This topic has been locked
kannakamui.de 26 NOV 2024 at 5:55 a.m.
How can people buy/sell on the market from accounts they have no access to?
Hello,

I have now had multiple friends that had this happen to them. One was just an idiot and nuked himself by logging into a phishing site, but a few others did not. At least 3 of them are tech fanatics and log everything that happens on their machines and network, so we could check for anything that happened. And never was there any request from their network.
Their data has never been leaked, they all use 2FA, they all have proper passwords. 2 of the 3 are 100% hikikomori and never leave their living space, so external spoofing/phishing can't happen.
On all systems the device list was clean and only their computer was in the list.
They had no external logins, no mail about a login, no 2fa app confirmations for any sales.

Today another friend of mine called me with a fear struck through their bones. At the time they were sleeping (All devices are turned off at night) at around 3am local time someone bought an item overpriced for their whole steam wallet money. Then sold the item instantly for 2 cents.
So they bought the item from one of their own accounts for too much money to send it to another account.

Now they read those mails only on the way home and instantly called me. I instantly gave them TVQS to check their system. I instantly checked the authorized devices, they were all clean, we killed them nonetheless. We changed the password, we made Steam create a new list of backup codes and sent a Steam ticket.

Now the fun part: AFTER we did this they suddenly got 10 new mails that they would have put 10 items from their inventory into the market place and bought yet another overpriced item and sold it again for 2 cents.
This was while I was connected to the only allowed device. There was nothing running on the system, the system was clear, the devicelist still only had this one single device on it.

How is that possible? I was live connected to see this.

I always thought it's always the fault of those people but seeing it live happen without anything running on the system, all clean.

How?

I really wanna know, because what else can you do to protect yourself from that?
I don't wanna wake up to an inventory... This is really scary
Showing 1-15 of 22 comments
Thermal Lance 26 NOV 2024 at 5:59 a.m.
Their data was leaked. The alternative is simply not plausible.

One would have to GUESS the username only you know.

One would have to GUESS the password only you know.

One would have to GUESS the 2FA code that changes every 30s.

That is simply not possible without the user screwing up.
Nx Machina 26 NOV 2024 at 6:01 a.m.
Accounts are PHISHED because the end user gave away all their account details.

The account name, the password and the KEY to the door, the Steam Guard Mobile code, or scanning the QR code or authorising via fingerprint giving them access to the account.

How? By either logging into a known scam site or sites, tailored malware on your PC, the vote for my team scam, you have a pending ban scam on Discord, free knife click the link, signing in through a fake login window etc.

How does Steam (a program) know it is not you when all the account details are correct? It doesn't, therefore any action taken on your account is seen as you doing said actions.

The alternative is not plausible:

1) Someone would have to "GUESS" your account name from "millions of possible combinations".

2) Next they would have to "GUESS" your password from "millions of possible combinations" and then match it to your account name with "millions of possible combinations".

3) And finally they would have to "GUESS" the Steam Guard Mobile code "which changes every 30 seconds" to match both your account name and password to then have access to your account.


The weakest link is the end user, not the security offered.
Last edited by Nx Machina; 26 NOV 2024 at 6:02 a.m.
kannakamui.de 26 NOV 2024 at 6:16 a.m.
Originally posted by Nx Machina:
Accounts are PHISHED because the end user gave away all their account details.

The account name, the password and the KEY to the door, the Steam Guard Mobile code, or scanning the QR code or authorising via fingerprint giving them access to the account.

How? By either logging into a known scam site or sites, tailored malware on your PC, the vote for my team scam, you have a pending ban scam on Discord, free knife click the link, signing in through a fake login window etc.

How does Steam (a program) know it is not you when all the account details are correct? It doesn't, therefore any action taken on your account is seen as you doing said actions.

The alternative is not plausible:

1) Someone would have to "GUESS" your account name from "millions of possible combinations".

2) Next they would have to "GUESS" your password from "millions of possible combinations" and then match it to your account name with "millions of possible combinations".

3) And finally they would have to "GUESS" the Steam Guard Mobile code "which changes every 30 seconds" to match both your account name and password to then have access to your account.


The weakest link is the end user, not the security offered.
Hello,

thanks for your reply but this does not apply to what I described.
While I agree that 99% of all those problems are simple phishing things I know for a fact that some of the peeps I have seen this happening have nothing phished. Especially if items that are worth 100€ or more have not been touched. The attackers actively chose small items, but in masses.
If they had been phished they had access to do things that require any kind of security action but they did not.
Please don't just spam the standard things and read properly.

