Stop logging into shady third party sites and stop installing shady, malware-packed software.

See section 1 C Steam Subscriber Agreement.

You exposed your login credentials:
a) Either by logging into a site that faked a Steam login and made a bot log into your account using the save password as well as the trust device feature while injecting a Steam API access into it.
b) Or by installing malware that stole your session data or injected a keylogger.
c) Or by using outdated login information that got exposed in a leak.
d) Or by falling for a Steam Support impersonation scam on Discord or similar platforms.

1. Scan for malware https://www.malwarebytes.com/
2. Check that the email and phone number on the Steam account are still yours.
3. Ensure your email address and/or password aren't contained in any public breaches:
- Email: https://haveibeenpwned.com/
- Password: https://haveibeenpwned.com/Passwords
-- If they are contained in any public breaches ("oh no, pwned!"), change your email account's password from a secure computer before proceeding.
-- If that happens, you may want to secure other accounts than just Steam.
-- Consider using mobile two-factor authentication on your e-mail address if your e-mail provider supports it.
4. Deauthorize all other devices https://store.steampowered.com/twofactor/manage
5. Change passwords from a clean computer
6. Generate new backup codes for your Mobile App https://store.steampowered.com/twofactor/manage
7. Revoke the API key https://steamcommunity.com/dev/apikey (there should be nothing in the APIKEY)
8. Change your trade link: Profile > your inventory > trade offer > Who can send me trade offer > scroll down and make a new trade link.
9. If points were stolen within 14 days, reset your Steam password (not change, RESET using Forgot Password) to cancel pending awards.

Steam Support will not restore stolen items nor stolen wallet funds.
In accordance with Section 1 C of the Steam Subscriber Agreement, you are responsible for all actions on your account, no matter who used the account.

If someone is going to hack you, they would go after your banking info, not your valueless Steam items.
Steam accounts get HIGHJACKED, not hacked, as the account owner gave away their login info due to using a shady scam site.

Originally posted by HikariLight:

If someone is going to hack you, they would go after your banking info, not your valueless Steam items.
Steam accounts get HIGHJACKED, not hacked, as the account owner gave away their login info due to using a shady scam site.

Ah, right, right, so I didn't emphasize my inventory but my wallet balance, OK? Isn't your statement a victim-blaming theory? Does the information leakage caused by my operation make my loss inevitable? It's just a simple operation, using a mobile token or email to confirm before making a payment, which can reduce the loss. I don't understand why you attribute all this to me.

Originally posted by Locutus:

Originally posted by HikariLight:

If someone is going to hack you, they would go after your banking info, not your valueless Steam items.
Steam accounts get HIGHJACKED, not hacked, as the account owner gave away their login info due to using a shady scam site.

Ah, right, right, so I didn't emphasize my inventory but my wallet balance, OK? Isn't your statement a victim-blaming theory? Does the information leakage caused by my operation make my loss inevitable? It's just a simple operation, using a mobile token or email to confirm before making a payment, which can reduce the loss. I don't understand why you attribute all this to me.

Because its the same old song and dance given by those who refuse to accept personal responsibility for their own account security. It doesn't matter how many locks you put on a door, the greedy and gullible will either forget to use them, ignore them, or be convinced to unlock them. There is no amount of security that will protect a fool from themselves. It only makes it more onerous for the regular people to use these systems.

Originally posted by BJWyler:

Originally posted by Locutus:

Ah, right, right, so I didn't emphasize my inventory but my wallet balance, OK? Isn't your statement a victim-blaming theory? Does the information leakage caused by my operation make my loss inevitable? It's just a simple operation, using a mobile token or email to confirm before making a payment, which can reduce the loss. I don't understand why you attribute all this to me.

Because its the same old song and dance given by those who refuse to accept personal responsibility for their own account security. It doesn't matter how many locks you put on a door, the greedy and guiilbe will either forget to use them, ignore them, or be convinced to unlock them. There is no amount of security that will protect a fool from themselves. It only makes it more onerous for the regular people to use these systems.

Honestly, it’s not fair to pin all the blame for account security problems on users, like it’s all their fault for not being careful enough. And calling people ‘greedy’ or ‘gullible’? That’s just lazy and unfair. It totally ignores how sneaky and convincing these online scams can be. Honestly, your take just sounds kind of biased and arrogant, like you’re not even trying to see the whole picture.

Originally posted by Locutus:

Originally posted by BJWyler:

Because its the same old song and dance given by those who refuse to accept personal responsibility for their own account security. It doesn't matter how many locks you put on a door, the greedy and guiilbe will either forget to use them, ignore them, or be convinced to unlock them. There is no amount of security that will protect a fool from themselves. It only makes it more onerous for the regular people to use these systems.

Honestly, it’s not fair to pin all the blame for account security problems on users, like it’s all their fault for not being careful enough. And calling people ‘greedy’ or ‘gullible’? That’s just lazy and unfair. It totally ignores how sneaky and convincing these online scams can be. Honestly, your take just sounds kind of biased and arrogant, like you’re not even trying to see the whole picture.

You must understand that people lile this see nothing wrong with the scammers behavior, only the people who fell for it.

If you already got social engineered to give them access to your account do you honestly think ANOTHER layer is going to stop them?

I personally would prefer not to have another hoop to jump through when I can just not give away access to my account

A lock is only as secure as the keyholder keeps its key.

Have same issue.. just found out that my wallet gone.. the history shows they (hacker) bought then sell items on market until wallet emptied..
Please Help..

Purchasing requires an active login. That requires a 2FA token already.

Originally posted by fluxtorrent:

If you already got social engineered to give them access to your account do you honestly think ANOTHER layer is going to stop them?

I personally would prefer not to have another hoop to jump through when I can just not give away access to my account

I’m not sure how it is where you are, but here, if your credit card information is stolen and someone tries to withdraw money from your account, they need to obtain a verification code sent by the bank to the user's phone. This method is very effective. What I want is just a secondary verification like that, especially since this feature should be able to be turned off, just like the current mobile tokens.

I am.. even login on PC sometimes req re scan from phone.. or is it the clue that my account had been compromised..
It's look last transaction on 13 mar 2025.
Now I had been logout all session and changed password.. if this still happen it must be really not safe..

What happens to my wallet.. 😭

Originally posted by Locutus:

Originally posted by fluxtorrent:

If you already got social engineered to give them access to your account do you honestly think ANOTHER layer is going to stop them?

I personally would prefer not to have another hoop to jump through when I can just not give away access to my account

I’m not sure how it is where you are, but here, if your credit card information is stolen and someone tries to withdraw money from your account, they need to obtain a verification code sent by the bank to the user's phone. This method is very effective. What I want is just a secondary verification like that, especially since this feature should be able to be turned off, just like the current mobile tokens.

Steam is not a bank.
If users cannot do the simple thing of keeping their username, password, and 2FA secure, that is a USER error, not Steam's.

Originally posted by Ettanin:

A lock is only as secure as the keyholder keeps its key.

Yeah,but locksmiths can also upgrade locks, can't they?