Phishing is not a new scam type on steam and scams like this happens on a daily basis.

Also, "naming and shaming". Remove the profile link, and probably the screenshot too. Report the account.

I unfortunately have been a victim of this. I logged in on the website, not worrying as I have steam Guard, however whoever this was still managed to send messages to some of my friends with the link, and even deleted them when they knew it wasn't me. It is very worrying since I do have Steam Guard activated

Originally posted by AnthonyvV:

I unfortunately have been a victim of this. I logged in on the website, not worrying as I have steam Guard, however whoever this was still managed to send messages to some of my friends with the link, and even deleted them when they knew it wasn't me. It is very worrying since I do have Steam Guard activated

How is the fact that you have Steam guard enabled related to them sending messages to your friends? Unless you meant to say that they still abused your account.

Yeah, there is a trick which allows hackers to abuse your browser for this, so their logon attempts would appear to come from your location (and thus your current IP address) which kinda defeats the purpose.

The solution to that is to enable 2 factor authentication.

I do have 2 factor authentication enabled.
I viewed my account login history and the person who sent the message to my friends (through my steam account) logged in thousands of kilometers from my location.

Originally posted by AnthonyvV:

I do have 2 factor authentication enabled.
I viewed my account login history and the person who sent the message to my friends (through my steam account) logged in thousands of kilometers from my location.

if the message came from your account, then the account is compromised. did you secure it properly


1. Scan for malware https://www.malwarebytes.com/
2. Deauthorize all other devices https://store.steampowered.com/twofactor/manage
3. Change passwords from a clean computer
4. Generate new backup codes for your Mobile App
5. Revoke the API key https://steamcommunity.com/dev/apikey (there should be nothing in the APIKEY)

if you didnt do everything listed, someone may still have access and/or limited control over the account

Originally posted by AnthonyvV:

I unfortunately have been a victim of this. I logged in on the website, not worrying as I have steam Guard, however whoever this was still managed to send messages to some of my friends with the link, and even deleted them when they knew it wasn't me. It is very worrying since I do have Steam Guard activated

Originally posted by AnthonyvV:

I do have 2 factor authentication enabled.
I viewed my account login history and the person who sent the message to my friends (through my steam account) logged in thousands of kilometers from my location.

Stop sharing your account credentials and your authentification code to a phishing site and things like this won't happen. This is also not a security flaw on steams end or its authentificator, both tools worked as intended.

Originally posted by AnthonyvV:

I do have 2 factor authentication enabled.
I viewed my account login history and the person who sent the message to my friends (through my steam account) logged in thousands of kilometers from my location.

2FA is useless if you give away the auth code and your other credentials to a fake Steam login window.

Steam Guard mobile is just an additional independent security layer so if a user has their password and account name swiped on their PC, the hijackers still require a live phone code. It is not a full proof barrier to entry and if you give it away (which you did) with the other sensitive information, it becomes equally useless.