For one thing I was live on the ONLY computer the person has that I checked myself for any bad things, vulnerabilities and the selling stuff was AFTER we changed all data, wiping all clients absolutely everything.

Their network was also clean. Netstat did not show anything but the standard connections while this happened.
Phénomènes Mystiques 26 NOV 2024 at 6:25 a.m.
False Steam API - to phish or not to phish is the question but they need to make phishing an international crime punishable up to life imprisonment in Siberia. :csd2smile:
Thermal Lance 26 NOV 2024 at 6:29 a.m.
It's literally the ONLY way somebody other than the owner can access the account in any capacity.

It doesn't matter what you think happened.
kannakamui.de 26 NOV 2024 at 6:32 a.m.
Originally posted by Thermal Lance:
It's literally the ONLY way somebody other than the owner can access the account in any capacity.

It doesn't matter what you think happened.
Then how can this happen while I have a netstat running to check any kind of connection of the device and it did not show anything neither before nor after we de-authed all devices?
If the computer was infected by anything you would have seen the connection in netstat. There is no way you can connect without being seen there.
And since all devices were de-authed, even if the data was known, an old login would have existed or a cookie for web browser would have been stolen it would have been made unusable when de-authing all devices.
Thermal Lance 26 NOV 2024 at 6:42 a.m.
Originally posted by kannakamui.de:
Originally posted by Thermal Lance:
It's literally the ONLY way somebody other than the owner can access the account in any capacity.

It doesn't matter what you think happened.
Then how can this happen while I have a netstat running to check any kind of connection of the device and it did not show anything neither before nor after we de-authed all devices?
If the computer was infected by anything you would have seen the connection in netstat. There is no way you can connect without being seen there.
And since all devices were de-authed, even if the data was known, an old login would have existed or a cookie for web browser would have been stolen it would have been made unusable when de-authing all devices.

Trust me, if the 2FA system Valve uses was to fail, we would know, oh hell yes, we would know.

If you want to go on a wild goose chase over something that is very well understood, be my guest. But my time is too valuable for it. Have a great day.
J4MESOX4D 26 NOV 2024 at 6:47 a.m.
Originally posted by kannakamui.de:
Originally posted by Thermal Lance:
It's literally the ONLY way somebody other than the owner can access the account in any capacity.

It doesn't matter what you think happened.
Then how can this happen while I have a netstat running to check any kind of connection of the device and it did not show anything neither before nor after we de-authed all devices?
If the computer was infected by anything you would have seen the connection in netstat. There is no way you can connect without being seen there.
And since all devices were de-authed, even if the data was known, an old login would have existed or a cookie for web browser would have been stolen it would have been made unusable when de-authing all devices.
Your friends all got phished no matter how much mental gymnastics they go through, or try and pass the buck after acting dumbfounded. Whether they gave away their credentials to a scam site or installed tailored malware unwittingly onto their device, that is the only way someone else can backdoor access a Steam account because 3 credential fields are required to enter and it is a technical impossibility to get into an account without these.

Out of all my friends, ZERO have been compromised so having 'multiple' clearly shows they are irresponsible and should just come clean about their behaviour.
kannakamui.de 26 NOV 2024 at 6:56 a.m.
Originally posted by J4MESOX4D:
Originally posted by kannakamui.de:
Then how can this happen while I have a netstat running to check any kind of connection of the device and it did not show anything neither before nor after we de-authed all devices?
If the computer was infected by anything you would have seen the connection in netstat. There is no way you can connect without being seen there.
And since all devices were de-authed, even if the data was known, an old login would have existed or a cookie for web browser would have been stolen it would have been made unusable when de-authing all devices.
Your friends all got phished no matter how much mental gymnastics they go through, or try and pass the buck after acting dumbfounded. Whether they gave away their credentials to a scam site or installed tailored malware unwittingly onto their device, that is the only way someone else can backdoor access a Steam account because 3 credential fields are required to enter and it is a technical impossibility to get into an account without these.

Out of all my friends, ZERO have been compromised so having 'multiple' clearly shows they are irresponsible and should just come clean about their behaviour.
Yet another evade of my question.

How can this happen AFTER de-authing and changing all details?
There can be no longer a saved session, no longer a new login or anything.
Even >IF< they would have been phished they would need to login which fires the 2FA.

Nothing.

Network Traffic: EMPTY

It would really help if people wouldn't just blindly say "Uhm MY Friends (Which means this applies to the whole world because my friends are impeccable awesome) never have had this". This is not helping in a discussion like this.

