So my steam account's been hijacked (Account is back!)


Phrozenflame500

New member
Dec 26, 2012
1,080
0
0
Have Steam Guard on, don't enter your Username/Password (use the Steam Client trading system whenever possible), have a longass password with tons of symbols and numbers and don't use your Steam password for anything else in case that site gets hacked.

Anyways, you did the right thing immediately contacting Steam Support and hopefully they can either recover your account and your items. Reporting the site might also be useful, Valve might be able to ban the offender's account for whatever that's worth.
 

Yopaz

Sarcastic overlord
Jun 3, 2009
6,092
0
0
The Madman said:
Why not just turn on Steam Guard? Unless they also have your email account hijacked then just having your steam info is useless to them.

I don't understand why it wouldn't have been on in the first place. It's easy and convenient protection from exactly this sort of stuff.
Yeah, I agree. It's a really, really, really minor inconvenience whenever you want to sign in with a different computer, but in return your account gets a little safer. Of course... do not use the same password on Steam and your email... then this is useless.
 

elvor0

New member
Sep 8, 2008
2,320
0
0
Racecarlock said:
And people wonder why I don't use steam and mostly get freeware.

captcha: "The nightman cometh"

S... slenderman?
Even though this isn't a steam only problem and could've easily been avoided had the fellow used Steam Guard and not entered his details on a fake site?

Otherwise....yeah I am wondering why you don't use steam and mostly get freeware. Freeware is naff for the most part.
 

MammothBlade

It's not that I LIKE you b-baka!
Oct 12, 2011
5,246
0
0
Ultratwinkie said:
MammothBlade said:
This is easily avoidable. Check the URL before entering any personal details....
No, you just avoid any Russian trade. As racist as that sounds.

It's a hive of stolen games and items being pawned off on unsuspecting gamers because of Russia's notorious cyber crime. It's an easy way to pawn off illicit goods. You just can't risk it. When shit hits the fan, Steam has to take the items away from you and leaves you holding the bag.

That's why all the trades I do are with people in either America, or Europe. Trading outside of the Steam network is also frowned upon because if shit hits the fan Valve would have no record nor the ability to get your money and stuff back.

You're probably right there. Even having your inventory set to "public" increases your risk of being preyed upon. I was approached by one or two Russians myself, and they stank of fraud, it's pretty easy to see when someone's trying to scam you with bullshit.
 

DoPo

"You're not cleared for that."
Jan 30, 2012
8,665
0
0
Phrozenflame500 said:
have a longass password with tons of symbols and numbers
I want to address this bit because it's a common misconception - no, this does not make your password any more secure than just using "This is my password and it's very, very hard." as your password. In fact, the difference between that and "wah1~b51-81jn!rh1g23r180#5124@5b8" is that the former one is way more secure - by orders of magnitude, in fact. The reason is that there are mostly a limited number of ways to "break in" an account, mostly it comes to these:

- Your password is stolen (phishing, keyloggers, snooping, whatever) - your password is absolutely irrelevant at that point, even if you use "password" it's going to be the same effective strength as a gibberish of symbols. Suffice to say that just protecting your password is how to counter it, not doing anything fancy with the password.
- Somebody is watching you type your password. OK, here a bunch of gibberish helps, but what helps more is to just cover the keyboard with your hand or body. At any rate, long passwords would tend to confuse your peeping friend but seriously, you shouldn't base your password strength based on that, just don't let them see it.
- The password is being guessed. Welp, do you really think people would go for "This is my password and it's very, very hard." - it's not likely. Not to mention it has a capital letter, spaces, and punctuation. Most guesses would be for "password", "password123", your pet/relative/loved one name (maybe with a relevant number, like age or year attached to it) or at most something else that's personal (address, favourite show - this kind of stuff). And if those don't work, very, very rarely, if at all, would people try anything further. Heck, a lot would stop after trying 2-3 times and would probably look for a different way.
- The password is being brute forced - bad news is, it's like "being guessed" but on crack. For the record, brute forcing a password is letting a computer automatically try passwords for you - they can go as high as five digits a minute and more. And since it's a machine it won't tire and would be as thorough as possible - it would try "password", it would try "wordpass", it would try "passw0rd", "p455w0rd", etc, as well as all other known popular passwords and their variations (symbol substitution, swapping, and appending) and after that it can just straight up jump into all symbol variations, too. The good news is that it's very, very slow, in fact. The more symbols your password has, the more time it would take to be brute forced (I'm talking WAY more time). Chances are that time is mostly limited for a cracker because you are not important enough. On top of that, it's also very easy to protect against brute forcing - you don't even have to do much. Sure, I'd suggest a longer password, but most good services would have a delay between entering a password and them going "wrong" (maybe a second or so, but that's a lot) or they would limit the amount of wrong passwords you can enter or both. Indeed, Steam already does that - if you get your password wrong a couple of times, you get to fill in a CAPTCHA as well next time.

So, out of these a gibberish password would not really protect you against anything a long but easy to remember password does. A really complex password would at most cause problems if you can't recall it, it won't help with anything. To protect yourself, have a different password for any different service and make that password memorable somehow (I embed something related to the service to each) but still hard to guess, other than that the password doesn't matter as much, it's about how well you guard it.
 

redisforever

New member
Oct 5, 2009
2,158
0
0
BloatedGuppy said:
Darren716 said:
Well from now on I know I'm not checking any link that asks for my steam information 50 times over for even the slightest inaccuracy. This is what I like about Valve they let you learn from your mistakes if you get screwed over, I bet if something like this happened on Origin I would have to pay $10 to get my account back and my items would be gone forever.
Origin isn't really any worse than Steam in terms of customer care/kindness.

