In actuality, a Steam account has no worth as it can neither be purchased nor sold — as per the SSA.

This, however, does not stop hijackers from selling accounts on external sites.

You may have other commodities that are either tradable or marketable within your Steam account - and this is mainly what hijackers target.

Some hijacking methods, such as phishing, target every Steam user.

A hijacker can make gains by doing the following:

• Transferring your entire inventory to their account: I.e - through trading.

• Using your existing Steam funds to make purchases on your account; this may include gift copies of games and other tradable / marketable commodities which are then sent to their account.

• If your account has no restrictions, the hijacker is able to idle existing games with card drops, then transfer those items to their account, via trading.

• Using your account for other malicious intentions. This is self-explanatory and quite frankly, they do not care about the penalties of doing so, as the hijacked account becomes nugatory after your inventory has been drained.

• They may use the account to send messages to users that you had on friends lists.These messages are usually links to phishing pages.

• They may attempt to sell your account on third-party sites. Note that this is not a transaction which is supported or allowed as per the SSA.

You may have noticed, that trading and marketing has been mentioned multiple times and this is EXACTLY why trading / marketing restrictions exist on Steam!

Shocker, isn't it?

To prevent this, you have to secure your account and have a fair amount of common sense.

This guide will provide ample instructions on how to do so.

Phishing

Accounts on Steam are mainly hijacked due to phishing.

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details, often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.

A prime example of this is sites that offer free items such as skins; or clones of third-party sites that appear with Google Ad word.

These sites will direct you to input your account information into their login page.

Here is an example

This site doesn't implement OpenID and allows a fake embedded Steam login to pop up

In other cases, it's fake gambling sites or third-party sites that claim to offer free items, such as skins.

Keep in mind, just because a site is using HTTPS - that does not mean it is legitimate.

Some sites will also use the free SSL from Cloudflare and will have the padlock and secure protocol appearing.

Again, this does NOT mean that the site is legitimate.

There are two things to note when logging into a third-party site using Steam:

(1) The Steam login page will always open in an external popup or redirect you to the full page of Steam login page — with your account details already enter as shown in the image below.

(2) The Steam login page address bar will always begin with "https://steamcommunity.com/openid/" and notice the padlock and "Valve Corp. [US]".





There are other sites that try to 'clone' Steam domains.

These are phishing pages that collect your credentials.

Your account information is then stolen - which leads to the hijacking of your account.

The hijacker is then able to change the E-mail tied to your Steam account and your password.

Even if you have Steam Guard enabled and you've provided them with your Steam Guard code, this process is carried out by the hijacker.

The mobile authenticator is of no exception because you've provided them with the login authorization code.

Here is an example of fake Steam domains [DO NOT GO TO THESE SITES].





If you receive a link from another user, especially one claiming free access to Steam content, use extreme caution!

All official Steam logins are directed to the store.steampowered.com or steamcommunity.com domains.

Official pages will include an Extended Validation SSL certificate, which most up-to-date modern browsers will identify with green text or a green highlight in the address bar with "Valve Corporation [US]" near the address.

If you suspect a site asking for your login information is not an official Steam site, do not enter any information on the site and disregard it.

Official Steam Store domains will appear as the following:

Black-listing of phishing links & the Steam filter

Note: NEVER post phishing links in the Steam Community (forums or game hub).

Doing so does more harm than good, so we advise that you report them to the relevant party.

Phishing links are black-listed on a daily basis.

If you like to report a phishing link, you should do so by reporting them to a community moderator.

Ianskate regularly black-lists phishing links and / or other malicious links.

Use the comments section: https://steamcommunity.com/id/ianskate

If you regularly report phishing / scam links, i recommend that to inquire about applying to enter the following group: https://steamcommunity.com/groups/ScamURL

The above group page is managed by community moderators.

Social engineering is the art of manipulating people so they give up confidential information.

We will consider social engineering as separate from phishing.

Criminals and hijackers use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to "hack" your software.

Hijackers will create certain E-mail accounts and send thousands of E-mails to users with an E-mail account.

They send E-mails to multiple users because the larger the audience, the greater the odds of finding a gullible victim.

With that said, we are well aware that Valve / Steam does send you E-mails, which are authentic and sometimes are given for the following...

