JurrijnP Oct 16, 2017 @ 12:06pm
Steam account hacked even though I have 2FA
I was playing Rocket League and I knew I was being scammed. I had to log in, BUT of course I checked what information Steam would give to that website. It did specifically say it would send a code instead of my login credentials, so I trusted it. The next thing I see is my Steam go offline because somebody logged in somewhere else (explain to me how that was done without 2FA), then my credentials got changed and I got NO email from Steam that they were changed. Then somebody was added to my friend list (through code as well, I did not add them) and well, you can guess the result: everything in Rocket League has been stolen.

That I was scammed is my own fault. But can somebody explain how in the world somebody can hack my account without any email or notification?

I have the accounts but I haven't reported them yet because getting hacked this way isn't an option for reporting.
Last edited by JurrijnP; Oct 16, 2017 @ 12:14pm
Satoru Oct 16, 2017 @ 12:19pm 
2FA cannot prevent phishing attacks as you then give the attacker all your credentials and the one time code
JurrijnP Oct 16, 2017 @ 12:20pm 
Originally posted by Satoru:
2FA cannot prevent phishing attacks as you then give the attacker all your credentials and the one time code
Still, I should have gotten an email that my credentials were changed, shouldn't I?
ELF EYES Oct 16, 2017 @ 12:29pm 
Report the violation to Steam and let them know what happened; we, the community, cannot do anything for you.
Last edited by ELF EYES; Oct 16, 2017 @ 12:30pm
Satoru Oct 16, 2017 @ 12:37pm 
It's not possible for someone to steal the items because even if you foolishly gave them everything and they take over the account, doing any of that triggers an immediate 7 day cooldown of all trading.
JurrijnP Oct 16, 2017 @ 12:38pm 
Originally posted by Satoru:
It's not possible for someone to steal the items because even if you foolishly gave them everything and they take over the account, doing any of that triggers an immediate 7 day cooldown of all trading.
Rocket League trading is in-game
Satoru Oct 16, 2017 @ 12:42pm 
Then that's easy.

1) You give me your account + password + 2FA
2) I can now log into your account on Steam
3) Immediately log in
4) This immediately kicks you out of your session
5) I launch Rocket League
6) I trade your items away in game

Note this doesn't require me to change anything on your end. I don't need to change the password, email, phone # etc. Since apparently all I have to do is log in to Rocket League once I have your username/password + 2FA, I can obliterate your inventory in the 5 minutes it takes to log in and trade to my alt. At no point do I need to change your credentials because it's unnecessary for the goal.
JurrijnP Oct 16, 2017 @ 12:43pm 
Originally posted by Satoru:
Then that's easy.

1) You give me your account + password + 2FA
2) I can now log into your account on Steam
3) Immediately log in
4) This immediately kicks you out of your session
5) I launch Rocket League
6) I trade your items away in game

Note this doesn't require me to change anything on your end. I don't need to change the password, email, phone # etc. Since apparently all I have to do is log in to Rocket League once I have your username/password + 2FA, I can obliterate your inventory in the 5 minutes it takes to log in and trade to my alt. At no point do I need to change your credentials because it's unnecessary for the goal.
My steam client said they were changed, so can you explain that?
Satoru Oct 16, 2017 @ 12:46pm 
Note that changing the password isn't necessary for the scam to work. They probably just used your existing 2FA token to change it.

Regardless, they don't need to change the password to do the scam. Once you gave them your password and 2FA you were screwed. I can add a friend, launch RL and trade items within the time it takes you to figure out what the hell happened.
Last edited by Satoru; Oct 16, 2017 @ 12:46pm
JurrijnP Oct 16, 2017 @ 12:49pm 
Originally posted by Satoru:
Note that changing the password isn't necessary for the scam to work. They probably just used your existing 2FA token to change it.

Regardless, they don't need to change the password to do the scam. Once you gave them your password and 2FA you were screwed. I can add a friend, launch RL and trade items within the time it takes you to figure out what the hell happened.
Regardless of any of this, in my opinion this text should be changed: "a unique numeric identifier will be shared with the site, rather than your Steam login credentials." because this text makes it look like Steam doesn't give your credentials but instead does. That's another discussion though.
Last edited by JurrijnP; Oct 16, 2017 @ 12:49pm
wuddih Oct 16, 2017 @ 1:07pm 
You entered your stuff on a fake site, including a Steam Guard code. Steam does not give out your credentials if you use their OpenID system. It is just that you didn't use that; you used a replication/fake of it, and that would have been prevented if you had read the address bar.
JurrijnP Oct 16, 2017 @ 1:08pm 
Originally posted by wuddih:
You entered your stuff on a fake site, including a Steam Guard code. Steam does not give out your credentials if you use their OpenID system. It is just that you didn't use that; you used a replication/fake of it, and that would have been prevented if you had read the address bar.
My 2FA got triggered on my phone
Tito Shivan Oct 16, 2017 @ 1:19pm 
Originally posted by JurrijnP:
Originally posted by wuddih:
You entered your stuff on a fake site, including a Steam Guard code. Steam does not give out your credentials if you use their OpenID system. It is just that you didn't use that; you used a replication/fake of it, and that would have been prevented if you had read the address bar.
My 2FA got triggered on my phone
Because the moment you introduced your credentials on the fake site it automatically logged in with your data. That triggers the 2FA push notification.
Last edited by Tito Shivan; Oct 16, 2017 @ 1:20pm
Satoru Oct 16, 2017 @ 1:26pm 
Originally posted by JurrijnP:
Originally posted by wuddih:
You entered your stuff on a fake site, including a Steam Guard code. Steam does not give out your credentials if you use their OpenID system. It is just that you didn't use that; you used a replication/fake of it, and that would have been prevented if you had read the address bar.
My 2FA got triggered on my phone

Which I can do by my phishing site taking your credentials and triggering the 2FA on it, then my fake site 'pretends' to trigger the 2FA window as well. You input the 2FA code, which passes it to my actual login, and presto, I've logged in.

2FA is not designed to protect against phishing attacks.
Last edited by Satoru; Oct 16, 2017 @ 1:28pm
Darren Oct 16, 2017 @ 5:23pm 
Originally posted by JurrijnP:
Originally posted by Satoru:
Note that changing the password isn't necessary for the scam to work. They probably just used your existing 2FA token to change it.

Regardless, they don't need to change the password to do the scam. Once you gave them your password and 2FA you were screwed. I can add a friend, launch RL and trade items within the time it takes you to figure out what the hell happened.
Regardless of any of this, in my opinion this text should be changed: "a unique numeric identifier will be shared with the site, rather than your Steam login credentials." because this text makes it look like Steam doesn't give your credentials but instead does. That's another discussion though.

Note this basically means they just send your SteamID64 to the site. It does not mean "you" should send them your 2FA code. You will never be prompted to enter that except to login to Steam.

Also note if you are logged into Steam there is no need to login again via a website (you get a button to say that you are logged in correctly from the cookie information Steam already has). Likely the website merely pretended to be a Steam login page.
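As an added illustration (not part of this thread), a small Python model of the relay Satoru describes and of the address-bar point wuddih and Darren make: a one-time code typed into a look-alike page is accepted by the genuine verifier because nothing in the code records where the user typed it, whereas a second factor that signs the origin the browser is actually talking to fails when relayed. The secret, hostnames and timestamp are constructed, and the origin-bound factor is a simplified HMAC stand-in for the WebAuthn idea, not the real protocol.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared between the user's authenticator and the site.
SECRET = b"constructed-demo-secret"
STEP = 30  # seconds per one-time-code window

def totp(secret: bytes, now: int) -> str:
    """6-digit RFC 6238 code for the window containing `now` (HMAC-SHA1 over the counter)."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

def origin_assertion(secret: bytes, origin: str, now: int) -> str:
    """Origin-bound second factor: the client signs the host it is actually talking to."""
    return hmac.new(secret, f"{origin}|{now // STEP}".encode(), hashlib.sha256).hexdigest()

class RealSite:
    """In-memory stand-in for the genuine login endpoint (hostname is a constructed label)."""
    ORIGIN = "real-login.example"

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def login_with_code(self, code: str, now: int) -> bool:
        # The code carries no information about where the user typed it.
        return hmac.compare_digest(code, totp(self.secret, now))

    def login_with_assertion(self, assertion: str, now: int) -> bool:
        # Only an assertion signed over the genuine origin verifies.
        return hmac.compare_digest(assertion, origin_assertion(self.secret, self.ORIGIN, now))

FAKE_ORIGIN = "fake-login.example"  # constructed: the look-alike host in the user's address bar

def relay_otp(site: RealSite, now: int) -> bool:
    """User reads the code off the phone, types it into the fake page, which forwards it."""
    typed_by_user = totp(SECRET, now)
    return site.login_with_code(typed_by_user, now)

def relay_origin_bound(site: RealSite, now: int) -> bool:
    """Same relay, but the user's device signed the fake origin it saw; the real site rejects it."""
    signed_on_fake_page = origin_assertion(SECRET, FAKE_ORIGIN, now)
    return site.login_with_assertion(signed_on_fake_page, now)

def legit_origin_bound(site: RealSite, now: int) -> bool:
    """Control case: the same device on the genuine page verifies normally."""
    return site.login_with_assertion(origin_assertion(SECRET, site.ORIGIN, now), now)
```

The relayed code succeeds as long as it is forwarded inside the 30-second window, which is exactly the case the thread describes; the origin-bound path fails without any user vigilance.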
Date Posted: Oct 16, 2017 @ 12:06pm
Posts: 14