Shining Aug 6, 2023 @ 4:49pm
Someone accessed my steam account without my email?
Hello, like the title says, today I woke up and got a bunch of emails that "I sold an item and bought 57 other items to other people with that money". It was like a dollar in total so I'm not mad or anything. I was hacked recently so I've been changing the passwords of everything I've logged in to, I guess I also need to change the passwords of stuff I haven't even logged in to but log in automatically like steam? lol.

Anyway my point is, I will change the steam password (the email is the first thing I changed a while ago) but isn't the whole point of having this annoying verification every time I log in on a new pc supposed to stop this? How was the hacker able to use my steam password without my email? I don't think they had access to my gmail for a second after all the annoying security alerts I got from Google back then. I was trying to make my account more secure adding a phone number...and then I just remembered "why, it's not like the email helped me at all"

And also wondered if I could like report all those steam accounts? I'm sure nothing will happen to them for getting gifted something, but maybe put them on a suspicious list or something? I'm sure steam doesn't have such a thing, asking just in case.

BTW I'm posting this in community since it was a bunch of purchases in Market, please move this to a different category if I was wrong pls

Showing 1-11 of 11 comments
cSg|mc-Hotsauce Aug 6, 2023 @ 4:50pm 
All the steps, in order...

Scan for malware. https://www.malwarebytes.com/

Deauthorize all devices https://store.steampowered.com/twofactor/manage

Change your password on a secure device.

Generate new back up codes. https://store.steampowered.com/twofactor/manage

Revoke the api key (this should be empty) https://steamcommunity.com/dev/apikey

Shining Aug 6, 2023 @ 5:05pm 
I've reset my computer already so no need for malware scanners (I had some trouble with that..stupid scareware). I just deauthorized all devices! thank you for reminding me. Yes I just changed the password on my computer after the reset.

But here's the thing, the api keys are empty, and I don't feel like generating more codes if they aren't working...Like sure, I'm a dumbass, I got hacked, but I don't really see the hacker getting asked a code on my email when he accessed it today. Is that why we get offered the adding phone option? Cause ultimately the email is not enough, they can just find a way through it? Like I'm seriously thinking of deactivating it, cause I just got asked for the verification code 5 times in the last 10 minutes (1 time change password, 2 for logging in store and community links..and why are those 2 different websites, and 2 more after the deauthorization of all devices) and for what? It just won't be enough to protect me from someone stealing all my stuff if they have my password apparently
J4MESOX4D Aug 6, 2023 @ 5:18pm 
You were not hacked - somewhere along the lines you gave away your credentials to a phishing site or you allowed tailored malware onto your device. Hijackers can then stroll in, sell your items for below $1 which doesn't require confirmation to their other accounts through tailored buy orders.

Your Steam account is perfectly safe as long as you don't visit malicious 3rd party sites or install harmful material onto your device.
Kargor Aug 6, 2023 @ 6:00pm 
A password is NOT sufficient to get into an account, unless you have 0 2FA options enabled.

During the login, Steam sends a login key which is then stored by the client -- that key is basically the shortcut into the account: it proves that you've gone through the credentials and 2FA process.

I'm not entirely sure about the conditions that make Steam invalidate such login keys, but there's a good chance that an attacker stealing that key from your box, and maybe some metadata for your box, is all they need to bypass password and 2FA queries.

That's likely where the "scan for malware" comes from. However, I'm not too sure it really helps -- malware stealing Steam login data is rather specialized; anti-malware vendors might not know about them.

There's also the classic web-based attack vector, where they direct you to a site that you *think* is Steam, so they can make you enter all the information they need.

I've even heard about attacks that are so outrageously stupid that nobody would ever suspect they might work. For example, outright asking for all the account data so they can "put something onto your account". Or asking you for a file from your computer (which has the aforementioned login key).
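Added example (not part of the post above and not Steam's code): a toy Python model of the login-key behaviour described there, showing why a password alone fails the code check while a copied token skips it, and why deauthorizing all devices is the step that cuts off a copied token. The class, its method names, the sample password and code, and the choice that a password change leaves tokens valid are assumptions of this model.

```python
import hashlib, hmac, os, secrets

class ToyAuthServer:
    """Toy login service: password + one-time code in, long-lived login token out."""

    def __init__(self, password, otp):
        self._salt = os.urandom(16)
        self._pw = self._kdf(password)
        self._otp = otp        # constructed stand-in for an e-mailed code
        self._tokens = set()   # tokens that skip password and code on later visits

    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password, otp):
        ok = hmac.compare_digest(self._kdf(password), self._pw) and \
             hmac.compare_digest(otp, self._otp)
        if not ok:
            return None
        token = secrets.token_hex(16)
        self._tokens.add(token)
        return token

    def resume(self, token):
        # No password, no code: holding the token is the whole proof.
        return token in self._tokens

    def change_password(self, new_password):
        # Assumption of this model: existing tokens survive a password change.
        self._pw = self._kdf(new_password)

    def deauthorize_all(self):
        self._tokens.clear()

def demo():
    srv = ToyAuthServer("old-password", "483920")   # constructed values
    token = srv.login("old-password", "483920")     # owner logs in on their own PC
    out = {}
    out["password_without_code"] = srv.login("old-password", "000000") is not None
    out["copied_token"] = srv.resume(token)          # same token, presented from elsewhere
    srv.change_password("new-password")
    out["copied_token_after_password_change"] = srv.resume(token)
    srv.deauthorize_all()
    out["copied_token_after_deauthorize"] = srv.resume(token)
    return out

if __name__ == "__main__":
    print(demo())
```

Whether a real service revokes tokens on password change is an implementation choice; the model leaves them valid to show why revoking sessions is listed as its own step.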
Shining Aug 6, 2023 @ 6:30pm 
As to how I got my credentials stolen, that's just my own stupidity (I got a trojan in, and that ♥♥♥♥ installed god knows how many malwares), I'm not questioning Steam being unsecured, I was just confused about the whole verification code thingy. I see, thank you Kargor, that whole key explanation really sells it for me. I'll just be more careful in the future, I've already closed access to all devices thanks to Hotsauce's advice, I guess the password change was enough but surely it doesn't hurt.

As for reporting the steam accounts the small products were sold to, I guess it's pointless, if they divided 1 dollar into 57 products, and different accounts, the hacker clearly knows what they are doing, making this as confusing as possible to track down. I was just curious if I had a way to report it, if not then it's whatever, they clearly live doing this, and fortunately I didn't have credit cards in my steam account and it was just 1 dollar. Thanks again for your replies.
Bankai-Ken Aug 7, 2023 @ 2:23am 
I think you should keep your valuable skins in other special account in your case, do not give your ac to your guys (friends).
Originally posted by Shining:
I don't really see the hacker getting asked a code on my email when he accessed it today.
The hacker used your email too.
You need to secure your email and all associated accounts.
pon
Originally posted by Chalupabaras:
Another trick to help protect your account is to set to toggle the Client settings to "Don't save account credentials on this computer." It prevents anything that gets into your computer while using Steam Client (which happens far too frequently by design) from accessing your account through the Client's kernel-level system modifications.
But that malicious file won't capture your login key strokes?


Originally posted by Chalupabaras:
You may also want to remove your payment information as well, as the Client's intentional lack of privacy protection features allow hackers to access and sell it on the dark web.
The saved payment can be used for purchases on steam. It doesn't hand out the payment details.


Originally posted by Chalupabaras:
And on a final note... stay away from the Free to Play titles. They're less secure than the adult-based Flash game websites that used to be prevalent before Adobe killed the software.
You can not generalize what is safe or not like that.
Boblin the Goblin Aug 8, 2023 @ 12:33am 
Originally posted by Chalupabaras:
Another trick to help protect your account is to set to toggle the Client settings to "Don't save account credentials on this computer." It prevents anything that gets into your computer while using Steam Client (which happens far too frequently by design) from accessing your account through the Client's kernel-level system modifications.

You may also want to remove your payment information as well, as the Client's intentional lack of privacy protection features allow hackers to access and sell it on the dark web.

And on a final note... stay away from the Free to Play titles. They're less secure than the adult-based Flash game websites that used to be prevalent before Adobe killed the software.


Nothing you said is true.
Originally posted by Chalupabaras:
Originally posted by Muppet among Puppets:
But that malicious file won't capture your login key strokes?

The Steam Client's services are provided from a Windows 7 server housed at Microsoft's facilities. According to Sucuri's sitecheck scans, Microsoft is currently compromised by an ongoing webserver php infection that utilizes clickjacking (among other tools). Google, Gmail and YouTube are also currently compromised in a similar fashion.

Long story short, no. Keyloggers (which is what you're referring to) is chump change compared to a legitimate link with a legitimate preview thumbnail that directs you to a legitimate third-party advertiser's website to watch videos about speedruns, news and cats.

The saved payment can be used for purchases on steam. It doesn't hand out the payment details.

Correct. But it's accessible on the Microsoft servers that provide access to Steam Client's services. All you need is enough storage to download a copy of the entire respective databases (think 4chan's "Twitch files" scenario, but for bad intentions).

Oh, and your "Steam Cloud" storage? It's actually your OneDrive account, stored locally on your computer and synched by Microsoft's servers. External cloud storage is a huge security risk primarily because you have no control over who can access it.

You can not generalize what is safe or not like that

It's more of an understatement than a generalization. But also it's like telling the developer "Your game is so awesome, you don't deserve to get paid for it!"
I don't know when I last read such a long text that was that wrong.
My favorite part was where you said that steam services run on a windows 7 server at microsoft.

Date Posted: Aug 6, 2023 @ 4:49pm
Posts: 11