
Steam account hijacked


Forgivable


Hi Guys,

 

My steam account got hijacked, with all my items and games.

 

I have contacted steam support but it might take a while for them to do something about it.

 

Do you have any tips regarding the recovery or how I could slow down the hacker?

Link to comment
Share on other sites

  • Administrators
7 minutes ago, Forgivable said:

Do you have any tips regarding the recovery or how I could slow down the hacker?

 

Do this as soon as possible:

1. Change password immediately and change it anywhere else you have the same password set. The scammer will try to log into your email with it when he loses access.

 

2. De-authorize all other devices here: https://store.steampowered.com/twofactor/manage

 

3. Revoke any API keys set. Their only use, if you don't know what it is, is keeping control of your account. https://steamcommunity.com/dev/apikey

 

Since you mentioned that you already contacted Steam support you should be good on that end.

Link to comment
Share on other sites

I should also mention that the hacker removed my phone number from this account; I can't access Steam Guard anymore.

I had to contact Steam support with a secondary account 😕

Also, now I can only be logged in to my secondary account.

 

 

4 minutes ago, OverduePixels said:

 

Do this as soon as possible:

1. Change password immediately and change it anywhere else you have the same password set. The scammer will try to log into your email with it when he loses access.

 

2. De-authorize all other devices here: https://store.steampowered.com/twofactor/manage

 

3. Revoke any API keys set. Their only use, if you don't know what it is, is keeping control of your account. https://steamcommunity.com/dev/apikey

 

Since you mentioned that you already contacted Steam support you should be good on that end.

 

Thanks, unfortunately I cannot do any of this, it seems.

The hacker took control of the email address linked to my account. Even though I changed it recently for a brand new, different email address, it seems the hacker managed to connect with the old address somehow...

Link to comment
Share on other sites

I don't understand why Steam Guard did not do anything to prevent this?!

Isn't it supposed to send me info that someone is changing the email address of the account / password, or even that someone from another country is connecting to my account?

Now they switched the account back to public... and back to private...

Link to comment
Share on other sites

If someone has the same problem in the future, I recommend following the instructions in this video

 

 

Especially the fact that you will have to say that you forgot your password, you don't have access to your phone, and you don't have access to your email address.

Then a page should show up in which you will have to fill in details, proof of payment with PayPal, etc.

 

Link to comment
Share on other sites

The same thing happened to me. My account was compromised by a hijacker and I got access back through Steam support, but somehow the hijacker kept getting access to my account. I kept receiving SMS messages that Steam Guard was removed, etc. That happened 3 or 4 times, but somehow I managed to get access back with CD keys, credit card info, and government ID proof.

So you can't do anything, just change email and password. And reset your computer.

Just ask for help from Steam support.

Steam support really acted weird in my case and gave access to the hijacker.

Link to comment
Share on other sites

1 hour ago, IgnitedSolly said:

The same thing happened to me. My account was compromised by a hijacker and I got access back through Steam support, but somehow the hijacker kept getting access to my account. I kept receiving SMS messages that Steam Guard was removed, etc. That happened 3 or 4 times, but somehow I managed to get access back with CD keys, credit card info, and government ID proof.

So you can't do anything, just change email and password. And reset your computer.

Just ask for help from Steam support.

Steam support really acted weird in my case and gave access to the hijacker.

 

Did you change the phone number that you linked to your Steam account after these events?

Link to comment
Share on other sites

15 minutes ago, Forgivable said:

 

Did you change the phone number that you linked to your Steam account after these events?

Yes I did.

Link to comment
Share on other sites

5 hours ago, Forgivable said:

The hacker took control of the email address linked to my account

F

 

4 hours ago, Forgivable said:

Isn't it supposed to send me info that someone is changing the email address of the account / password, or even that someone from another country is connecting to my account?

1) You get emails about those changes

2) There is no safety feature around different country logins.

 

Steam security is pretty shit for a billion dollar corporation ngl. Hell they don't even give API key registration notifications which honestly could probably stop a good 10-25% of hijackings.

Knowing steam support says "fuck you" in the item recovery department, the most you're going to get back is the games in the account unless the hijacker is a total moron and doesn't move your funds/items out before (if?) snail support restores your access.

 

If your email and steam account were both compromised it sounds like you have pretty shit web safety, general tips:

  • Long and unique passwords for emails, this is the one thing you don't want compromised and using the most characters you can makes for a stronger password than the standard 8 character 1 upper/lower 1 number 1 char. etc... however do throw in some special chars/numbers as using 6 plain words can be just as easy to crack as using a 6 letter word*.
  • Check out https://haveibeenpwned.com/ every few months to make sure your passwords weren't compromised in a data leak. If you can't be arsed to use a password manager and use the same password for multiple sites, this is very important to check and act on if you're ever leaked.
  • If someone sends you a link and you have to login after clicking it; if it's a common site like backpack.tf or marketplace.tf, manually retype the URL before you login. This can help you avoid scam urls that change 1 letter to make it look legit like maybe backpock.tf or marketpIace.tf (the lowercase L becomes an uppercase i). If it's an uncommon site like rollers.tf (idk) I would not login to it until you have thoroughly researched it. And if it doesn't take you to the official steam login page then nope the fuck out.
  • 2FA only stops people if they already have your password (big yikes if they do), don't think it will protect you from any hijacking because you only need to give them a code once (through a fake login) for them to create an api key (in steam's case, other sites will vary how much damage 1 login session can do) which can pretty much fuck everything.
  • Nothing will ever be so urgent that you won't have time to research it beforehand. If someone is trying to pressure you into something and it "has to be done right now" then it's probably a scam and they are trying to invoke fear so you don't think rationally.
  • If you're on Windows, run security scans once a month if you are downloading stuff regularly. If you weren't using the same password for both accounts then you could have some spyware. (Unless you got phished out of both accounts).
  • And of course if it looks sketchy it probably is, don't click/download if your gut says no and always do research if you haven't seen it before.

*

 

 


Side note where the hell did the insert spoiler button go, CBA to remember how to type the element out with text whenever I need one once a month.

Password cracking time (for a normal computer) is represented by (1.7*10^-6 * C^L) where C is the total characters you can use and L is length. The other numbers are just the time it takes to compute 1 hash. There are 52 letters (upper/lowercase), 10 numbers, and 32 special characters, however usually systems limit these and oftentimes people will only use the number ones ( !@#$%^&*() ) and (,.?'<>) which is 16 total.

So for a standard 8 char password the crack times are

Only letters) 90.88 million

Letter/Nums) 371.18 million (+408% over letters)

Letter/Nums/Chars) 2,329.19 million (+2,562% over letters)

Comparatively using only numbers and letters but increasing your length exponentially raises the crack times such as (compared to the 8 char letter/nums/chars)

Length of 10) 1.43 * 10^12 (+612%)

Length of 11) 8.85 * 10^13 (+37,980%)

Length of 16) 8.10 * 10^22 (+3.48*10^13%)

Length of 32 (Max password is not 16)) 3.86 * 10^51 (+1.66*10^42% -> 1,658,735,893,000,000,000,000,000,000,000,000,000,000,000% longer time to crack than an 8 char password with letters/nums/special chars)

 

Keep in mind we're focused on percentages here, not the actual crack time, because yes, 90 million seconds sounds like forever (2.85 years), but this number is for a standard computer with no GPU acceleration. Supercomputers can crack passwords hundreds of thousands of times faster than these numbers and smart dictionary algorithms can be used to guess common ones even faster (if your password could only have letters it's more likely people will use a word rather than my name, jhghugu, after all).

 

Sorry about the password rant I just hate when sites make me use all 5+ bullshit special restrictions but don't let me go over 16 chars

 

 

Also I put a -trust on that profile so people know it's hijacked. Comment on my steam profile if you get it back and I'll remove it.

 

Link to comment
Share on other sites
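The lookalike-URL tip in the post above (backpock.tf, marketpIace.tf) written out as a check, as an added example that is not part of the original post. The trusted list, the small confusable-character table and the function names are assumptions made for illustration; the prefix rule at the end goes one step beyond the post's one-letter cases.

```python
from urllib.parse import urlsplit

# Assumption: the sites this user really logs in to (names taken from the post).
TRUSTED = ("backpack.tf", "marketplace.tf", "steamcommunity.com",
           "store.steampowered.com")

# Constructed, deliberately small table of look-alike characters.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "i": "l"})


def skeleton(name):
    """Fold a host name so that visually similar spellings compare equal."""
    return name.lower().replace("rn", "m").replace("vv", "w").translate(CONFUSABLE)


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, trusted_name_or_None) for the host in a full URL."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return ("invalid", None)
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return ("trusted", good)
    labels = host.split(".")
    # Every trusted name here is plain ASCII, so an IDN label is never one of them.
    if any(lab.startswith("xn--") or not lab.isascii() for lab in labels):
        return ("lookalike", None)
    # Compare every dotted suffix, so "www.backpock.tf" is checked as "backpock.tf".
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        for good in TRUSTED:
            if skeleton(cand) == skeleton(good) or edit_distance(cand, good) <= 1:
                return ("lookalike", good)
    # A trusted name used as the leading part of someone else's domain.
    for good in TRUSTED:
        if host.startswith(good + ".") or ("." + good + ".") in host:
            return ("lookalike", good)
    return ("unknown", None)  # research it before logging in
```

A "lookalike" verdict means do not log in; "unknown" is the rollers.tf case from the post, where the site needs research first.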

Just to let you all know, look what Steam Support is answering me :

 

Upon further investigation, we have determined that you are not the account’s creator. We won’t be able to provide you with access.

Please note that Steam accounts are non-transferable. If you purchased this account, we recommend contacting the seller to request a refund.
 

 

I cannot believe it, I sent them proof, I got all games on my hard drive, all the screenshots, all the PayPal payments for 13 years, etc., and they manage to claim it is not mine 🤮

Link to comment
Share on other sites

17 hours ago, FP jh34ghu43gu said:

F

 

1) You get emails about those changes

2) There is no safety feature around different country logins.

 

Steam security is pretty shit for a billion dollar corporation ngl. Hell they don't even give API key registration notifications which honestly could probably stop a good 10-25% of hijackings.

Knowing steam support says "fuck you" in the item recovery department, the most you're going to get back is the games in the account unless the hijacker is a total moron and doesn't move your funds/items out before (if?) snail support restores your access.

 

If your email and steam account were both compromised it sounds like you have pretty shit web safety, general tips:

  • Long and unique passwords for emails, this is the one thing you don't want compromised and using the most characters you can makes for a stronger password than the standard 8 character 1 upper/lower 1 number 1 char. etc... however do throw in some special chars/numbers as using 6 plain words can be just as easy to crack as using a 6 letter word*.
  • Check out https://haveibeenpwned.com/ every few months to make sure your passwords weren't compromised in a data leak. If you can't be arsed to use a password manager and use the same password for multiple sites, this is very important to check and act on if you're ever leaked.
  • If someone sends you a link and you have to login after clicking it; if it's a common site like backpack.tf or marketplace.tf, manually retype the URL before you login. This can help you avoid scam urls that change 1 letter to make it look legit like maybe backpock.tf or marketpIace.tf (the lowercase L becomes an uppercase i). If it's an uncommon site like rollers.tf (idk) I would not login to it until you have thoroughly researched it. And if it doesn't take you to the official steam login page then nope the fuck out.
  • 2FA only stops people if they already have your password (big yikes if they do), don't think it will protect you from any hijacking because you only need to give them a code once (through a fake login) for them to create an api key (in steam's case, other sites will vary how much damage 1 login session can do) which can pretty much fuck everything.
  • Nothing will ever be so urgent that you won't have time to research it beforehand. If someone is trying to pressure you into something and it "has to be done right now" then it's probably a scam and they are trying to invoke fear so you don't think rationally.
  • If you're on Windows, run security scans once a month if you are downloading stuff regularly. If you weren't using the same password for both accounts then you could have some spyware. (Unless you got phished out of both accounts).
  • And of course if it looks sketchy it probably is, don't click/download if your gut says no and always do research if you haven't seen it before.

*


 


Side note where the hell did the insert spoiler button go, CBA to remember how to type the element out with text whenever I need one once a month.

Password cracking time (for a normal computer) is represented by (1.7*10^-6 * C^L) where C is the total characters you can use and L is length. The other numbers are just the time it takes to compute 1 hash. There are 52 letters (upper/lowercase), 10 numbers, and 32 special characters, however usually systems limit these and oftentimes people will only use the number ones ( !@#$%^&*() ) and (,.?'<>) which is 16 total.

So for a standard 8 char password the crack times are

Only letters) 90.88 million

Letter/Nums) 371.18 million (+408% over letters)

Letter/Nums/Chars) 2,329.19 million (+2,562% over letters)

Comparatively using only numbers and letters but increasing your length exponentially raises the crack times such as (compared to the 8 char letter/nums/chars)

Length of 10) 1.43 * 10^12 (+612%)

Length of 11) 8.85 * 10^13 (+37,980%)

Length of 16) 8.10 * 10^22 (+3.48*10^13%)

Length of 32 (Max password is not 16)) 3.86 * 10^51 (+1.66*10^42% -> 1,658,735,893,000,000,000,000,000,000,000,000,000,000,000% longer time to crack than an 8 char password with letters/nums/special chars)

 

Keep in mind we're focused on percentages here, not the actual crack time, because yes, 90 million seconds sounds like forever (2.85 years), but this number is for a standard computer with no GPU acceleration. Supercomputers can crack passwords hundreds of thousands of times faster than these numbers and smart dictionary algorithms can be used to guess common ones even faster (if your password could only have letters it's more likely people will use a word rather than my name, jhghugu, after all).

 

Sorry about the password rant I just hate when sites make me use all 5+ bullshit special restrictions but don't let me go over 16 chars

 

 

Also I put a -trust on that profile so people know it's hijacked. Comment on my steam profile if you get it back and I'll remove it.

 

Thank you.

 

The password for my Steam was unique, long, with numbers and capital letters too.

I tried haveibeenpwned

 

Oh no — pwned!

Pwned on 5 breached sites and found no pastes (subscribe to search sensitive breaches)

 

 

I have never clicked on anything fishy on my side, but the hacker also hijacked my Facebook 1 month ago. That's when I decided to change my Steam email address for a new one, but it seems it wasn't enough!!!

Link to comment
Share on other sites
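The result quoted above is the site's e-mail search; the password check recommended earlier in the thread can be done without sending the password anywhere, using the Pwned Passwords range lookup, which takes only the first five hex characters of the SHA-1 hash. This is an added example, not part of any post; the function names and the sample password are assumptions, and the service reply is constructed so the code runs offline.

```python
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_hash(password):
    """SHA-1 the password; return (5-char prefix that is sent, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password):
    """URL to request: it carries only the hash prefix, never the password."""
    return RANGE_URL.format(prefix=split_hash(password)[0])


def breach_count(password, response_body):
    """Find our suffix among the 'SUFFIX:COUNT' lines of a range response."""
    _, suffix = split_hash(password)
    for line in response_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)  # a count of 0 means "not seen in a breach"
    return 0


def constructed_response(leaked, count):
    """Constructed stand-in for the service reply (filler suffixes are made up)."""
    _, real = split_hash(leaked)
    filler = [hashlib.sha1(str(n).encode()).hexdigest().upper()[5:] for n in range(3)]
    lines = [f"{filler[0]}:2", f"{real}:{count}", f"{filler[1]}:0", f"{filler[2]}:11"]
    return "\r\n".join(lines)


def audit(passwords, fetch):
    """Return {password: count}; `fetch(url) -> body` is supplied by the caller."""
    return {pw: breach_count(pw, fetch(range_url(pw))) for pw in passwords}


if __name__ == "__main__":
    body = constructed_response("hunter2", 7)  # constructed sample, not real data
    print(audit(["hunter2", "a-long-unique-passphrase-41"], lambda url: body))
```

Any password that comes back with a count above zero should be changed everywhere it is used, which is the "act on it" step from the earlier post.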

And they keep on denying my ownership:

Hi there,

As our last reply, we have determined that you are not the account’s creator. 

Please note that Steam accounts are non-transferable. If you did not originally create this account on Steam (http://www.steampowered.com), you are not considered to be the owner of the account. A Steam account is owned by its original creator and ownership cannot be transferred.

We cannot provide assistance to anyone other than the original account creator.

If you are not the account's original creator, but rather acquired the account through a service, please contact the service for a refund.

Best Regards,
 

 

This is UNBELIEVABLE, I know everything about my account, I got all the proof they need, and they don't even read any of my messages...

I am so disappointed by Steam

Link to comment
Share on other sites

Finally got an optimistic reply from Support, they asked me to send a screen of the CD keys I bought with some handwriting on it, to show I am the creator of this account.

 

I hope it will help.

Link to comment
Share on other sites

Hi guys,

 

Thanks to the proof I have sent them I managed to get my account back, that's a big relief, thanks to all of you who tried to help me.

Hope to see you on a CTF server soon! 😃

Link to comment
Share on other sites

1 hour ago, Forgivable said:

Hi guys,

 

Thanks to the proof I have sent them I managed to get my account back, that's a big relief, thanks to all of you who tried to help me.

Hope to see you on a CTF server soon! 😃

 

great to see you got your acc back, did you have 2fa just out of curiosity?

Link to comment
Share on other sites

1 hour ago, Forgivable said:

Hi guys,

 

Thanks to the proof I have sent them I managed to get my account back, that's a big relief, thanks to all of you who tried to help me.

Hope to see you on a CTF server soon! 😃

Steam support can give them access again (happened with me), keep talking with Steam support about the concern that the hijacker is getting access to my account again and again.

Link to comment
Share on other sites

3 minutes ago, Roi said:

 

great to see you got your acc back, did you have 2fa just out of curiosity?

 

Hi, yes I had Steam Guard on my phone and my phone number linked to my account.

The hacker managed to hack and steal my old email address that was previously linked to my Steam account, making all the other security measures useless it seems.

But the strange thing is that I linked a new email address to my Steam account 1 month ago to prevent this from happening, but somehow they managed to log in with the old one without triggering any security alert on my phone!

Link to comment
Share on other sites

1 minute ago, IgnitedSolly said:

Steam support can give them access again (happened with me), keep talking with Steam support about the concern that the hijacker is getting access to my account again and again.

Oh damn, I closed the ticket, I hope it will not happen again. 😐

I have asked for permanent suppression of the old email address in the meantime and changed all passwords and phone numbers

Link to comment
Share on other sites

1 hour ago, Forgivable said:

 

Hi, yes I had Steam Guard on my phone and my phone number linked to my account.

The hacker managed to hack and steal my old email address that was previously linked to my Steam account, making all the other security measures useless it seems.

But the strange thing is that I linked a new email address to my Steam account 1 month ago to prevent this from happening, but somehow they managed to log in with the old one without triggering any security alert on my phone!

That's so absurd, even with 2FA people can hijack others. As far as I can suspect, they found out your original email created with the Steam account and found some idiot at support that fell for the hacker's support ticket lies. Hopefully there won't be any VAC or anything so you don't lose items :x

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