As this is going to be your one item recovery, I'd go to great lengths to beef up your Steam security heading forward. Change the email associated with it to a new, unique email. Make sure the password is changed to something VERY strong, and use something like KeePass and Anti-Logger to evade keyloggers. Set your account to private. And never, ever, ever give your password and account information to third party sites ever again.
And everyone, please use SteamGuard. It's there for exactly this reason.
 

Darren716

New member
Jul 7, 2011
784
0
0
I was able to find the site in my history and decided to take a screen capture of it to show how it looked so much like a legitimate steam site.
 

Racecarlock

New member
Jul 10, 2010
2,497
0
0
elvor0 said:
Racecarlock said:
And people wonder why I don't use steam and mostly get freeware.

captcha: "The nightman cometh"

S... slenderman?
Even though this isn't a steam only problem and could've easily been avoided had the fellow used Steam Guard and not entered his details on a fake site?

Otherwise....yeah I am wondering why you don't use steam and mostly get freeware. Freeware is naff for the most part.
I tried it back when the HL2 demo came out because I wanted to play it, but the service was slow as crap and used way too much memory.

And even if they've fixed those issues, I don't care. I don't need something constantly using system resources.

Besides which, freeware is only crap if you don't know where to look. Have you tried rigs of rods, powder game, phun, naev, or vega strike? Those are all pretty great.
 

Easton Dark

New member
Jan 2, 2011
2,366
0
0
Darren716 said:
I was able to find the site in my history and decided to take a screen capture of it to show how it looked so much like a legitimate steam site.
Ah yes, the steamcomnuntiy.

Always read the url.

Well, for the next time, it's always safer just to never put in your account stuff into anything but Steam's log-in client.
 

Someone Depressing

New member
Jan 16, 2011
2,417
0
0
Moral of the story: Fuck hats, customer service, and Team Fortress 2

This sucks, man. But really, it can be easily avoided by checking URLs, reviewing the spelling, grammar, punctuation and - if applicable - particles.

I hope you get your stuff back. This really shouldn't happen to anybody, but oh well, some guy in Russia just thought, "Today, I'll be a douche."
 

Fireaxe

New member
Sep 30, 2013
300
0
0
Suggestion for future reference: always check for the https domain and verified security certificate.

 

Imperioratorex Caprae

Henchgoat Emperor
May 15, 2010
5,499
0
0
Racecarlock said:
And people wonder why I don't use steam and mostly get freeware.

captcha: "The nightman cometh"

S... slenderman?
Nope, an It's Always Sunny in Philadelphia reference. Both episodes that deal with that phrase are absolute gold, btw.

OT: Well, sucks for you dude/dudette/whatever. Not that I don't feel sympathy but one of my biggest rules in any online action is not to click links from people I don't know, and not to enter my information in for an account unless I know it's really the site. This comes from years of avoiding WoW account hacks on fake blizz sites or from faked Blizz e-mails.
Sorry to hear you got hijacked but this really should be a lesson to keep with you for the rest of your internet days.
 

DoPo

"You're not cleared for that."
Jan 30, 2012
8,665
0
0
Darren716 said:
I was able to find the site in my history and decided to take a screen capture of it to show how it looked so much like a legitimate steam site.
It's "steamcomnunity", also I should mention that it's really easy to make a page look like another - you can just rip out the HTML of the legitimate webpage and copy paste it, then tailor it slightly. It takes 5-10 minutes, tops. At the very least, they can take the CSS and use it on their website, which is dumber but whatever. Both of these are very often employed in forging websites, too. In my experience, the "cheap knock off" looking pages (well, discounting poor literacy/grammar if they are the only thing) are a rarity compared to the rest.

Mr.Tea said:
You guys reminded me of this
I know, I was going to link it but I got too lazy to find it and copy/paste the URL. I decided somebody else would do it for me. So, thanks, my puppet - you served your purpose admirably :p
 

DoPo

"You're not cleared for that."
Jan 30, 2012
8,665
0
0
Fireaxe said:
Suggestion for future reference: always check for the https domain and verified security certificate.
The Steam community website is HTTP only, so it won't work. Keeping an eye on the URL is still worth it, though.
 

Fireaxe

New member
Sep 30, 2013
300
0
0
DoPo said:
Fireaxe said:
Suggestion for future reference: always check for the https domain and verified security certificate.
The Steam community website is HTTP only, so it won't work. Keeping an eye on the URL is still worth it, though.
Actually the "Login" page is https.
 

IceForce

Is this memes?
Legacy
Dec 11, 2012
2,384
16
13
DoPo said:
It's "steamcomnunity"
Actually, it's "steamcomnuntiy". The 'i' and the 't' are swapped around.

Anyway, basic anti-phishing protection should be able to block a site like this, right? Or at the very least, alert the user that there's something suspicious.
 

DoPo

"You're not cleared for that."
Jan 30, 2012
8,665
0
0
Fireaxe said:
DoPo said:
Fireaxe said:
Suggestion for future reference: always check for the https domain and verified security certificate.
The Steam community website is HTTP only, so it won't work. Keeping an eye on the URL is still worth it, though.
Actually the "Login" page is https.
Apparently it is. Still, if you use HTTPS for the rest of the Steam community, it just redirects you to HTTP. Now that I think about it, I dunno how useful that bit of info is, since most, if not all, browsers just hide that information from you by default...something I really dislike them doing.

EDIT:
IceForce said:
DoPo said:
It's "steamcomnunity"
Actually, it's "steamcomnuntiy". The 'i' and the 't' are swapped around.
Erm, yeah, also that.