So my steam account's been hijacked (Account is back!)


Darren716

New member
Jul 7, 2011
784
0
0
CrossLOPER said:
Darren716 said:
So earlier today I was on tf2outpost (a popular trading site for Team Fortress 2) and I'm looking at a trade where my offer was declined and see that someone else has told the person who posted the trade to add him on Steam and left what looked like a link to his Steam account. So out of curiosity I clicked on the link to see if the guy had anything I may want to offer on and was brought to what looked like a normal Steam profile page, but when I clicked on his inventory I was asked for my Steam account and password. I thought that the guy may have had his privacy set so that only Steam users could look at his inventory, so I put in my account name and password and went on my way. A few minutes later I tried to get on Steam, where it said I was signed in on another computer, and after a quick check of my email I saw that my account was now being used by some guy in Russia. I quickly realized what happened: the link I clicked on wasn't actually a link to a Steam account, it was a phishing site that was made to look like a Steam account. I instantly felt like an idiot for being fooled so easily. I contacted Steam Support right away, but I am wondering if there is anything I could do to get my account back faster or have it be locked, because I have some fairly expensive TF2 items and I don't want to see them get sold off?
Did they get past Steam Guard, or are you not using it for some reason? Also, I keep a direct link to Steam on my toolbar.
I never activated Steam Guard because I thought it was automatically engaged, and since I felt I was too smart for phishers I never looked into it. At least I know the first thing I'm doing once I get my account back.
 

RikuoAmero

New member
Jan 27, 2010
283
0
0
Fieldy409 said:
Make sure if you use the same password for multiple things (like your Steam account, your email address, PayPal) that you change them all. First thing I'm going to do is try your Steam password on your email address if I'm a hacker, look through your emails for receipts and shit from sites where you buy shit. Oh, you have an eBay account, huh? Well, I'm going to try your Steam password on your eBay account now, see what happens.
I admit, for the longest time, I used the one email address, that I've had for over ten years, for everything. However, I eventually woke up and smelt the coffee. Nothing bad happened, I just decided I needed better security. So I created unique email addresses for EVERYTHING (all games, all online accounts, all services), got a password generator, created a unique password for each email address, and then for each online account/service/game, pointed it to the one email. Those accounts then themselves got a unique password. So this means that my YouTube account now has a unique account name, unique password, and is pointed at a unique email that is used only for that YouTube account. Same goes for PayPal, Facebook, Steam, etc. I then set up an email client (I use Mozilla Thunderbird) and added each email address to it.
It does take a while to set up, but now, even if I were to be like the OP here in this thread, the Russian thief wouldn't be able to do anything. He'd need my Steam Guard code and that's sent to my Steam email, which has a different password than the Steam account. Even if he were somehow to get that, and tried to buy things with my PayPal account... he'd need my PayPal email address and password. If he tried to reset the password on PayPal, it would show up on my PayPal's alternate email and I could contact PP and tell them no, it's not me.
 

RikuoAmero

New member
Jan 27, 2010
283
0
0
Darren716 said:
CrossLOPER said:
Darren716 said:
So earlier today I was on tf2outpost (a popular trading site for Team Fortress 2) and I'm looking at a trade where my offer was declined and see that someone else has told the person who posted the trade to add him on Steam and left what looked like a link to his Steam account. So out of curiosity I clicked on the link to see if the guy had anything I may want to offer on and was brought to what looked like a normal Steam profile page, but when I clicked on his inventory I was asked for my Steam account and password. I thought that the guy may have had his privacy set so that only Steam users could look at his inventory, so I put in my account name and password and went on my way. A few minutes later I tried to get on Steam, where it said I was signed in on another computer, and after a quick check of my email I saw that my account was now being used by some guy in Russia. I quickly realized what happened: the link I clicked on wasn't actually a link to a Steam account, it was a phishing site that was made to look like a Steam account. I instantly felt like an idiot for being fooled so easily. I contacted Steam Support right away, but I am wondering if there is anything I could do to get my account back faster or have it be locked, because I have some fairly expensive TF2 items and I don't want to see them get sold off?
Did they get past Steam Guard, or are you not using it for some reason? Also, I keep a direct link to Steam on my toolbar.
I never activated Steam Guard because I thought it was automatically engaged, and since I felt I was too smart for phishers I never looked into it. At least I know the first thing I'm doing once I get my account back.
I'm going to try and not be rude, but clearly, you're not smarter. Never assume. It just makes an ass out of u and me (that's one of my favourite lines). No, Steam Guard is never automatically engaged - to set it up, it sends a code to whatever email you have Steam pointed to, logs you out of the Steam program and won't let you back in unless you give it that code. Security is always about double checking everything and always being wary. I would also like to ask just how in the world you could think you were too smart for phishers, but then went right ahead and gave a website your account name and password (without double checking it). I can confidently say I am too smart for most phishers, but that's because I practice what I preach. I double check sites any time they ask for my password, and if I get an attachment in an email I'm not too sure of, it gets opened in a Linux live CD on a virtual machine. That's not 100% security, but it's pretty much the best I can do.
 

J Tyran

New member
Dec 15, 2011
2,407
0
0
Darren716 said:
since I felt I was too smart for phishers
To be honest this was your mistake, not that I am accusing you of being stupid, but down to the fact that you should never underestimate scammers. Most of them may be dumb and obvious, but some of them are crazily and scarily smart and have honed their scams and techniques and caught out thousands of people. Never underestimate their ability at social engineering either. Some of them can talk the most security-conscious people into letting their guard down.

They can catch out the best and brightest sometimes, especially the ones with new techniques.
 

ItsNotRudy

New member
Mar 11, 2013
242
0
0
How does this work exactly? Even if someone gets your Steam ID/Password, they will need your Email to do the verification. So... you used the same password for email and Steam. Not very smart.
 

Athinira

New member
Jan 25, 2010
804
0
0
BloatedGuppy said:
Origin isn't really any worse than Steam in terms of customer care/kindness.

As this is going to be your one item recovery, I'd go to great lengths to beef up your Steam security heading forward. Change the email associated with it to a new, unique email. Make sure the password is changed to something VERY strong, and use something like KeePass and Anti-Logger to evade keyloggers. Set your account to private. And never, ever, ever give your password and account information to third party sites ever again.
If you're going to give advice, at least give proper advice and not just paranoia-based advice.

1) Change password: great advice, and should be done on all sites where he has used the same or a similar password.

2) Change e-mail: has no security benefits at all. The secret is in the password, not the username. The only time this would provide security benefits would be if his mail was also compromised.

3) Use KeePass: great recommendation and something everybody should do. I do that myself, with uniquely generated passwords for all sites. In addition, if you use a browser-based auto-fill addon (KeePassHttp in my case), it only auto-fills the password and username on a site that matches the URL. That means that scam URLs don't fool the software.

4) Use Anti-Logger: not familiar with the software, so I can't comment on whether or not it's effective in practice, but it's still not really relevant to this case. He was the victim of scamming, not malware.

5) Private account: I don't see the security benefit. A private account only helps in case the criminals do deliberate targeting of high-value Steam accounts. In this case, all they do is fishing, meaning they take whatever comes by and drops their user information. Direct targeting is expensive and not worth it, hence why attackers stick to the low-level cheap method.

6) Account information to third-party sites: not really useful advice without explaining how someone does that. Other people have already advised on checking the SSL certificate, but the problem is that the Steam websites do not use SSL (I just tried both store.steampowered.com and steamcommunity.com with HTTPS in front, and they still revert to plain old HTTP). The only remaining option here is to check the URL, use KeePass (as already advised) and in general be suspicious regarding where you enter your password (particularly if you didn't type the URL yourself).

Last important advice is of course Steam Guard. I personally don't use it anymore after a weekend where their service delayed the mails for several hours, which caused me to be unable to log in and play my games. Being a security-competent person, I judged that the risk of getting my account stolen is less of a hassle than the risk of not being able to log in again the next time they can't sort out their damned services, so I disabled it.

I really wish they would offer an alternative to e-mail that is REAL two-factor (and two-channel) authentication, like the Google Authenticator app for Android/iOS, which I also use for my Dropbox.
 

George Learmonth

New member
Sep 2, 2012
13
0
0
My friend's account once got hacked and his items taken, and a week later he got it back and valve gave him all of his items back, so don't worry :)
 

Victim of Progress

New member
Jul 11, 2011
187
0
0
Ouch man, I feel for you. My account was stolen the exact same way, but luckily I contacted Steam Support and they gave it back to me. Now I refuse to open pages using the in-game browser, I always check it using Chrome first.
 

Snotnarok

New member
Nov 17, 2008
6,310
0
0
Yeeeeeeah triple check that web address, make sure it's not like steam.powered.fart or something silly
 
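Both Athinira's point about KeePassHttp only filling on a matching URL and Snotnarok's "triple check that web address" come down to the same test: is the host part of the URL the real site, or something merely built to look like it? The example below is added here and is not KeePass's code nor anything posted in the thread; the allowlist of Steam hosts is assumed for illustration, and the lookalike URLs are constructed, not observed phishing domains.

```python
from typing import Optional
from urllib.parse import urlsplit

# Hosts on which the stored Steam credential may be filled (assumed allowlist;
# a password manager takes this from the URL saved with the entry).
STEAM_HOSTS = {"steamcommunity.com", "store.steampowered.com"}


def page_host(url: str) -> Optional[str]:
    """Return the lower-cased host of an http(s) URL, or None if there is none.
    Only the host is trusted: the path, query and 'user@' part are all chosen
    by whoever controls the link."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def may_fill(url: str, allowed=None) -> bool:
    """Fill only when the host is an allowed host or a subdomain of one.
    The comparison is on whole dot-separated labels from the right-hand end,
    so an allowed name appearing as a prefix, inside the path, or with one
    letter swapped does not match."""
    allowed = STEAM_HOSTS if allowed is None else allowed
    host = page_host(url)
    if host is None:
        return False
    return any(host == a or host.endswith("." + a) for a in allowed)


# Constructed samples: the genuine pages plus phishing-style lookalikes.
SAMPLES = {
    "https://steamcommunity.com/login/": True,
    "https://steamcommunity.com/id/someone/inventory": True,
    "https://store.steampowered.com/": True,
    "http://steamcommunity.com.evil.example/login": False,   # real name as a prefix
    "https://steam.community.com/login": False,              # wrong registrable domain
    "https://steamcommunlty.com/login": False,               # typosquat: l instead of i
    "https://evil.example/steamcommunity.com/login": False,  # real name only in the path
    "https://steamcommunity.com@evil.example/login": False,  # 'user@' trick; host is evil.example
    "javascript:alert(1)": False,                            # not a web host at all
}


def check_samples() -> dict:
    """Map each sample URL to whether the filler would release the credential."""
    return {url: may_fill(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, filled in check_samples().items():
        print(("FILL   " if filled else "refuse ") + url)
```

This is the check a human is doing when they read the address bar, and the reason a URL-matching password manager is more reliable than eyesight: the software never sees "a page that looks like Steam", only a host string that either is or is not on the list.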

DoPo

"You're not cleared for that."
Jan 30, 2012
8,665
0
0
Kalezian said:
yea, I'm sure Steam's community page is community.steam.com or steam.community.com, or maybe even steam.com/community.
It's steamcommunity.com

Kalezian said:
Most browsers have a cert pop up next to your URL bar, while most websites maybe won't have a cert, big names like Google, Steam, Microsoft, and Apple will. Even on pages that have little relevance.
The Steam community doesn't, unless you go to the login page.

rhizhim said:
but to be fair, the developers haven't caught on to this and still restrict you from using spaces and certain symbols (like comma, slash etc.) and force you to have at least one number in it, which gives but flimsy security.
Which is something that continues to baffle me as any proper login system would involve hashing your password, thus it doesn't matter one bit what your password contains. Sure, you can insist on people having something different than just letters, to make passwords slightly harder to guess, but there is no need to rule any symbols out.

OK - password security on the other side 101 lesson here. There are several overarching ways to hide information when it comes to security; I won't go over them all, just mentioning that they fall under encryption. One of these methods is called a cryptographic hash; in short, it's a one-way encryption, i.e., once encrypted, you can't get the original info out. Very popular algorithms are MD5 and SHA (though they aren't secure enough for passwords; you can look them up and there are converters to see what they do). What happens is that you get a certain piece of information, just text in this case, and then get a jumbled text in return that is based on the initial one you give it. For example "password" would always result in a value of "5f4dcc3b5aa765d61d8327deb882cf99" if you use MD5.

Since it's mostly impossible to get the original value out of the resulting hash, in order to be secure, you need only hold the hashed value, and any time a password is entered, you run it through the same algorithm you used before - if the results are the same, then it's the same value, otherwise they aren't (duh). It's useful, since if anybody manages to steal the passwords held by a service, they won't be able to reverse the hashes; thus, in theory, the passwords are safe.

As a side effect, since you will always be hashing a text value and would be holding the hash, it doesn't matter how long the text is, or what you have in it, as you are still receiving the same format of return value.

That's the short of it, of course - there are techniques that could crack a hash, but in general they take a lot of time and/or computation power; furthermore, they are mostly countered by using cryptographic salt. But you can look that up if needed; suffice to say for now that properly hashed passwords don't need any extra security in the form of having certain symbols included or excluded.
 

BloatedGuppy

New member
Feb 3, 2010
9,572
0
0
Athinira said:
If you're going to give advice, at least give proper advice and not just paranoia-based advice.
I'm not sure how any of my advice qualified as "paranoid", but a little paranoia might have served the OP well given the circumstances.

Athinira said:
Change e-mail: has no security benefits at all. The secret is in the password, not the username. The only time this would provide security benefits would be if his mail was also compromised.
I've found if your mail is compromised even once...say, if someone becomes aware of it via some MMO subscription or because someone sold a list...EVERY account you have tied to that email becomes vulnerable. For something as high value as a Steam account, I'd recommend a unique email that isn't used for anything else.

Athinira said:
Use Anti-Logger: not familiar with the software, so I can't comment on whether or not it's effective in practice, but it's still not really relevant to this case.
Eh. It's just a good security measure to use if you're doing a review of personal online security. Again, not sure how it would qualify as "paranoid excuse", especially since like most Malware scanners you can get the base functionality for free.

Athinira said:
Private account: I don't see the security benefit. A private account only helps in case the criminals do deliberate targeting of high-value Steam accounts. In this case, all they do is fishing, meaning they take whatever comes by and drops their user information. Direct targeting is expensive and not worth it, hence why attackers stick to the low-level cheap method.
Fair enough, but as the account has already been compromised I'd be concerned about future attempts on the account, thus would want to minimize the profile of it as much as possible. This, perhaps, is a bit paranoid, but frankly I'd be a bit paranoid after having my account compromised.

Athinira said:
Account information to third-party sites: not really useful advice without explaining how someone does that.
I'm not sure why ANYONE would be typing in their steam user name and password outside of Steam start up or the rare access to the Steam forums.

Athinira said:
Last important advice is of course Steam Guard.
I actually had Steamguard leapfrogged once because the email itself had been compromised. That wasn't a good time. Fortunately I was sitting right on top of the PC when the account was taken, and thus had it back and passwords changed inside of 20 minutes.

Athinira said:
I really wish they would offer an alternative to e-mail that is REAL two-factor (and two-channel) authentication, like the Google Authenticator app for Android/iOS, which I also use for my Dropbox.
Agreed. Anyone who has used Steam for a few years has likely accrued a lot of value on their account. The more security options for that, the better.
 

Fieldy409_v1legacy

New member
Oct 9, 2008
2,686
0
0
RikuoAmero said:
Fieldy409 said:
Make sure if you use the same password for multiple things (like your Steam account, your email address, PayPal) that you change them all. First thing I'm going to do is try your Steam password on your email address if I'm a hacker, look through your emails for receipts and shit from sites where you buy shit. Oh, you have an eBay account, huh? Well, I'm going to try your Steam password on your eBay account now, see what happens.
I admit, for the longest time, I used the one email address, that I've had for over ten years, for everything. However, I eventually woke up and smelt the coffee. Nothing bad happened, I just decided I needed better security. So I created unique email addresses for EVERYTHING (all games, all online accounts, all services), got a password generator, created a unique password for each email address, and then for each online account/service/game, pointed it to the one email. Those accounts then themselves got a unique password. So this means that my YouTube account now has a unique account name, unique password, and is pointed at a unique email that is used only for that YouTube account. Same goes for PayPal, Facebook, Steam, etc. I then set up an email client (I use Mozilla Thunderbird) and added each email address to it.
It does take a while to set up, but now, even if I were to be like the OP here in this thread, the Russian thief wouldn't be able to do anything. He'd need my Steam Guard code and that's sent to my Steam email, which has a different password than the Steam account. Even if he were somehow to get that, and tried to buy things with my PayPal account... he'd need my PayPal email address and password. If he tried to reset the password on PayPal, it would show up on my PayPal's alternate email and I could contact PP and tell them no, it's not me.
An email address for everything? That's really good, good work being on top of it. I only have two emails, one for stuff like forums like this and one for serious stuff. But that many passwords is awesome.
 
Apr 5, 2008
3,736
0
0
Out of curiosity, didn't Steam Guard kick in? I was under the impression it was meant to help prevent precisely this kind of thing.

Also, I wouldn't think anything of being caught out by this site. One normally expects phishers to try and recreate PayPal/banking sites, so it's not their normal MO.
 

Doom972

New member
Dec 25, 2008
2,312
0
0
KingsGambit said:
Out of curiosity, didn't Steam Guard kick in? I was under the impression it was meant to help prevent precisely this kind of thing.

Also, I wouldn't think anything of being caught out by this site. One normally expects phishers to try and recreate PayPal/banking sites, so it's not their normal MO.
I was wondering that myself. Unless he gave that guy his email address and password, Steam Guard should've prevented it. A lot of people don't like Steam Guard for some reason and disable it.