• Marketing receipts
  
• Account credential changes and / or other miscellaneous things.
  
• Activating a product through a web browser
  
• Sale notifications
  
• Replies from Steam Support [on active help requests]

Here is an example of an OFFICIAL Steam E-mail...


Valve has their own E-mail domain and it is the following...

<noreply@steampowered.com>

Examples of fake E-mails and how to spot them

Some social engineering E-mails are simplistic in nature and are concise.

As an example, someone may send you an E-mail stating that your Steam account may have been compromised and that you need to give them your account details to recover it.

That's rather simple and somewhat witty - but only if you're gullible.

These E-mail scams typically contain...

• Links to malware
  
• Contact number - yes they may want you to call that number - to scam you
  
• Asking you to send your account information
  
• Asking you to log in to third-party sites with your Steam account

There are certain malware, virus and what not that can steal account information or do other malicious things.

Pertaining to virus; the most common virus are transmitted through E-mail attachments, downloading files from resources that are not entirely trusted, or peer-to-peer (p2p) file trading applications such as BitTorrent.

With any Anti-Virus program, it is important to keep Anti-Virus definitions updated and run a system scan regularly.

You would want to schedule daily scans with a proper anti-malware software like malwarebytes when dealing with malware

I recommend that you use Avast or Windows Defender in conjunction with Malwarebytes.



A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer. RATs are usually downloaded invisibly with a user-requested program -- such as a game -- or sent as an email attachment.



Victim downloads and executes the RAT -> Hijacker has access to victim's PC -> The hijacker puts up the item as a listing.

• Option (A) The hijacker can access victim's e-mail, confirm the listing. The listing is held for 15 days, because the confirmation is done on a platform the thief can more easily access on the compromised device. Some people are so crazy; they leave their credentials or sessions up.
  
  The 15 days is leeway for the victim to notice what has happened and undo the damages.
  
  
• Option (B) The thief can't access victim's mobile 2FA as it's on a wholly separate piece of hardware, thus they can't confirm the listing. Therefore listings are immediate as the risk of compromise is close to null.

If you're not very tech-savy, here's the basics of DNS

Whenever your computer contacts a domain name like “store.steampowered.com,” it must first contact its DNS server.

The DNS server responds with one or more IP addresses where your computer can reach store.steampowered.com.

Your computer then connects directly to that numerical IP address.

DNS converts human-readable addresses like “store.steampowered.com” to computer-readable IP addresses like “173.194.67.102”.

DNS cache poisoning, also known as DNS spoofing, is a type of attack that exploits vulnerabilities in the domain name system (DNS) to divert Internet traffic away from legitimate servers and towards fake ones.

One of the reasons DNS poisoning is so dangerous is because it can spread from DNS server to DNS server.

As per say, you visit Steamcommunity.com, and you're then diverted to a phishing page.

This may seem as a brilliant attacking attempt.

I've quite frankly done this for humor, where'd i'd redirect traffic from Facebook to my own created webpage to troll my highscool friends [in a non-malicious way].

Ah, good times.




Some employers configure their DNS to divert traffic from certain websites, so that their employers don't waste time on Facebook or sites that offer pornography.

OpenDNS can do exactly this - and can be used for network security.

In the OpeDNS control panel, an employer can actually block certain sites such as Facebook or other social media sites.

This works at the NETWORK LAYER.

Thus, if you actually try to PING these sites, you will get a request timed out!

A Steam desktop authenticator [SDA] is a tool / program used to receive authentication codes on a PC rather than a mobile device.

This method may seem rather convenient for users that are unable to use the mobile application due to some limitation or in the contingent of not having a mobile device.

This sounds relatively straight-forward and something that you might want to chomp at.

The issue with this is that that are some SDA's that are purely malware or simply intend to steal your account information.

I did not include this under the 'malware index' of this guide since this hijacking method is very common and is problematic to say at the least.

If you do intend to download a SDA: do ensure that you download the proper one from a GitHub.

Jessecar96's SDA: https://github.com/Jessecar96/SteamDesktopAuthenticator

Note: Some repositories are forked and then used to create a fake SDA and these are the ones that avoid.

I'll be genuinely honest with every user reviewing this guide — : it is simply NOT worth the risk.

This is not a simple 'whatever floats your bot' scenario — it's about the security of a valuable account.