I am trying to clearly state that this happened on an account that had a fresh reset of ALL DATA.

New password, reset 2fa, de-authed all devices, everything reset or changed, so no way that jose could use any old data.

At the same time I checked the Network live. It was clean. There was NO connection to anything except the networks that were expected. Steamclient is also clean and unedited.

Please >do read< and don't just throw in the next "uhm phishing"-reply.
I already said that this was also the thing that I always said but on this event I can clearly say a phishing-incident is impossible. Unless you can tell me how someone would access the account we freshly reset with everything changed and de-authed and monitoring the network for every little bit that left or entered the network.

It's straight up not possible in that scenario but yet there have been sales AFTER everything was changed and de-authed.
HikariLight 26 NOV 2024 at 8:00 a.m.
Originally posted by kannakamui.de:
Originally posted by J4MESOX4D:
Your friends all got phished no matter how much mental gymnastics they go through, or try and pass the buck after acting dumbfounded. Whether they gave away their credentials to a scam site or installed tailored malware unwittingly onto their device, that is the only way someone else can backdoor access a Steam account because 3 credential fields are required to enter and it is a technical impossibility to get into an account without these.

Out of all my friends, ZERO have been compromised so having 'multiple' clearly shows they are irresponsible and should just come clean about their behaviour.
Yet another evade of my question.

How can this happen AFTER de-authing and changing all details?
There can be no longer a saved session, no longer a new login or anything.
Even >IF< they would have been phished they would need to login which fires the 2FA.

Nothing.

Network Traffic: EMPTY

It would really help if people wouldn't just blindly say "Uhm MY Friends (Which means this applies to the whole world because my friends are impeccable awesome) never have had this". This is not helping in a discussion like this.

I am trying to clearly state that this happened on an account that had a fresh reset of ALL DATA.

New password, reset 2fa, de-authed all devices, everything reset or changed, so no way that jose could use any old data.

At the same time I checked the Network live. It was clean. There was NO connection to anything except the networks that were expected. Steamclient is also clean and unedited.

Please >do read< and don't just throw in the next "uhm phishing"-reply.
I already said that this was also the thing that I always said but on this event I can clearly say a phishing-incident is impossible. Unless you can tell me how someone would access the account we freshly reset with everything changed and de-authed and monitoring the network for every little bit that left or entered the network.

It's straight up not possible in that scenario but yet there have been sales AFTER everything was changed and de-authed.
The only way someone other than the account owner could still have access after changing everything would be if the owner repeated the EXACT same mistake that caused the account to become compromised in the first place.
kannakamui.de 26 NOV 2024 at 8:17 a.m.
Originally posted by HikariLight:
The only way someone other than the account owner could still have access after changing everything would be if the owner repeated the EXACT same mistake that caused the account to become compromised in the first place.
Absolutely impossible as I was connected and controlling the whole thing. It was, as stated multiple times, shortly after changing everything. They did not have any browser open in the time being, they did not chat in that time, they did not have anything open but Steam (and Windows of course) and Malwarebytes which I had to run a check if the computer was compromised (which it wasn't) and a network logger. Both installers uploaded onto their system by me so we could keep the browser closed. Just to be super sure.

As stated, NOTHING was running, I was monitoring the whole time as I suspected them to have caught anything bad. Because my thinking was the same "Gnah you just dum dum and clicked bad things". But they clearly were not. Especially not in the timeframe of de-authing everything and resetting every possible thing that Steam has to offer and the second wave of accessing their inventory.
Mad Scientist 26 NOV 2024 at 8:24 a.m.
You've received the answers. Once logging into anywhere and authorizing it on your behalf, they don't need any access to your system as it's been given to them, so they can do what they want because a user decided to go for the illegitimate sites promising items / skins / daily or weekly "wins" or are otherwise catered to gambling / trading or "voting for my team" stuff. Once they give their login and authorize, it's inevitable with the random delay.

If it's not the Steam Client, the best practice for security is not giving anything else your Steam Login.
J4MESOX4D 26 NOV 2024 at 8:32 a.m.
Originally posted by kannakamui.de:
Originally posted by J4MESOX4D:
Your friends all got phished no matter how much mental gymnastics they go through, or try and pass the buck after acting dumbfounded. Whether they gave away their credentials to a scam site or installed tailored malware unwittingly onto their device, that is the only way someone else can backdoor access a Steam account because 3 credential fields are required to enter and it is a technical impossibility to get into an account without these.

