So my steam account's been hijacked (Account is back!)

Ed130 The Vanguard

(Insert witty quote here)
Sep 10, 2008
3,782
0
0
Doom972 said:
KingsGambit said:
Out of curiosity, didn't Steam Guard kick in? I was under the impression it was meant to help prevent precisely this kind of thing.

Also, I wouldn't think anything of being caught out by this site. One normally expects phishers to try and recreate PayPal/banking sites, so it's not their normal MO.
I was wondering that myself. Unless he gave that guy his email address and password, Steam Guard should've prevented it. A lot of people don't like Steam Guard for some reason and disable it.
Mainly because it's annoying as hell sometimes.

That said, I would rather have a minor inconvenience pester me every once in a while than lose my entire account like this.
 
Mar 19, 2010
193
0
0
Racecarlock said:
elvor0 said:
Racecarlock said:
And people wonder why I don't use steam and mostly get freeware.

captcha: "The nightman cometh"

S... slenderman?
Even though this isn't a steam only problem and could've easily been avoided had the fellow used Steam Guard and not entered his details on a fake site?

Otherwise....yeah I am wondering why you don't use steam and mostly get freeware. Freeware is naff for the most part.
I tried it back when the HL2 demo came out because I wanted to play it, but the service was slow as crap and used way too much memory.

And even if they've fixed those issues, I don't care. I don't need something constantly using system resources.

Besides which, freeware is only crap if you don't know where to look. Have you tried rigs of rods, powder game, phun, naev, or vega strike? Those are all pretty great.
Damn right, those 100 MBs of RAM used by Steam are way too much considering that 68% of Steam-surveyed computers had only 4GB and more.
 

SL33TBL1ND

Elite Member
Nov 9, 2008
6,467
0
41
DoPo said:
Sure, I'd suggest a longer password, but most good services would have a delay between entering a password and them going "wrong" (maybe a second or so, but that's a lot) or they would limit the amount of wrong passwords you can enter or both. Indeed, Steam already does that - if you get your password wrong a couple of times, you get to fill in a CAPTCHA as well next time.
Except that's not how people brute force passwords. A password retry delay does nothing to stop a serious attacker. All of the actual work is done offline via things like rainbow tables after the attacker has downloaded the encrypted database of passwords.

(Your advice is still pretty solid, though.)
 
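The online throttling DoPo describes above (a delay after a wrong password, a limit on wrong attempts, a CAPTCHA after a couple of failures), written out as an added example; it is not code from the thread or from Steam, and the thresholds are constructed choices.

```python
"""Added example (not from the thread) of the online throttling DoPo describes:
a growing delay after each wrong password, a CAPTCHA demand after a couple of
failures, and a temporary lock after more. In-memory and single-process; the
thresholds are constructed choices, not Steam's."""
import time
from dataclasses import dataclass

CAPTCHA_AFTER = 3     # wrong attempts before a CAPTCHA is demanded
LOCK_AFTER = 10       # wrong attempts before a temporary lock
LOCK_SECONDS = 900.0  # length of the lock
BASE_DELAY = 1.0      # delay after the first failure; doubles each time
MAX_DELAY = 30.0      # cap on the delay


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """Tracks failed logins per account name and says what the login form must do next."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so tests need not sleep
        self.state = {}

    def _get(self, user):
        return self.state.setdefault(user, AccountState())

    def check(self, user):
        """Call before verifying a password. Returns ('ok'|'captcha'|'locked', seconds_left)."""
        st = self._get(user)
        remaining = st.locked_until - self.clock()
        if remaining > 0:
            return ("locked", remaining)
        if st.failures >= CAPTCHA_AFTER:
            return ("captcha", 0.0)
        return ("ok", 0.0)

    def record_failure(self, user):
        """Call after a wrong password. Returns the delay to impose before answering."""
        st = self._get(user)
        st.failures += 1
        if st.failures >= LOCK_AFTER:
            st.locked_until = self.clock() + LOCK_SECONDS
        return min(BASE_DELAY * 2 ** (st.failures - 1), MAX_DELAY)

    def record_success(self, user):
        """A correct password (and CAPTCHA, when demanded) resets the counter."""
        self.state.pop(user, None)


def simulate(wrong_attempts, clock=lambda: 1000.0):
    """Run N wrong guesses against one account and return (delays, final check)."""
    t = LoginThrottle(clock)
    delays = [t.record_failure("alice") for _ in range(wrong_attempts)]
    return delays, t.check("alice")


if __name__ == "__main__":
    for n in (0, 3, 10):
        print(n, "wrong attempts ->", simulate(n))
```

As SL33TBL1ND's reply points out, this only slows online guessing against the live login form; it does nothing for a hash database that has already been stolen. Keying the counter on the account name alone also lets anyone lock a victim out by guessing badly on purpose, which is why real systems prefer a CAPTCHA over a hard lock and also count by source.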

DoPo

"You're not cleared for that."
Jan 30, 2012
8,665
0
0
SL33TBL1ND said:
DoPo said:
Sure, I'd suggest a longer password, but most good services would have a delay between entering a password and them going "wrong" (maybe a second or so, but that's a lot) or they would limit the amount of wrong passwords you can enter or both. Indeed, Steam already does that - if you get your password wrong a couple of times, you get to fill in a CAPTCHA as well next time.
Except that's not how people brute force passwords. A password retry delay does nothing to stop a serious attacker. All of the actual work is done offline via things like rainbow tables after the attacker has downloaded the encrypted database of passwords.

(Your advice is still pretty solid, though.)
In that case, you are dealing with a stolen password, so it's out of your control, as I already explained.
 

Not Matt

Senior Member
Nov 3, 2011
555
0
21
It happened to me too, about a year ago. Best thing that ever happened to me on that account. I got in contact with Steam support and got a few of my friends to report the user as well. And then, after a week of being hacked, I got it back. And it was full of stuff. The scumbag had used my account as a store to buy and sell games and Team Fortress 2 hats. Over 800 TF2 items and 9 games. I had a lot of fun with them and I never heard from the spineless hacker ever again. ...... So that's my story. Hope it helped, because you too might get the same result. So try to be positive.
 

RikuoAmero

New member
Jan 27, 2010
283
0
0
Not Matt said:
It happened to me too, about a year ago. Best thing that ever happened to me on that account. I got in contact with Steam support and got a few of my friends to report the user as well. And then, after a week of being hacked, I got it back. And it was full of stuff. The scumbag had used my account as a store to buy and sell games and Team Fortress 2 hats. Over 800 TF2 items and 9 games. I had a lot of fun with them and I never heard from the spineless hacker ever again. ...... So that's my story. Hope it helped, because you too might get the same result. So try to be positive.
Valve let you keep the items? Wouldn't they have cancelled the purchases and refunded the money to whoever owned the credit cards that were used?
 

Not Matt

Senior Member
Nov 3, 2011
555
0
21
RikuoAmero said:
Not Matt said:
It happened to me too, about a year ago. Best thing that ever happened to me on that account. I got in contact with Steam support and got a few of my friends to report the user as well. And then, after a week of being hacked, I got it back. And it was full of stuff. The scumbag had used my account as a store to buy and sell games and Team Fortress 2 hats. Over 800 TF2 items and 9 games. I had a lot of fun with them and I never heard from the spineless hacker ever again. ...... So that's my story. Hope it helped, because you too might get the same result. So try to be positive.
Valve let you keep the items? Wouldn't they have cancelled the purchases and refunded the money to whoever owned the credit cards that were used?
Yup, I didn't use any of it for about two weeks before contacting Steam and asking if they were going to clean it up (I know, I am an idiot, but at least I am an honest idiot). They said that there was so much to trace back, and since I had deleted 90% of my friend list down to just the people I know in real-life human flesh and blood, since the hacker had added more people than I bothered counting to the list. So they told me to keep it, and if somebody asked for a refund then I should respect that and give them their stuff back. Luckily, very few people came back to me.

Edit: oh, there was barely any money involved, just TF2 items. The games were just indie games with a one-digit price tag, but it is still pretty cool.
 

Athinira

New member
Jan 25, 2010
804
0
0
DoPo said:
SL33TBL1ND said:
Except that's not how people brute force passwords. A password retry delay does nothing to stop a serious attacker. All of the actual work is done offline via things like rainbow tables after the attacker has downloaded the encrypted database of passwords.

(Your advice is still pretty solid, though.)
In that case, you are dealing with a stolen password, so it's out of your control, as I already explained.
Not really.

A strong password will still prevent it from being compromised by brute force, if the password is hashed. Even offline attacks still need to crack the hash, and rainbow tables are only useful as far as they have managed to hash thus far. Once you go beyond 6-7 characters, rainbow tables take up a lot of disk space, and therefore stop being useful.

Sites that prevent certain symbols from being used don't bother me so much as long as they still hash it with a strong hash (not MD5 and probably not SHA1 either), because then you can just compensate with a long password from a password manager. But sites that limit password length (beyond a reasonable length like 64, 80, 96 or 128 chars etc.) really get to me.
 

DoPo

"You're not cleared for that."
Jan 30, 2012
8,665
0
0
Athinira said:
DoPo said:
SL33TBL1ND said:
Except that's not how people brute force passwords. A password retry delay does nothing to stop a serious attacker. All of the actual work is done offline via things like rainbow tables after the attacker has downloaded the encrypted database of passwords.

(Your advice is still pretty solid, though.)
In that case, you are dealing with a stolen password, so it's out of your control, as I already explained.
Not really.

A strong password will still prevent it from being compromised by brute force, if the password is hashed. Even offline attacks still need to crack the hash, and rainbow tables are only useful as far as they have managed to hash thus far. Once you go beyond 6-7 characters, rainbow tables take up a lot of disk space, and therefore stop being useful.

Sites that prevent certain symbols from being used don't bother me so much as long as they still hash it with a strong hash (not MD5 and probably not SHA1 either), because then you can just compensate with a long password from a password manager. But sites that limit password length (beyond a reasonable length like 64, 80, 96 or 128 chars etc.) really get to me.
At the very least, you are still vulnerable to a hash collision, though. And if anybody stole all password hashes, chances are they'd work on them really hard, even calling in help, if needed. If I remember correctly, when LinkedIn had a lot of their passwords stolen (6 million or so), about 90% of them were cracked in just around a week. Once stolen, the password protection is out of your hands - maybe it would buy you some time, maybe not, depends on how they are protected and so on, but a dedicated cracker (and they rarely steal password hashes at random with no motivation) still puts your password at risk.
 

Athinira

New member
Jan 25, 2010
804
0
0
DoPo said:
At the very least, you are still vulnerable to a hash collision, though. And if anybody stole all password hashes, chances are they'd work on them really hard, even calling in help, if needed. If I remember correctly, when LinkedIn had a lot of their passwords stolen (6 million or so), about 90% of them were cracked in just around a week. Once stolen, the password protection is out of your hands - maybe it would buy you some time, maybe not, depends on how they are protected and so on, but a dedicated cracker (and they rarely steal password hashes at random with no motivation) still puts your password at risk.
I can see from your post that my expertise in this field is quite a bit more expanded than yours, so allow me to educate you a bit :)

First of all, the hash collision risk is why I said "not MD5 and probably not SHA1 either". Those are hashes that have been proven to be either weak and crackable (MD5) or not as strong as intended (SHA1). Once you move to a stronger hash algorithm like SHA-2 (256 or 384 bit version), or perhaps even an algorithm like SKEIN or the unmodified original SHA-3 (512 bits) if you're feeling paranoid, you're pretty much safe from hash collision for the foreseeable future (50-100 years for SHA-2, to the end of the universe for SHA-3).

The reason why the LinkedIn passwords were cracked so fast when stolen is actually pretty simple, and what I argued against: it's because people use weak passwords!

Some people always point out that the advancement in computational power is the threat to passwords. But the biggest advancement in the science of password-cracking isn't about computational power, but it was when we learned about how people use passwords. It came around when the password database of the PHPBB forums was leaked with 250k passwords, only hashed with MD5 and not salted. The cracking of this password database gave password crackers a unique insight in how most people statistically construct passwords. Where password-crackers used to run through all passwords or use simple dictionary attacks (trying all words in a dictionary), they were now modified to try passwords in a specific order, specifically the order that people are most likely to build their passwords around. Knowledge like:
1) If the password contains capitalized letters, only the first letter or all letters used is likely to be capitalized
2) Passwords containing numbers usually put the numbers at the end, and the numbers are likely to be obvious (like just '1', '123' or '123456'. 'zebra123' is an example of a common password where the user is required to use both letters and numbers).
3) Most commonly used words in a password ('password', 'zebra', 'monkey', 'batman' are examples of words that are often used in passwords).
4) People VERY rarely use spaces in passwords, even when it's allowed.
5) Common substitutions ('p@ssw0rd', 'm0nkey' etc.).

In addition, more work has been put into making dictionaries better. One password cracker who built a password-cracking dictionary did a very clever thing: he downloaded the English Wikipedia (all of it) and used every word there in a prioritized order for his dictionary.

And this is why 90% of LinkedIn passwords were cracked so fast and so easily, because password crackers KNOW how people create passwords. That 90% (or more, given more time) of those are cracked so fast isn't really that interesting. What's interesting is the ones they didn't manage to crack (and still haven't)!! The passwords that are strong out of the box, salted and protected by a proper hash that is collision resistant, those might never be cracked if they are strong enough :)
 
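Two of the points in the post above, as an added example that is not the poster's code: an unsalted fast hash of a predictably built password is found instantly in a precomputed (rainbow-style) table, while a salted, iterated hash of the same password is not; and a checker for the five construction patterns the post lists. The word list, the suffixes and the tiny lookup table are constructed stand-ins, and PBKDF2 from the standard library stands in for a proper password hash.

```python
"""Added example (not the poster's code). The word list and the candidate table
are constructed stand-ins for the real dictionaries and rainbow tables the post
talks about; hashlib.pbkdf2_hmac stands in for a purpose-built password hash."""
import hashlib
import os
import re

# Words the post names as common, plus a few constructed entries.
COMMON_WORDS = {"password", "zebra", "monkey", "batman", "qwerty", "letmein"}
# Substitutions of the 'p@ssw0rd' kind, undone before the dictionary check.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s"})


def weak_pattern_reasons(pw):
    """Return the list of predictable-construction patterns a password matches."""
    reasons = []
    letters = [c for c in pw if c.isalpha()]
    caps = [c for c in letters if c.isupper()]
    # Rule 1: capitals only as the first letter, or every letter capitalised.
    if caps and (len(caps) == len(letters) or (pw[0].isupper() and len(caps) == 1)):
        reasons.append("capitals only at start or throughout")
    # Rule 2: a short, obvious run of digits at the end.
    m = re.search(r"\d+$", pw)
    if m and ("123456".startswith(m.group()) or len(set(m.group())) == 1):
        reasons.append("obvious digit suffix")
    # Rules 3 and 5: a common word, possibly with leet substitutions.
    base = re.sub(r"\d+$", "", pw)
    if base.translate(LEET).lower() in COMMON_WORDS:
        reasons.append("common word (after undoing substitutions)")
    # Rule 4: no spaces and short, i.e. not a passphrase.
    if " " not in pw and len(pw) < 12:
        reasons.append("short and no spaces")
    return reasons


def fast_unsalted_hash(pw):
    """What the post warns against: one fast, unsalted MD5 per password."""
    return hashlib.md5(pw.encode()).hexdigest()


def slow_salted_hash(pw, salt=None, iterations=100_000):
    """Salted, iterated SHA-256 via PBKDF2 (stdlib); returns (salt, hex digest)."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


def build_lookup_table(words=COMMON_WORDS, suffixes=("", "1", "123", "123456")):
    """Tiny stand-in for a precomputed table: digest -> plaintext, built from the
    word list and the digit suffixes the post describes."""
    return {fast_unsalted_hash(w + s): w + s for w in words for s in suffixes}


def precomputed_lookup(table, digest):
    """Recover the plaintext if the digest was precomputed, else None."""
    return table.get(digest)


def demo():
    table = build_lookup_table()
    found = precomputed_lookup(table, fast_unsalted_hash("zebra123"))
    _, h_a = slow_salted_hash("zebra123")
    _, h_b = slow_salted_hash("zebra123")
    return {
        "unsalted_md5_recovered": found,                # 'zebra123'
        "salted_hashes_differ": h_a != h_b,             # True: fresh salt each time
        "salted_in_table": precomputed_lookup(table, h_a) is not None,  # False
        "zebra123_reasons": weak_pattern_reasons("zebra123"),
        "passphrase_reasons": weak_pattern_reasons("correct horse battery staple"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The salt only removes the precomputation: someone holding the stolen hashes can still run the same word list and rules through the slow hash one salt at a time, which is exactly how a weak password like 'zebra123' falls even when the storage is done right. That is the post's point, and it is why the checker and the hashing belong together.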

Adultism

Karma Haunts You
Jan 5, 2011
977
0
0
Everyone saying that it will be okay and that everything will be fine.

No actually it will not. You're going to get VAC banned and lose all your items regardless. They will probably catch the thief too on his main account but steam is known for giving you the finger when people take your stuff. Most hackers will use actual hacks to get accounts that they hacked VAC banned so they can't be recovered, basically hacker trolling.

Sorry kiddo you should use different passwords and not simple passwords like heypassword19 super easy to guess.

EDIT: Also it's funny because most hackers are weak willed fools, I've confronted a few scriptlosers IRL and broken a couple egos after threats. Anyone who threatens you over the internet is a weak link in society and needs to be removed. Hell most hackers in general are autistic (the bad kind) and think that they are more important than the rest of the world and spend their lives hacking and stealing money from people because they think they are above it all. (See XJ9 even though he's not a hacker similar situation) So yeah if you ever run into a hacker you should make it your mission to make them mad, because it's really easy and they are horrible people. (for the most part)
 

Lovely Mixture

New member
Jul 12, 2011
1,474
0
0
I just never expected they could make something look so much like an actual Valve site
Yep. I'm hoping Valve will put this in their caution label in the future for people who don't know. Always check the URL.


Adultism said:
No actually it will not. You're going to get VAC banned and lose all your items regardless. They will probably catch the thief too on his main account but steam is known for giving you the finger when people take your stuff. Most hackers will use actual hacks to get accounts that they hacked VAC banned so they can't be recovered, basically hacker trolling.
Depends how fast he contacted Valve support. I got my account back fast when the same thing happened to me.
It's not a big deal if he loses his items, provided he didn't spend any money on them.

Adultism said:
Sorry kiddo you should use different passwords and not simple passwords like heypassword19 super easy to guess.
If you had read the first post of this thread, you'd know that's not what happened at all.
 

Darkluigi

New member
Oct 29, 2013
3
0
0
Hey bro I got phished yesterday too. I'll tell my story in bullet form so that it's easier and faster to read.
-Playing Dota 2.
-A guy messaged me in steam.
-He told me to help his friend with his trade.
-Told me to click this link and comment in it.
-Stupid me concentrating on the game, I opened the link.
-I told my buddy to take over my hero.
-It looked legit. When I was about to comment, it asked me to log in through steam. So I did.
-I did the procedure, the email verification code and etc.
-After that, steam automatically logged me out then I couldn't log in again.
-Checked the link again, there was an "s" on dota2lounges. There shouldn't be on the original site.
-After a few hours, all of my valuable Dota 2 items are gone.
-Really felt stupid, but I knew I had it coming.
-Felt stupid, so I reported to Steam support. Told them what happened, gave them my credit card information and some screenshots of the guy who gave me the link.

Now, I'm just waiting for Steam support to reply. I really worked hard getting all those items... and my games. D: Moral of the story: Do not help people when in game. I hope our accounts get back! ^_^ When I get my account back, I'll give a common Dota 2 item to the first one who cares about my situation. :) And always be positive. Don't lose hope even if you don't get your account back. It's not the end of the world.

Edit: Removed link. Thanks for the warning. :)
 
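The "always check the URL" advice from the story above, turned into a small check as an added example (not code from the thread or from Valve): given a link, say whether its host is a trusted site, a look-alike of one (an extra or changed letter, or a trusted name buried inside a longer host), or simply unknown. The allowlist is constructed for the example, including the assumed spelling of the trading site; substitute the sites you actually trust.

```python
"""Added example (not from the thread). The allowlist is constructed; the
trading-site name is assumed from the story, not verified."""
from urllib.parse import urlsplit

# Registrable domains we trust (constructed list for the example).
TRUSTED_DOMAINS = {"steamcommunity.com", "steampowered.com", "dota2lounge.com"}
MAX_LOOKALIKE_DISTANCE = 2


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of the host. Crude (no public-suffix list) but right for .com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url):
    """Return ('trusted'|'lookalike'|'unknown'|'invalid', matched trusted domain or None)."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    if not host:
        return ("invalid", None)
    domain = registrable(host)
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    # A trusted name that is merely part of a longer host (for example as a
    # subdomain of something else) is a classic look-alike.
    for t in TRUSTED_DOMAINS:
        if t in host:
            return ("lookalike", t)
    # Otherwise: a registrable domain within a couple of edits of a trusted one,
    # which covers the extra "s" in the story.
    nearest = min(TRUSTED_DOMAINS, key=lambda t: edit_distance(domain, t))
    if edit_distance(domain, nearest) <= MAX_LOOKALIKE_DISTANCE:
        return ("lookalike", nearest)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample links; the first imitates the one in the story.
    for link in ("https://dota2lounges.com/trade/123",
                 "https://store.steampowered.com/app/1",
                 "http://steamcommunity.com.login-example.net/",
                 "https://example.org/"):
        print(link, "->", classify_url(link))
```

A real deployment would use a public-suffix list instead of "last two labels", and would treat an unexpected login prompt on any non-trusted host as the signal, since that is the step at which the credentials in the story were handed over.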

Gethsemani_v1legacy

New member
Oct 1, 2009
2,552
0
0
Darkluigi said:
Hey bro I got phished yesterday too. I'll tell my story in bullet form so that it's easier and faster to read.
-Playing Dota 2.
-A guy messaged me in steam.
-He told me to help his friend with his trade.
-Told me to click this link and comment in it. *removed malicious link*
-Stupid me concentrating on the game, I opened the link.
-I told my buddy to take over my hero.
-It looked legit. When I was about to comment, it asked me to log in through steam. So I did.
-I did the procedure, the email verification code and etc.
-After that, Steam automatically logged me out, then I couldn't log in again.
-Checked the link again, there was an "s" on dota2lounges. There shouldn't be on the original site.
-After a few hours, all of my valuable Dota 2 items are gone.
-Really felt stupid, but I knew I had it coming.
-Felt stupid, so I reported to Steam support. Told them what happened, gave them my credit card information and some screenshots of the guy who gave me the link.

Now, I'm just waiting for Steam support to reply. I really worked hard getting all those items... and my games. D: Moral of the story: Do not help people when in game. I hope our accounts get back! ^_^ When I get my account back, I'll give a common Dota 2 item to the first one who cares about my situation. :) And always be positive. Don't lose hope even if you don't get your account back. It's not the end of the world.
I suggest you don't provide links that you know can lead to malicious websites. Even if you explicitly tell people not to click it, there's always the risk of someone doing so by mistake or by not paying enough attention. I'm also fairly certain that it is a violation of the Escapist CoC.
 

Darren716

New member
Jul 7, 2011
784
0
0
Darkluigi said:
Got my account back. :D How about you, OP?
I have good news: I got my account back and everything in my inventory was there. The only problem was that the bastard removed everyone from my friends list, so it's going to take a while to get all of my friends to add me again. I am very happy with how quickly Steam support got me my account back, since I was thinking it would take a few weeks and now here I am five days later and everything is good.