your account is compromised
DO NOT TRADE
If you have access to the account

Steps to take NOW to secure the account:
1. Scan for malware https://www.malwarebytes.com/
2. Deauthorize all other devices https://store.steampowered.com/twofactor/manage
3. Change passwords from a clean computer
4. Generate new backup codes for your Mobile App https://store.steampowered.com/twofactor/manage
5. Revoke the API key https://steamcommunity.com/dev/apikey (there should be nothing in the APIKEY)


Please review how you are logging into Steam, you somehow gave them your log in information. This could of been due to the computer being compromised and redirecting to a fake login, or you using a 3rd party site to login to steam.

The vulnerability you talk about is called the End User.

Browser logins don't show up in the recent logins, so that's not the proof you think it is. Hijackers often sit months on accounts before they take action.

You got phished. Or have malware installed. You can deny it, but that'll only mean it's likely it'll happen again.

Relevant info:

Originally posted by Crazy Tiger:

Phishing is the most likely cause, OP. When people get phished, they give out the account name, password and then active guard code. A bot quickly enters it and hijackers have access then. Ultimately 2FA is "just another code" that can be given away when getting phished. It's not a magical defense layer.

Have you secured your account? If not:
- Scan for malware. https://www.malwarebytes.com/
- Deauthorize all devices https://store.steampowered.com/twofactor/manage
- Change your password on a secure device.
- Generate new back up codes. https://store.steampowered.com/twofactor/manage
- Revoke the api key https://steamcommunity.com/dev/apikey

Find out how you leaked your credentials. Phishing and malware are the two ways it happens, phishing is the most likely one. Either way, find out how you leaked your credentials.

Items are gone, they do not get returned nor will you get money back for them. The item restoration policy: https://support.steampowered.com/kb_article.php?ref=9958-MJDG-3003

Not all items require confirmation. https://steamcommunity.com/groups/community_market/announcements/detail/1705067494681435160

Incredible, rather write a huge-ass wall of text, than admit own mistake. Duuude...

Dude, your God complex doesn't serve you well. Look, we believe that you don't know how & where you ♥♥♥♥♥♥ up. Making mistakes is human!

Pretending you can't make mistakes is moronic though.

It's a lot of mental gymnastics, that's for sure.

Yup, God complex it is.

Originally posted by danechek:

this is some kind of new vulnerability

No it is not, you have no clue what you are talking about it. Steam's end has not been compromised in anyway. The ONLY way accounts are hijacked if by YOU the user leaking your login info.

The use and security of your Steam account are your responsibility.

You have no grounds to file a lawsuit, here is your legally binding contract you signed with Valve.
https://store.steampowered.com/subscriber_agreement

"You are responsible for the confidentiality of your login and password and for the security of your computer system. Valve is not responsible for the use of your password and Account or for all of the communication and activity on Steam that results from use of your login name and password by you, or by any person to whom you may have intentionally or by negligence disclosed your login and/or password in violation of this confidentiality provision."

A lawyer would tell you the same thing.

Mods will just lock and close this thread like every other one.

The only vulnerability sits in front of your screen. You leaked your account information, that's a fact.

Originally posted by danechek:

Originally posted by nullable:

Every user wishes they were the victim of some new l33t h4x0ring rather than just proving to be reckless and careless like a million other users before them.

It's not, I don't care at all. you read yourself smarter than others, since you give obvious useless advice, talking about phishing, about what I knew before you were born, but in my 15 years and my 5 accounts this is the first such case and there has never been anything, except for one opinion of a probable discovery many years ago, when there was no steam guard yet and my account was hacked through the mail, then a person played with cheats and after that I was surprised to see that I now have a game block in csgo. And now the situation is completely different.

Steam was literally attacked in 2015 by Lizard squad who leaked over 500,000 different credit card numbers and replaced all backgrounds with said numbers, if you seriously think this is the first of such a thing happening then you know very little on Steam's cyber security war in the last few years.

Originally posted by danechek:

Originally posted by ReBoot:

Dude, your God complex doesn't serve you well. Look, we believe that you don't know how & where you ♥♥♥♥♥♥ up. Making mistakes is human!

Pretending you can't make mistakes is moronic though.