Keep that in mind.

The Web API Key scam is a simple concept but it's difficult to prevent.

Certain third-party sites like OPskins have clones of their website that phish your account information.

The phishing sites usually utilize Google AdWords to pose as the intended third-party sites.

We're going to use OPskins as an example and discuss how the API key scam works.

1) A victim Googles “OPSkins” and the first search result is a phishing site that is advertising with Google AdWords to ensure their listing appears at the top of the search results page. While at first glance these search listings might look legitimate, upon closer inspection the addresses are not correct OPSkins URLs (below we explain how you can distinguish a fake OPSkins URL from a legitimate one).

2) The victim logs into the phishing site.

3) The scam site operator now has access to the victim’s Steam login credentials, which they use to then log in to the victim’s Steam profile.

4) The scammer retrieves the victim’s Steam API key through their Steam account. This key has a lot of power including trade offer history, the ability to cancel trades, etc. See the full list of functions supported by the Steam Web API here
.
5) The scammer then waits for the victim to trade on OPSkins, possibly contacting them to initiate a trade.

6) The scammer then cancels the legitimate trade and changes their Steam username to match the OPSkins bot name so that the victim thinks they are trading to an OPSkins bot.

7) Since the scammer can see the victim’s trade history because they have access to their Steam API Key, the scammer then sends the same trade offer to the victim.

8) The victim then confirms the offer because they believe it to be a legitimate trade to an OPSkins bot.

9) The victim has unknowingly sent a trade offer to the scammer, losing their items.

What can i do if my account was compromised and my trades are being redirected?

If you notice that your trades are being re-directed, you need to do a few things as soon as possible.

[ 1 ] Scan your PC for malware using MWB: https://www.malwarebytes.com/

[ 2 ] Deauthorize all devices: https://store.steampowered.com/twofactor/manage

[ 3 ] Change your password on a secure device

https://store.steampowered.com/account/

[ 4 ] Generate new back up codes from your mobile device.

https://store.steampowered.com/twofactor/manage_action

[ 5] Revoke the Web API key: https://steamcommunity.com/dev/apikey

Your profile avatar has been changed and there is a message that you're going to receive a VAC ban.

This is a "scam scare" tactic.

It is simple...

• The hijacker has obtained access to your account
  
• They then change your profile name, avatar and profile summary.
  
• The summary includes details about a future ban and that you must trade your skins to another account.
  
• That 'other account' is usually the account of the hijacker.

Let's establish some facts.

• VAC is a completely AUTOMATED non-intrusive AC system
  
• VAC bans are delayed; yes; but NO MESSAGE is issued to the account owner
  
• VAC bans are NEVER issued by a Valve employee; as it is automated, which was mentioned in the first point.

What can i do if this has happened to me?

If this happens, it is very clear that your account has been compromised.

We always recommend the same guidelines when your account has been hijacked and you've concurred the API key scam.

The instructions shall be repeated here.

It is very possible that your account has been compromised.

[ 1 ] Scan for malware: https://www.malwarebytes.com/

[ 2 ] Deauthorize all devices: https://store.steampowered.com/twofactor/manage

[ 3 ] Change your password on a secure device.

[ 4 ] Generate new back up codes.

[ 5 ] Revoke any active Web API key: https://steamcommunity.com/dev/apikey

Do not use third-party sites or open links that lead to suspicious pages; as third-party phishing sites use this 'scam scare' tactic.

https://support.steampowered.com/kb_article.php?ref=1266-OAFV-8478

For graphical details of the steps above [1 to 5], please see the index called 'The Web API Key scam'.

There is NO such thing as a PENDING BAN REPORT.

I repeat...

There is NO such thing as a PENDING BAN REPORT.

These are all scams! [Some made with image editing tools]

[Note]: To get a clear view of these images; right click the image and select 'open image in new tab' - from there you can zoom in.

This is ANOTHER 'scam scare' tactic which ends with your accoun being hijacked / stolen!

If someone on Steam has contacted you through your profile page or comments of any of your user-generated content and has made this statement; PLEASE block and report them immediately.

Profile reports are processed by Steam Support; they do not contact you and inform you that your profile has been reported.

This is a common scam method that you will see and quite frankly, many users are gullible enough to follow the scammer's instructions.

