Your responsibility. Steam accounts get compromised either through phishing or through malware. When you get phished, you give away the login name, password and then active guard code. 2FA isn't the magical shield some people think it is.

The scammers needed 3 details.

They can not ask steam for it.
So they must have gotten them from you or a device you used.

robinson eredeti hozzászólása:

So yes the hacker hacked his way through all the steam "secutiry" features into my account

Highly, highly unlikely. If there was an exploit to gain control of Steam accounts attackers wouldn't spare it with regular user accounts.

You mention you didn't log into third party sites. But phishing links als mimic the Steam login itself. A chat link to an apparently familiar URL (like a trade offer) with a promt to log in Steam also does the trick to get account details from users.

Review your browser history for suspicious domains or URLs similar to the Steamcommunity ones.

Good phisers won't let you even notice you were phished.

robinson eredeti hozzászólása:

I just want to make it clear that all the skins I bought were off the community marketplace ONLY and I have never traded with anyone. I have never logged in steam anywhere else than here (the program Steam) and my phone (Steam "Guard"). So yes the hacker hacked his way through all the steam "secutiry" features into my account and proceeded to sell my skins to himself and then transfer my money to him.

Not possible. Either you allowed your credentials to be phished via a fake login or they were captured with tailored malware on a device your account has used. 3 credentials are required which includes a live auth code to get into any Steam account.

You would be the first person in over 100m users to be 'hacked' otherwise and your account doesn't really stand out as much of a target.

If you can't pinpoint how this occured then at least you know how it happened and it certainly isn't down to a platform vulnerability or hackerZz.

Any 3rd party trading sites are a huge risk of this occurring and sometimes they will sit idle on accounts for even years waiting to strike.

ShelLuser eredeti hozzászólása:

robinson eredeti hozzászólása:

I have never logged in steam anywhere else than here (the program Steam) and my phone (Steam "Guard").

Unfortunately your alias history (= history of names you used before) suggests otherwise: it lists some external websites which doesn't happen out of the blue.

robinson eredeti hozzászólása:

So yes the hacker hacked his way through all the steam "secutiry" features into my account

Very unlikely. No offense but if the "bad guys" would have a way to hack Steam accounts then something tells me they'd be going after accounts which much more games and bigger inventories. Yet that doesn't happen...


Also... scammers are very efficient when it comes to hiding their tracks. I even deem it likely for you to be fully convinced that you logged on Steam while in fact... it wasn't but something that looks very similar to it. This could even have happened last year, and after a period of doing nothing they finally struck.

Thing is, we've seen these things happen over and over again. Several times per week easily, and some people are indeed convinced that it had to be hackers but... it's close to impossible.

And it's important to try and find out how this could have happened because otherwise you may risk that it happens again. Like I asked before: did that URL with the Steam API key show you any entries?

Nope the link just asked me to just create a new one so maybe they covered that up too. And if you are referring to the name "queef. com" its just mockery of the guys with names like CSGO TRADING. com and that so no never been in a 3rd party site or something like that and yes no offence taken I was also sure that they would go for accounts with like way more skins and also pricier skins so I'm just stunned at how poor that hacker was to steal my cheap skins lol.

Crazy Tiger eredeti hozzászólása:

Your responsibility. Steam accounts get compromised either through phishing or through malware. When you get phished, you give away the login name, password and then active guard code. 2FA isn't the magical shield some people think it is.

The thing is I have never given away any of my account details ever thats why I thought it was hacking but right now I really dont care anymore they were cheap skins and nothing I can't replace, it would have been way more serious if they deleted my account. They did change my password but i managed to change it again and logged out of all other devices where i was logged in on as well as changed my email and removed the steam guard app from the account i am lucky i didnt have any credit card attached to my account they could've easily gotten it too.

robinson eredeti hozzászólása:

ShelLuser eredeti hozzászólása:

Unfortunately your alias history (= history of names you used before) suggests otherwise: it lists some external websites which doesn't happen out of the blue.


Very unlikely. No offense but if the "bad guys" would have a way to hack Steam accounts then something tells me they'd be going after accounts which much more games and bigger inventories. Yet that doesn't happen...


Also... scammers are very efficient when it comes to hiding their tracks. I even deem it likely for you to be fully convinced that you logged on Steam while in fact... it wasn't but something that looks very similar to it. This could even have happened last year, and after a period of doing nothing they finally struck.

Thing is, we've seen these things happen over and over again. Several times per week easily, and some people are indeed convinced that it had to be hackers but... it's close to impossible.