I don't pretend to be wrong, but don't be so sure you know what I do better than me. Today I reported this case to my friend and he was very surprised, he considered me a security freak. He said that he couldn't believe it because I was always worried that the account might be hacked and did not distribute my account information anywhere, did not log in and bypassed any links, phishing, side. I also regularly change passwords everywhere and generate new backup codes + look at authorized devices. This doesn't just apply to Steam.

My only concern right now is that it might happen again, no matter what. I once again changed the password on my account, mobile number, re-attached the authenticator and I'm not sure that even if I turn off the computer for a year this will not happen. I just want to find out the reasons and make sure my account is safe, I don't care about 100 tlr.

What others consider you is completely irrelevant. Your case is one of thousands, there's threads about it daily. It's ALWAYS about the user getting phished. There is no "security breach" other than you giving out your information.

So... the "bad guys" found a way into Steam and instead of going for Gaben for a massive monetary paycheck they went for your account? Suuure.

Quite frankly, at this point I don't even fully believe that your account actually got compromised anymore. Maybe this is your idea of entertainment?

I come to this conclusion because... instead of asking for help you just throw accusations all around and just dismiss all given solutions. Ignorance is bliss... I mean... "Steam doesn't admit their guilt"? What kind of nonsense is that? I mean, wouldn't the alleged hackers be the real culprits? What the heck did Steam do here?

Even if there was a backdoor your whole attitude simply screams otherwise.

See, would this happen to me I'd be hellbent on getting back at the people who did this to me. I wouldn't be stupid enough to lash out at the only party that could actually help me out with my whole misery. Biting the hand that feeds you anyone?

You seem a wee bit too eager to put the blame on Steam for something that others allegidly did to you. Making me a disbeliever.

Regularly changing passwords is ♥♥♥♥♥♥♥♥ anyway.

Originally posted by danechek:

Originally posted by Crazy Tiger:

Browser logins don't show up in the recent logins, so that's not the proof you think it is. Hijackers often sit months on accounts before they take action.

You got phished. Or have malware installed. You can deny it, but that'll only mean it's likely it'll happen again.

Relevant info:

The answer to you will not differ from the answer to the person above, I know about all this and took all these actions yesterday right away. Phishing could not have happened in any way, I never authorized anywhere, I did not create api keys. No one sends me any spam links because I don't even add anyone as a friend. And I don’t surf the Internet, I always do the same thing at the computer, I don’t download any software from the Internet, I don’t go to any sites. Steam / Gog / Epic Games and all. No sites where I logged in related to steam or even been there in recent years. And I changed my password and backup years literally two weeks ago, since the time has come (I do this regularly). And as you know, when you change your password, authorization on all devices is reset, so the option that someone has been authorized in my Steam for a long time is incorrect. And I myself from time to time, not only in Steam, but in principle in social networks and everywhere, I look through authorized devices to prevent such situations of hacking.

Also about the fact that not all transactions require confirmation - I regularly sell unnecessary cards on the marketplace in order to buy others, any even with a price below 1 tl requires confirmation in the application.

You can stay in denial all you want, it won't change reality.

I just sold a bunch of trading cards, none required confirmation with the mobile authenticator. As per the explanation in my first post.

Piece of advice: Format your OP and add paragraphs. As it is now is barely readable and people won't bother.

Phishing is still most probably the culprit of your account theft. A good phishing site won't even be noticeable, can be disguised like a Steam UGC page where you're suddenly not logged in, not necessarily be a third party login site.

Phishing isn't the kind of stuff only dumb people fall in. It only takes a mistake to fall in it. And we all make mistakes.

Originally posted by ReBoot:

Regularly changing passwords is ♥♥♥♥♥♥♥♥ anyway.

And despite NIST dropping the policy it's still widely used and applied. Old habits die hard.

Originally posted by danechek:

Originally posted by Unn4m3d (♥AUT♥):

What others consider you is completely irrelevant. Your case is one of thousands, there's threads about it daily. It's ALWAYS about the user getting phished. There is no "security breach" other than you giving out your information.

you are not much different from those who work in steam support. But let's imagine the situation, I will now write to you the login and password of my other Steam account, you can log in to it, without confirmation through Steam Guard, 2fa, or reset the authenticator, sell items through the marketplace, and then exit the device, while still and delete the login history, which is basically impossible. If you enter, it's already a record. And there is no record. No entry. There is no action except that the account itself sold the items, as if I did it or it was done from my computer, but I did not do this and it was not done from my computer.

If someone is able to get the authentication file from your desktop, they don't need the 2FA code.