They may equivocate and cook up a bunch of nonsense and ask for you account details - password and account name

Reports are anonymous and when action is taken; you receive a relevant message on your profile.

Steam Support NEVER contacts you through your profile page.

Help requests are different.

As with the pending ban report scam - there is no such thing as 'item verification' as well.

There is nothing wrong with your items, and more importantly, no item, regardless of its status, would ever require review by an administrator.

No, your items won't disappear, and no you won't get banned for having "illegal" items.

That's a common ruse or social engineering pretext to make you do something unsafe.

Dupes (or duplicates) exist, and to a lesser degree some glitches (usually more expensive collectors' keepsakes if they really exist), but those are not "hacked" or "illegal".

Long ago, when Steam Support used to restore scammed items for hijacking victims, they duplicated the stolen items because it was impossible to reverse all the subsequent legit trades and market transactions carried out after each item was stolen.

These "dupes", granted by Steam Support itself in recognition of innocent bystanders to fraud, will not get you in trouble with Steam Support.

If someone contacts you and claims to be a Valve employee that does item verification; you must instantly block the user and report them through their profile page.

As you might've guessed, there's no such thing as "illegal purchases".

Any issues with purchases/transactions don't involve someone from the Steam community contacting you.

Here is a text conversation of the SCAM:

[23:35]
conquer War:
sorry to disturb, i made a terrible mistake on your account, just don't be mad at me or anything

[23:35]
GabberGandalf:
sure
no thing

[23:35]
conquer War:
because i was scammed last week for about $773 and I thought it was you since you have the same profile I think he is impersonating you
it was just I accidentally reported your account for doing illegal purchase/scamming instead of someone else and the steam support said that your account will be suspended and your IP will be blocked on steam

[23:37]
conquer War:
I am truly sorry and I tried to tell them that it was just a wrong profile but the steam admin won't listen
also i didn't mean it, it was an honest mistake. I don't want you to get banned so please help me to explain it

[23:37]
GabberGandalf:
ehm
sure thing

[23:37]
conquer War:
Just please add this steam developer named "Christen" now and tell her that the report was a mistake: https://steamcommunity.com/discussions/moderators or if he doesn't accept, it's best to add her on discord ChristenCoomer#2957

[23:39]
GabberGandalf:
ok ty

Let us dissect this stupidity above.

There's no such thing as "illegal purchases" and a "mistake when reporting". Well, the latter is possible but no one will contact you about them making a report by mistake, that's just a pre-step to set up a scam.

Note: This scam will often times refer you to "Valve employees". But, again, these are just fake profiles impersonating real employees on Discord in this case.

What is important here, now is that you block the scammer and report any of the accounts that the link to you (for being involved in scams).

An influx of scams have emerged on Discord where scammers impersonate Valve employees.

In our Discord server or r/Steam (reddit), we constantly have to ban these accounts that are a part of scamming rings, so i've had a lot of experience with seeing and dealing these scams.

They will contact you about things such as pending bans, or with fake gifs and so on.

Note that no Valve employee will contact you on Discord about bans, or anything related to Steam and/or your account (purchases, bans, cooldowns, reports etc). That's the key information to take note of.

Please block them if needed and report these accounts to discord trust & safety.[support.discord.com]

It also seems as if these scammers seem to impersonate specific Valve employees on Steam for reasons that i'm unaware of.

Account data pages have been added to Steam earlier this year and have been useful.

Many users are not aware of these pages, and thus, i would like users to ascertain their use and how they can allow you to potentially know if your account may have been compromised.

This allows you to keep track of your login history - it states information about the OS, time and date etc

https://help.steampowered.com/en/accountdata/MachineAuthName

For the sake of brevity, these abbreviations will be used...

• SGMA - Steam Guard Mobile Authenticator (From your mobile device)
  
• SG - Steam Guard (E-mail version)
  
• SDA - Steam desktop authenticator (a program that simulates SGMA [for PC's].
  
• Auth codes - authorization codes (the codes generated by SGMA, SG or SDA)
  
• 2FA - two-factor authentication (self-explanatory)

2FA provides an additional level of security to your Steam account; this system is stronger than just your username and a password.

Without some form of 2FA - you are a sitting duck!

A hijacker just needs your account name & password and they're successful with stealing your account.

