your account, they need to obtain a verification code sent by the bank to the user's phone. This method is very effective. What I want is just a secondary verification like that, especially since this feature should be able to be turned off, just like the current mobile tokens.
DaN Mar 17 @ 7:58am 
I am... even logging in on PC sometimes requires a re-scan from the phone... or is that the clue that my account had been compromised?
It looks like the last transaction was on 13 Mar 2025.
Now I have logged out of all sessions and changed the password... if this still happens, it must be really not safe.

What happens to my wallet.. 😭
Originally posted by Locutus:
Originally posted by fluxtorrent:
If you already got social engineered to give them access to your account do you honestly think ANOTHER layer is going to stop them?

I personally would prefer not to have another hoop to jump through when I can just not give away access to my account
I’m not sure how it is where you are, but here, if your credit card information is stolen and someone tries to withdraw money from your account, they need to obtain a verification code sent by the bank to the user's phone. This method is very effective. What I want is just a secondary verification like that, especially since this feature should be able to be turned off, just like the current mobile tokens.
Steam is not a bank.
If users cannot do the simple thing of keeping their username, password, and 2FA secure, that is a USER error, not Steam's.
Locutus Mar 17 @ 8:00am 
Originally posted by Ettanin:
A lock is only as secure as the keyholder keeps its key.
Yeah, but locksmiths can also upgrade locks, can't they?

Date Posted: Mar 17 @ 4:11am
Posts: 29