Out of all my friends, ZERO have been compromised so having 'multiple' clearly shows they are irresponsible and should just come clean about their behaviour.
Yet another evade of my question.

How can this happen AFTER de-authing and changing all details?
There can be no longer a saved session, no longer a new login or anything.
Even >IF< they would have been phished they would need to login which fires the 2FA.

Nothing.

Network Traffic: EMPTY

It would really help if people wouldn't just blindly say "Uhm MY Friends (Which means this applies to the whole world because my friends are impeccable awesome) never have had this". This is not helping in a discussion like this.

I am trying to clearly state that this happened on an account that had a fresh reset of ALL DATA.

New password, reset 2fa, de-authed all devices, everything reset or changed, so no way that jose could use any old data.

At the same time I checked the Network live. It was clean. There was NO connection to anything except the networks that were expected. Steamclient is also clean and unedited.

Please >do read< and don't just throw in the next "uhm phishing"-reply.
I already said that this was also the thing that I always said but on this event I can clearly say a phishing-incident is impossible. Unless you can tell me how someone would access the account we freshly reset with everything changed and de-authed and monitoring the network for every little bit that left or entered the network.

It's straight up not possible in that scenario but yet there have been sales AFTER everything was changed and de-authed.
It's beginning to sound like it's you and not your 'friends'. My guess is your PC is embedded with deep-root malware or your independent device is also compromised. The idea of phishing is to not let the victim know how it happened or why it still happens so in that respect, they've got you good.

What you present means an account cannot be compromised so still somewhere along the lines there is a common leak whether you can identify it or not.
Last edited by J4MESOX4D; 26 NOV 2024 at 8:32 a.m.
Crazy Tiger 26 NOV 2024 at 8:33 a.m.
Everything has already been explained. Not sure why OP is dreaming up impossible fantasies and why people always want to describe themselves as knowledgeable in tech. Is it so they and their friends don't feel "stupid" for accidentally leaking the login credentials and not understanding how things work?

Anyway, if OP wants to remain in fairy land, that's fine. Won't help themselves nor their friends, though.
kannakamui.de 26 NOV 2024 at 9:50 a.m.
Originally posted by J4MESOX4D:
It's beginning to sound like it's you and not your 'friends'. My guess is your PC is embedded with deep-root malware or your independent device is also compromised. The idea of phishing is to not let the victim know how it happened or why it still happens so in that respect, they've got you good.

What you present means an account cannot be compromised so still somewhere along the lines there is a common leak whether you can identify it or not.
My System and account is clear. Never had any of these issues myself.
Since we used TeamViewerQS on their end which I sent them it can not be from a stolen session of TeamViewer or anything alike. On top of that how would my system in the end come up in your idea? If anything would have happened over my system, I would have seen it, as I watched myself. Also this was on the second attack. The first one was while my friend was asleep and the other part while at University.

Originally posted by Crazy Tiger:
Everything has already been explained. Not sure why OP is dreaming up impossible fantasies and why people always want to describe themselves as knowledgeable in tech. Is it so they and their friends don't feel "stupid" for accidentally leaking the login credentials and not understanding how things work?

Anyway, if OP wants to remain in fairy land, that's fine. Won't help themselves nor their friends, though.
Bro, just because you have the same thinking I did until I saw this stuff happening live, doesn't mean it has to be "just like this". Technology is advanced. It's not always only >this one< thing that can happen.

If you still think "Yo bro, your friend got phished" then think so it's fine but just keeping spamming the same line over and over without reading or understanding what I write does not help and only clusters the thread.

And if that pal would have entered their stuff in a phishing site they'd tell me, if you like that idea or not. I am there for my pals, no matter what dumb thing they did and they know they can openly talk about that any time, because if I know exactly what they did I can fix this. This has been a thing for years.

If you still wanna answer at least try to read what I wrote and just pretend for once that I know what I am doing. Not everyone on the internet is a dum dum idiot that doesn't know what they are doing. I know very well what I am doing and that is why I can't grasp what happened because it makes no sense.

I have seen so many viruses, phishings and modified clients of steam, epic, discord that I lost count but there was rarely something I could not fix or at least follow to the root of the problem. If it was phishing it's easy to find out but if you cut off all ends that would make a phishing-victim still attackable it's just clear that this can not be the reason.

And it is sad that almost all answers in this thread are just "Yo bro is phishing" without even TRYING to think of something else.

So please, just for once: Try to think of something else and just pretend I know what I am talking about and I know what I did. Just for this one thread. Thank you.
Date posted: 26 NOV 2024 at 5:55 a.m.
Posts: 22