Hence, it is ABSOLUTELY IMPORTANT to have one form of 2FA.

Both SG & SGMA are methods of two-factor authentication that function by generating authorization codes.

These 'auth codes' expire after some period of time; which makes it difficult for a hijacker to use certain attacks or simply guess the authorization code.

SG sends an authorization code to your E-mail when a new device has logged into your account with the correct account name and password.

It is similar with SGMA - but the authorization code is sent your mobile device instead.

• SGMA codes are generated locally and expire within 30 seconds.
  
  
• SG codes are sent to your E-mail and expire within a few minutes.

Note: As these codes are temporal (rely on time), they utilize your device's clock — and if the time on your device is incorrect, your auth codes won't be sent or they will be incorrect!

I strongly recommend that you use SGMA and also add your phone number to your Steam account.

Adding a phone to your account gives you more options to recover your account in case you forget your password, or if your account is stolen. You can use SMS messaging to reset your password, or transfer your Steam Guard Mobile Authenticator from one phone to another.

Here's are the many reasons why SGMA is preferred...

• SGMA codes expire within 30 seconds; making it harder for the hijacker to gain access - but with SG,the codes take longer to expire.
  
  
• Your phone [using SGMA] does not need to be connected to the Internet for the authenticator to work (however, your phone does need to know the correct time).
  
  
• If you're using SG and your E-mail account has been compromised, the hijacker gets a free ride.
  
  
• You require the usage of SGMA to remove trade and market holds; so it's altogether recommended — but if you stick to SG, you get 15 day holds on trades / listings.
  
  
• If your SGMA code has expired, you can quickly check the 'Steam Guard' tab for newly generated codes to enter into the login screen.

The answer is unequivocally yes.

2FA does not magically stop gullible users from giving their account details away or from downloading malware.

As has been say many times; common sense is required here.

Here are some practical explanations of how your account can be hijacked even with a form of 2FA...

• You've logged into a phishing site and provided them with your auth code.
  
  
• Your PC has malware that stole your account information and auth code
  
  
• You (being gullible) physically gave your login details (and auth code) to the hijacker.
  
  
  

We discussed four ways in which hijackers may make gains when hijacking a Steam account.

If you've read it quite carefully, you see that a lot of it involves trading and / or marketing.

This is what gave birth to the many trading / marketing restrictions that exist on Steam.

Those restrictions seem quite useful now, don't they?

Remember when you were whining about them on the Steam forums?

If not, give yourself a pat on the back.

Let's go through some of these restrictions with a small explanation of each one.

Trading & market holds

An item hold won't prevent your account from trading or using the Community Market, but it will delay items being transferred to other accounts if you aren't able to protect your account with a Steam Guard Mobile Authenticator.

Trade and market holds protect items if a user's account is compromised. Even if a hijacker manages to access your account, you can prevent them from stealing your items by canceling any transactions that are on hold.

Newly Authorized device

If you are logging onto Steam from a device that has not been previously authorized by Steam Guard (log in confirmed via email), you will not be able to trade or use the Community Market from this device for 7 days. Any other devices that have already been authorized for at least 7 days will still be able to trade and use the Community Market.

Actions such as clearing your web browser cookies, using a new web browser, reinstalling Steam, and reformatting your computer will make that device look new to Steam and will trigger this restriction.

Exceptions: If you have had a Steam Guard Mobile Authenticator on your account for at least 7 days, there will be no trading or Market restrictions for using new devices/computers. This is because you'll confirm trades and Market listings from the mobile app.

Steam Guard Not Enabled

We require Steam Guard (via email or mobile authenticator) to be enabled for 15 days to help protect your items and Steam Wallet funds from being misused by someone who may have illicitly obtained your password. If you have not had Steam Guard enabled for 15 days, you will be unable to trade or use the Community Market. Accounts that currently have Steam Guard disabled will be unable to trade and use the Community Market.

Steam Guard Only Recently Enabled

If you have recently enabled Steam Guard via email on your account, you will be unable to use the Community Market for the 15 days after Steam Guard was enabled. Removing Steam Guard or disabling and re-enabling Steam Guard will also trigger this restriction.