And it's important to try and find out how this could have happened because otherwise you may risk that it happens again. Like I asked before: did that URL with the Steam API key show you any entries?

Nope the link just asked me to just create a new one so maybe they covered that up too. And if you are referring to the name "queef. com" its just mockery of the guys with names like CSGO TRADING. com and that so no never been in a 3rd party site or something like that and yes no offence taken I was also sure that they would go for accounts with like way more skins and also pricier skins so I'm just stunned at how poor that hacker was to steal my cheap skins lol.

Uhhh..........

Watch out for Account Hijacking:

NEVER click unknown links from untrusted sources.

https://help.steampowered.com/en/faqs/view/6639-EB3C-EC79-FF60


USE OFFICIAL STEAM WEBSITES
Only enter your password into official Steam websites, such as steampowered.com and steamcommunity.com. These pages will include an Extended Validation SSL certificate, which most up-to-date modern browsers will identify with green text or a green highlight in the address bar with "Valve Corporation [US]" near the address.

https://help.steampowered.com/en/wizard/HelpWithAccountStolen

You logged into a fake Steam website. The hijacker got your login info....your fault.

It IS your responsibility to secure your account, and you AGREED to those terms when you jioined. Just because you only realised now doesn't excuse that.

And you act as if it's aunique thing. It isn't. Banks do it as do ANY service out there.

For example, if you go to your local town and go to a cafe. You draw some money out via the nearby ATM, and then later on find out that ATNM had been compromised and you were skimmed. you WILL get your money back because that was negligent on the bank's end with THEIR security.

However, if you went to that cafe and left your wallet on the table while you were otherwised engaged, and someone took your card and you had also left your PIN number in there. You get robbed, and the bank WILL NOT pay you the money back becuase just like with Steam YOU were negligent.

I'm sorry this is a harsh lesson for you, but that's how the world and law works. You are better off learning it rather than railing against it, because you CANNOT win.

Your name history proves that you give away your information. Smarten up and quit blaming other people for your mistakes

aiusepsi eredeti hozzászólása:

ShelLuser eredeti hozzászólása:

No lock is going to keep you safe if you give away the keys.

This is exactly why the new best-practice for security is to have systems where the user can't give the key away, i.e. where phish-resistance is designed in as a property of the system.

I mean sure that's sort of a nice thing to want but you also have to understand that ultimately there will always be tradeoffs between security and convenience.

The most secure computer is one that isn't connected to anything on an island. But that's not very useful is it? Steam already erects multiple barriers in order to protect users. They've added tons of them over the years. You can only protect users so much from their own greed.

Sounds like you gave your information away. Not a problem with the Steam service.

You were not hacked, you got phished - i.e. input your Steam credentials in a third-party website - or otherwise gave your Steam credentials away to someone else.

Consider your items forever lost. Steam does not return inventory items or wallet funds: https://support.steampowered.com/kb_article.php?ref=3415-WAFH-6433#noreturn

Your account is still at risk if you did not take steps to secure it. Follow the following steps:

1. Scan for malware https://www.malwarebytes.com/
2. Deauthorize all other devices https://store.steampowered.com/twofactor/manage
3. Change passwords from a clean computer
4. Generate new backup codes for your Mobile App https://store.steampowered.com/twofactor/manage
5. Revoke the API key https://steamcommunity.com/dev/apikey - This field should be blank

Do NOT trade until your account is secured.

That's your problem because you used shady 3rd party site which stole your password.

robinson eredeti hozzászólása:

MY responsability or YOUR WEAK security system?!

Your responsibility.

Every single person who was "hacked", "scammed", or "phished" on Steam have one thing in common. They gave the keys to the castle away. In your case it was most likely your use of shady 3rd party trading sites.

Chalupabaras eredeti hozzászólása:

Activision, T-Mobile and Reddit recently announced they were hacked. Microsoft's got a bunch of security issues going on, so does Google and Apple, but they're still within the 90-day investigation period before they have to announce as well.

And having been hacked doesn't actually mean you can then magically log into an account, steal items, and do other things.

It is not 'too easy' to hack accounts. Its much easier to phish users because users are bad at security. And no you cannot hijack accounts just by analytics. I have no idea what you're even talking about with that level of nonsense. That is not how that works.

You're right, Tito, it's the user's responsibility to maintain the security of their accounts. However, Valve isn't exactly known for being an online Fort Knox. It's better than when the SteamChina fiasco came to light, but not good enough if I can wreck your servers by exploiting the CS:Go botnets' own blackhat SEO against the botnets.

Ok so you're just making stuff up then?