Recent Password Reset

If you forget your password and need to reset it (note: this is different than changing your password), you will be restricted from trading and the Community Market for 5 days. If your account has not had any activity for more than two months, these restrictions will apply for 30 days. We do this to help protect users who lose access to their email account.

You can change your password from the settings panel in the Steam Client. This restriction only applies to password resets, ex: done via https://help.steampowered.com or by Steam Support.

Mobile Authenticator Added

A Steam Guard Mobile Authenticator provides additional security for your account. Adding an authenticator does not immediately remove existing restrictions. Trades created within the first 7 days of adding the authenticator will still have up to a 15 day trade hold. This allows your items to still be protected and gives you time to recover your account if a malicious actor were to ever add an authenticator to your account.

If your account was already protected by Steam Guard via email, you will have no new restrictions from using trading or the Community Market. If your account was not protected by Steam Guard via email or mobile app, you will be restricted from using trading and the Community Market for 15 days because Steam Guard has been recently enabled.

Mobile Authenticator Removed

Removing a Steam Guard Mobile Authenticator reduces your account security. To help protect your items, you will be unable to trade or use the Community Market for 15 days. In the case your account was compromised, this cooldown gives you time to recover your account and reinstate your security without losing your items.

Newly Added Payment Method

Items that are purchased with trusted payment methods may or may not have a cooldown before they can be traded or used in the Community Market. This cooldown period varies and is game dependent. A payment method that has been verified using Steam's card ownership verification tool is considered trusted. Verify your credit card here and gain access to the Community Market. Verification amounts are sent to your bank in the currency that appears in your Steam store. If your bank converts the charges into your local currency, please contact them for the pre-converted amounts.

Source: https://support.steampowered.com/kb_article.php?ref=1047-edfm-2932

These were re-posted here, and some were not included, so i recommend that further reading be done.

E-mail verification is require at least twice a year.

Reputable domains do not require constant verification.

Steam does ask for more frequent verification for certain email domains.

Some email domains re-use email addresses that are unused.

This means it’s possible to lose access or get your account hijacked if you use one of these providers.

Thus steam asks for more frequent verification to ensure your email remains valid with your email provider.

If you’re using a more reputable email provider, you will only be asked to verify your email maybe once or twice a year.

The bug with E-mail verification

If you're getting the E-mail verification pop-up in the client on a daily basis (even after verifying your E-mail) this is a bug.

The green bar is basically stuck or your client installation may be botched.

To fix this issue, you are required to re-install the Steam Client.

Ensure to backup your games before doing so.

If you've found any security vulnerabilities in Steam, these can be reported.

Here is what Valve has to say when the Hackerone policy was introduced.

Valve's security philosophy

Valve recognizes how important it is to help protect privacy and security. We understand that secure products and services are critical in establishing and maintaining trust with our users. We strive to consistently deliver secure and enjoyable experiences in all of our products and services.

Security includes everyone. Our Steam users, our developers, third party software developers and the security community. Working together we can all make Steam and the Internet safer.

Security of our networks and services is important for us and for you. We take it seriously. If you are a Steam user and have a security issue to report regarding your personal Steam account, please visit our Support site. This includes password problems, login issues, suspected fraud and account abuse issues.

We are running this HackerOne bounty program to reward researchers for identifying potential vulnerabilities. Please review the following guidelines detailing the rules of this bug bounty program. Only research following these guidelines will be eligible for a bounty.

Rewards

For valid reports, Valve will determine rewards within the following ranges based on a number of criteria including CVSS score.

Scope

The current scope is limited to the domains and pieces of software listed here:

• steampowered.com, steamcommunity.com, steamgames.com, valvesoftware.com, counter-strike.net, dota2.com, teamfortress.com and sub-domains, excluding domains explicitly removed in the scope section below
  
• Steam Client for Windows, Mac and Linux
  
• Steam command line utility (SteamCMD)
  
• SteamOS
  
• Steamworks SDK
  
• Steam mobile app on iOS and Android
  
• Steam Servers
  
• Valve game titles

Multiplayer and in-game economy aspects of Valve game titles and dedicated game servers
Please note that game bugs, glitches or gameplay exploits are not part of the bug bounty program, but can still be submitted on our Support site.

No authorization is given to test any other web applications, game titles or mobile applications. No bounties will be given for any disclosures relating to any applications outside the scope of this program.

Dependencies

Valve services make use of a number of open source and commercial packages.

If you discover a vulnerability in a library or OS component, we strongly advise you to follow responsible disclosure procedures directly with the vendor.

We will not pay bounties on undisclosed vulnerabilities in dependent components.

Patches to dependent libraries are generally rolled out by our internal change management systems.

Reports will not be accepted if they refer to vulnerabilities that have been fixed upstream, and scheduled, but not yet
applied to our software or production systems.

We welcome reports that identify Valve systems that have fallen out of date (indicating a problem with our update or change-management procedures).

Responsible Disclosure and Guidelines

When submitting potential vulnerabilities, we ask that you follow HackerOne's general guidelines for disclosure as well as the following additional guidelines. A submission that does not meet these requirements may not qualify for a bounty.

• Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  
• Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Disclosure

Valve embraces transparency in our security, and will generally disclose the details of vulnerabilities found upon request, and will generally permit external discussions of them (such as blog posts) with our permission. We reserve the right to make exceptions to this policy at our discretion.

Please note that we will not consent to disclose reports if they have been marked out-of-scope or inapplicable and where Valve has not taken a specific corrective action.

Exclusions

While researching, we'd like to ask you to refrain from:

• Denial of service
  
• Spamming
  
• Social engineering (including phishing) of Valve staff or contractors
  
• Any physical attempts against Valve property or data centers
  
  

Account hijacking and other malicious activity is a serious offense on Steam.

Valve has recognized this and has imposed many restrictions on Steam - which we discussed earlier.

When you report a user for malicious activity, these reports are processed by Steam Support.

They do all the relevant investigation and have all the relevant information in other to do so.

Yes, Valve has access to your chat messages which will expire in two weeks and then be regenerated.

This has been explicitly stated in the privacy policy agreement.



However, you should also provide an in-depth explanation in your report submission.

Step by Step instructions:


1) Go to the profile of the offending user

2) Click the 'More' drop-down button located at the top right of the page

3) Choose "Report Profile"

If your account has been stolen / hijacked, you need to contact Steam Support.

https://help.steampowered.com/en/wizard/HelpWithAccountStolen



For further assistance with this, see the following guide [which i have read and personally recommend].
https://steamcommunity.com/sharedfiles/filedetails/?id=1126288560

[Q]: Does Valve return stolen items after an account has been hijacked?

[A]: No, the the item restoration policy is clear; lost / lost items will not be restored.

https://support.steampowered.com/kb_article.php?ref=9958-MJDG-3003

[Q]: Steam Support was unable to recover my account, am i SOL?

[A]: Unfortunately, yes. If you've later discovered some form of proof of ownership, you may then re-create a support ticket and await a response.

[Q]: My account was recovered, but there is an existing ban / cool-down , will it be removed?

[A]: Bans, cool-downs and other restrictions that have been concurred will not be removed. This is because the security of your Steam account is your responsibility — which you've agreed to in the Steam SSA (that thing that you claimed to have read).

[Q]: I have the IP of the hijacker after i have recovered the account, is it of any use?

[A]: Quite frankly, this is not enough for some legal action to be taken.

[Q]: I believe my friend's account may have been compromised, what can i do?

[A]: Report the user's account through their profile page, follow these instructions:

[Q]: Can a hijacker transfer my game to their account?

[A]: No. Games licenses are tied to a Steam account - they cannot be transferred to any account.
Family sharing is a different ball game.

Hijackers / attackers / phishers / scammers will always be around and will try to find newer and more advanced methods to scam you and / or steal your account.

Valve has imposed many security restrictions on Steam that are paramount to users.

Common sense is key in preventing certain hijacking attempts.

Spreading awareness by sharing this guide is something that you'd want to do.

If you have any questions or require assistance with something, feel free to ask in the comment section of this guide.

Consider reviewing the index with 'Answers to common questions' before proceeding.

In any case, if you require further elaboration, you're welcome to ask questions.

Suggestions, criticism and what not are all considered - so if you'd like for something to be added or removed from this guide, let us be aware.

Update Log.

Dec 16, 2018 @ 7:47am [guide polished and published]
Nov 13 @ 9:44am [Added details about discord scams]
Dec 29 @ 6:58pm [Added details about "illegal purchases" scam using an example]