I have, but this website has a no-calling-out rule. I might put this on Reddit's Steam thread and call him out there.
Sorry to hear you got hacked. I'd recommend you use randomly generated passwords across all sites you use, and manage them with something like LastPass. I personally use KeePass, but it has a bit of a learning curve.
It's very weird that an attacker gained access to your account even with 2FA enabled. Have you tried contacting support and discussing how they got in?
I messaged them and told them that someone hacked in and took my things.
Isn't it possible for hackers to just gain access to the databases of programs like LastPass and get all your info at once? To me it seems that your data is only as secure as the service you're using. (I know nothing about hacking or password-managing services, just a question.)
Thank you for your time :D
Hi there
Do you make use of a pw manager yourself?
Not true.
A 30 character long password with inserted characters mid-word isn't crackable.
You don't understand what I said.
I'm not talking about a simple numbers to letters rule, but a way to make it so bruteforce fails on the length and dictionary attacks fail because they can't be readily adapted to have symbols randomly splitting words.
Go ahead and calculate how many computational hours that would take to bruteforce; that's how strong encryption works, you just make it time-consuming to crack...
A few problems with your argument about "a 30 character long password with inserted characters mid-word" being uncrackable.
1st off, they do not need to guess your actual password, so that majorly cuts down the amount of time required. Due to security requirements, they only need to guess the method that the hash for your password is and find one of many combinations that match that hash.
2nd, major security keys are often hundreds of characters long for this reason.
3rd, rainbow tables make passwords of combined words much easier to guess.
4th, password restrictions lower the possible entropy required to look at when guessing the password, and guessing the hashing algorithm eliminates a lot more of these.
5th, you are relying on your password being far enough into the brute force that it takes forever. By the nature of the argument, the probability is that it will never be cracked, but it may be the first one guessed as well. It's like saying pick a number between 1 and 500. You may have chosen 499, but if I start at 500 and go backwards you are my second guess.
6th, if they are attacking a password manager they probably have access to your system, which lends all sorts of other information that could assist them in finding it.
Sorry, I kinda went overboard there. I do agree with some of what you said :)
Yeah, but you can't protect yourself against a weak hashing algorithm or stupid people using the weak passwords and weakening the database.
3, hence why you use unusual words and mess with them by inserting extra characters
4, very little really, say you know the category of 3 characters, doesn't do much to help you.
5, sure, but you hope that making it hard enough people wouldn't bother, and the odds of people doing an algorithm that goes for the least used words and picks them at random isn't very efficient, so unlikely to be used successfully.
6, Yeah, that's probably what happened to OP
It's what I think has a good balance of memorable and secure. Alternatively you can do a wholly random one and try to have it written down or memorized, but that seems pretty tough for most people.
You're correct that B@n4NA is not very secure, but bananafootballskyscraperplunger is very secure, very difficult to brute force or crack, much easier to remember, and uses nothing but words.
Using words as passwords is fine, so long as you combine 4+ random words.
It seems both LastPass and KeePass have been compromised in the past already. Do you use a manager yourself?
I've always been using the same string of random letters combined with an alternating series of symbols and numbers (a total of 4 series). Never had any security issues, but always open to improvements. Not quite convinced of these managers yet, but I'll be looking at them more in-depth after my finals for sure.
Thanks for chipping in!
Yes indeed, the fact that it doesn't use HTTPS for updates. There might have been a more fitting word than 'compromised' ^^
Good question. They can theoretically breach LastPass and steal everyone's database, but they'd only have some encrypted rubbish. LastPass' encryption is incredibly strong, and if you're using a lengthy passphrase (like "correct horse battery staple"), then you're pretty secure.
LastPass did get breached, but instead everyone's master password hashes got leaked; this also has incredibly strong encryption. Even if the user has a weak password, if they're using 2FA (2-factor authentication, like your smartphone) an attacker still can't get in.
I don't use LastPass, but I do highly recommend it for the average user.
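The two storage schemes argued about in this thread (the "they only need a matching hash" and "rainbow tables" points a few comments up, and the "leaked master password hashes are still encrypted rubbish" point just above) can be shown side by side. The following is an added example, not code from any poster or from LastPass: it contrasts an unsalted fast hash, which a precomputed table recovers with one lookup, with a salted, iterated key derivation (PBKDF2-HMAC-SHA256 from Python's standard library), where the stored record is useless without the password. The common-password list and the iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Constructed for this demo; use the
# current recommendation of your platform in production.
ITERATIONS = 600_000


def unsalted_md5(password: str) -> str:
    """The weak storage scheme: one fast hash, no salt.

    Every site using it stores the same digest for the same password, so a
    table of digests precomputed for common passwords (a rainbow table in the
    loose sense used in the thread) recovers it with a single lookup.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """The strong storage scheme: per-user random salt plus a slow, iterated KDF.

    Returns what a server (or a password manager's vault header) stores: enough
    to re-derive the key for verification, never the password itself.
    """
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "key": key.hex()}


def verify_record(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["key"]))


# Constructed precomputed table: digests an attacker computes once and reuses
# against every unsalted database they ever obtain.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
PRECOMPUTED = {unsalted_md5(p): p for p in COMMON_PASSWORDS}


def table_lookup(digest: str) -> Optional[str]:
    """Instant recovery if the leaked unsalted digest was ever precomputed."""
    return PRECOMPUTED.get(digest)


def same_password_same_digest(password: str) -> tuple:
    """Two users pick the same password. Unsalted: identical digests, so one
    crack (or one table hit) covers both. Salted: different records, so neither
    a precomputed table nor a crack of one record helps with the other."""
    unsalted_equal = unsalted_md5(password) == unsalted_md5(password)
    salted_equal = make_record(password, 1_000)["key"] == make_record(password, 1_000)["key"]
    return unsalted_equal, salted_equal


if __name__ == "__main__":
    leaked = unsalted_md5("password")
    print("leaked unsalted md5:", leaked, "->", table_lookup(leaked))
    rec = make_record("correct horse battery staple")
    print("stored salted record:", rec)
    print("verify right password:", verify_record("correct horse battery staple", rec))
    print("verify wrong password:", verify_record("correct horse battery stapler", rec))
    print("same password -> same stored value? (unsalted, salted):",
          same_password_same_digest("hunter2"))
```

The salt is what defeats the precomputed table, and the iteration count is what turns the "just need a matching hash" attack into a per-guess cost; a 2FA check on the account is a separate control that applies at login, not to an offline copy of the stored records.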
The only PW manager I had heard of before reading this topic was True Key from Intel, any thoughts on that one?
Very informative, thanks a lot! I'll look into LastPass for sure when my finals are over.
Are you using the free version or the premium one?
The free version is pretty good. Relatively recently, syncing across devices became free, so the only reason to choose the pro version is if you want to use something like a YubiKey, or to remove ads.
I've heard of True Key, but I don't know much about it, so I can't give my opinion on it. Here's a HackerNews post to dig around in.
Sure it seems simple on paper, but I wouldn't classify it as having low entropy purely because "of how simple it is".
If you're using a popular phrase as your password, then yes it can easily be cracked. This is why people recommend a random passphrase, since randomness = more entropy. A long passphrase allows more room for randomness, and can be easier for humans to remember since it uses readable words.
If there's something I'm missing then please share.
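To put numbers on the entropy argument in this exchange and in the "bananafootballskyscraperplunger" comment further up, here is an added example that is not part of any post in the thread. It estimates bits of entropy for the password strategies discussed (a leet-substituted dictionary word, random diceware-style passphrases, fully random strings) and converts them into expected cracking time at two guess rates. The word-list size, the attacker's dictionary size, the per-letter substitution counts and both guess rates are constructed round-number assumptions, not measurements.

```python
import math

# Constructed reference sizes for the estimates (assumptions, not measurements).
DICEWARE_WORDS = 7776          # a diceware-style list has 6^5 entries
ATTACKER_DICTIONARY = 100_000  # words an attacker loads for mangling rules
LOWERCASE = 26
PRINTABLE_ASCII = 95
SECONDS_PER_YEAR = 365 * 24 * 3600


def uniform_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform selections from `choices` options."""
    return picks * math.log2(choices)


def random_passphrase_bits(num_words: int, list_size: int = DICEWARE_WORDS) -> float:
    """Words drawn at random from a list ('bananafootballskyscraperplunger' style).
    Entropy depends only on list size and word count, not on the letters."""
    return uniform_bits(list_size, num_words)


def random_string_bits(length: int, alphabet_size: int) -> float:
    """A fully random string, e.g. 30 random lowercase letters."""
    return uniform_bits(alphabet_size, length)


def mangled_word_bits(variants_per_position, dictionary_size: int = ATTACKER_DICTIONARY) -> float:
    """A dictionary word with substitutions such as 'B@n4NA'.

    The attacker does not brute-force characters: they pick a base word
    (log2 of the dictionary size) and enumerate the substitution variants of
    each position. `variants_per_position` lists how many spellings each letter
    has under the mangling rules (e.g. a -> a/A/@/4 gives 4)."""
    return math.log2(dictionary_size) + sum(math.log2(v) for v in variants_per_position)


def expected_guesses(bits: float) -> float:
    """The 'you might be my second guess' point, averaged out: for a uniformly
    chosen secret the attacker needs half the space on average whatever order
    they enumerate in. The guarantee is statistical, not about one password."""
    return 2 ** (bits - 1)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    return expected_guesses(bits) / guesses_per_second / SECONDS_PER_YEAR


def compare_strategies(fast_rate: float = 1e10, slow_rate: float = 1e4) -> dict:
    """Entropy and expected crack time per strategy at two guess rates:
    an unsalted fast hash attacked offline on GPUs versus a slow iterated KDF.
    Both rates are constructed round numbers for illustration."""
    strategies = {
        "B@n4NA (banana, leet substitutions)": mangled_word_bits([2, 4, 2, 4, 2, 4]),
        "4 random diceware words": random_passphrase_bits(4),
        "6 random diceware words": random_passphrase_bits(6),
        "30 random lowercase letters": random_string_bits(30, LOWERCASE),
        "16 random printable characters": random_string_bits(16, PRINTABLE_ASCII),
    }
    return {
        name: {
            "bits": round(b, 1),
            "years_fast_hash": years_to_crack(b, fast_rate),
            "years_slow_kdf": years_to_crack(b, slow_rate),
        }
        for name, b in strategies.items()
    }


if __name__ == "__main__":
    for name, row in compare_strategies().items():
        print(f"{name:38s} {row['bits']:6.1f} bits  "
              f"{row['years_fast_hash']:10.3g} yr (fast hash)  "
              f"{row['years_slow_kdf']:10.3g} yr (slow KDF)")
```

Two things the table makes visible: the leet-substituted word is far weaker than its mix of symbols and digits suggests, because the attacker guesses the word and the rules rather than the characters; and the same passphrase that falls in days against an unsalted fast hash takes millennia against an iterated KDF, which is why the storage scheme matters as much as the password.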
It's possible, and password managers are very tempting targets. But so are banks and financial institutions and online retailers storing credit cards and credit agencies. Using a password manager limits you to a single point of failure, and if you use it correctly it eliminates the far more common issue of one less secure site getting hacked and then the hackers getting access to a more secure site via that password. And we hope that password managers stay on top of their security, and that other targets seem more appealing by comparison.
And if they do get in, they most likely just get your master password and not into your account due to 2-factor-authentication, and you can change your master password and go on with your life.
Those are some solid points, almost can't wait to give it a try now haha ^^
I recommend offline managers. I use 'pass' (Password Store) for Linux. Uses standard GPG for encryption and (optionally) git for storage. Smaller attack surface if you are the only one with your database. If you're really paranoid have a (second) phone with no connectivity and store it on that.
If you're really concerned about security then yep, use an offline manager; however, if your house burns down then you can lose all of your passwords.
If you're an average user, backing your database up to the cloud is a perfectly fine option. In fact, I highly recommend this method, as I don't want people to lose their passwords.
Nope, none at all, besides that they disabled the authenticator to get in, and I don't get how, unless it did what I said, where it doesn't bother to check if you should be logging in and doesn't ask for verification, and then he disabled it.
You can disable the authenticator from the app, and you can control everything else from there too; it's either direct access to your phone/other devices or your recovery code that the %&*/ got. Also, if you forgot to log out of a public/work computer...
I have the same thoughts as you guys. Hacked phone, or didn't log out of a browser. I suppose they could also do it with a recovery code, but that raises the question of how they'd get hold of the code.
Sorry, I am very skeptical of your story!
You giving the advice "make sure to not use the mobile authenticator ever" is very, very bad advice.
Always use mobile auth, and having money in your account is totally fine.
Contact Steam support and report your hack. They would definitely want to hear about this nearly impossible hack.
What's the point in using leaky bucket or paper knife?
I would be too, and thanks for reminding me. I'm going to update my request to Steam support to add more detail; the first time I was just panicking and it doesn't have much information.
You still have not provided any screenshots or real details. Seems like trolling.
Edit: another thing, your TF2 backpack value went from $27 on Oct 20th to $7 now. Seems like a lot of effort for such a small scam.
They would definitely want to hear about this nearly impossible hack.
"Dear Steam Support: I got hacked! Please help me recover my lost items!"
"We apologize for your difficulties with Interstellar Manifolds. For more information on how to disable Interstellar Manifolds, visit our FAQ page on the topic. If your topic does not have to do with getting us free drugs, please turn your computer on and off until the problem is resolved. Unfortunately, we will no longer be able to assist you with this matter. Our eyes are dolphins.
Sincerely Yours,
MyHandsAreHugeWhatIsMyName"
Oh, I'm sure they'll want to hear about it as much as they do any other support request, anyway.
Yes, I agree Steam support is shite, but if this is some wider problem then it would hurt business and they would get on it.
Otherwise, the media would have fun reporting the hack.
and they would get on it.
If they actually could understand your support ticket well enough to assign priority to it, sure. My point was that they generally respond in batshit ways that make it clear they never properly read your ticket in the first place (so it's rather hard to get important information across to them). It'd be a lot more effective making a reddit thread, getting attention (and perhaps supporting commentary), and waiting/hoping for an official Valve response there.
Meanwhile, the media isn't going to cover an exploit until it's clear it's widespread, so by that point the damage of such a situation (if it is an actual situation) would already be notable.
No idea how they got my password possibly some site linked to my steam account got leaked
This is also fishy: none of the sites where you log in with your Steam ID get access to your account details, so for someone to get your password from another site you'd need to be using the same password there.
That's neither an issue with Steam or any legitimate website.
This cannot be true. They can't bypass your authenticator unless they gain access to your mobile phone. If so, people that have like hundreds and thousands of dollars' worth of inventory would get hacked rather than us who have nothing compared to them.
Or he found out something specific to me; I don't know what that would be though. I don't understand what happened: my cards are gone too, not turned into gems or sold or even traded. They look to have been deleted without a trace.
I wish I knew what; I haven't had anything set up wrong to my knowledge.
Hmm, I think it was at one point before being deleted.
Slightly confused as to how this could have happened, unless they have access to your recovery code - depending on where you keep it, that could've been the area that was accessed/hacked, such as PC documents, email, phone, etc.
Nevertheless, I thought that if you disable the mobile authenticator, then it puts you back into a trade hold, so I'm confused as to how they could have sent stuff over unless you haven't been online recently. Not to mention that if you log in from a new location, there's also a 7-day restriction put onto your account (don't remember if it's just market or everything). Something doesn't add up here, unless the person is someone that you know and have shared the account with?
Someone please confirm, I remember restrictions like this back near the beginning when logging in from my PC vs my parents' PC. Not sure if they changed it more recently.
They bought from themselves on the Community Market and somehow deleted my cards. They didn't make them gems; they are just gone.
If you have recently enabled Steam Guard via email on your account, you will be unable to use the Community Market for the 15 days after Steam Guard was enabled. Removing Steam Guard or disabling and re-enabling Steam Guard will also trigger this restriction.
If you're in contact with support, I would definitely ask them about the above. It's not possible for them to have been able to disable your mobile authenticator and then use the community market immediately afterwards, unless there's something wrong with Valve's system.
Also this:
Removing a Steam Guard Mobile Authenticator reduces your account security. To help protect your items, you will be unable to trade or use the Community Market for 15 days. In the case your account was compromised, this cooldown gives you time to recover your account and reinstate your security without losing your items.
Holy shit, maybe that's where my cards went. I never checked trades because I knew you couldn't trade after turning off authentication.
If you've ever used TeamViewer or were still logged into the browser while infected, then that's the most likely scenario. Other things not to do: use the email or password you use for Steam anywhere else, send gifts directly to strangers, or use sites or programs that want access to Steam credentials (card idlers, gambling/skins/raffles). Somewhere down the line you left an opening for an exploiter to take advantage of. It's very rare for Steam itself to have a backdoor access bug, and the people who'd take advantage of it are generally too stupid to know how to find them anyway.
Never even heard of TeamViewer, and I used Malwarebytes a few hours after the attack when I found out about it, and it found nothing.
The email thing is possible, as my old email password was very similar but not the same, and it was discovered and then changed a few months back. But that still leaves the question of how they shut off the authenticator.
Malwarebytes is good for what it can find, but I would never rely on it as a single solution. Try a scan with SUPERAntiSpyware (free edition) for example and you'll see what I mean. Also the fact that someone hacked your previous email is a sign that you did something wrong back then too. You seem to be leaving a trail of breadcrumbs. :P
It didn't seem like anything at the time; it just said I logged in from Russia, and I had been using library wifi and a VPN off and on at the time, so I just changed my password and forgot about it.
Also, can you link me to the anti-spy thing? The website I found for it looks like a Windows XP-era virus site.
Public internet is risky, VPNs are even riskier. Never trust the free ones or the one time purchase ones.
You're probably on the right site. This is a direct download: http://superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
While Malwarebytes is great for malware products, I like this one for worms/trojans/spyware. I use it weekly for all of the tracking cookies I get from doing survey sites and things I need to be adblock-free to access.
Oh my god, I just checked and they used several different burner accounts to take everything.
Yeah, I found out after that there isn't a restriction on different IPs after having Steam Guard on for a certain amount of time. The restriction does, however, get triggered if you disable it, which is what the OP said happened (getting an email about it being turned off), which is why I was confused.
Could the person have deleted all of the games from your Steam account since they had access to it?
My account got hacked once, but luckily Steam gave me the one-time account reset and gave me all of the items that had been stolen from me. It absolutely blew loads because I was on vacation out of the country, and I just sent them numerous pictures with timestamps to prove that I was the owner of the account and that I could verify my location. Support was very nice about it. They may ask for any Steam Wallet codes you have redeemed or any product keys.
I highly recommend contacting support ASAP to see if they'll reset your account as well. You just have to make sure that you have no sort of key selling/trading sites anywhere on your profile. It's a one-time thing, so don't let it happen again though.
TL;DR - CONTACT SUPPORT IMMEDIATELY AND REPORT THE ISSUE. PROVIDE AS MUCH INFO AS YOU CAN
I will be more than skeptical, this is definitely 100% your fault.
2FA cannot be disabled without access to your account or providing proof of ownership.
Choose one of them.
Please delete the part where you recommend not using mobile auth. That is simply bad advice. Mobile auth definitely makes your Steam account a lot safer. As others said, it is very possible that either your phone was hacked or you made some sort of mistake. Maybe it was even a friend of yours who used your phone when you were in the bathroom or whatever. I really doubt there is a reliable method to hack mobile auth. If there were, we would hear lots more stories from people who actually have some serious value on their account (I'm talking hundreds or thousands of dollars, not 21). Anyway, sorry this happened to you. But please don't tell people to make their account less safe, because that's what you're doing here. :)
I absolutely agree. Unless you have proof that mobile auth actually lessens security, advising people to disable it is a disservice to other users.
Also, I am truly sorry that this happened to you, but I really don't see how the fault lies with the mobile auth.
Just a personal warning, this could be just me, but watch your logins next time and see if you start noticing it not asking for 2-step verification.
I always have to use my phone to enter the authentication code. I have used this for a long time now. The only place where I don't need the code is my old desktop PC (which I haven't used in a year), because I have auto-login activated (not sure if that system still doesn't ask for a code, but I would think so).
But, as I said, advising people to not use the mobile auth is simply not good or fair advice, unless you have proof that it actually lessens security. And that is certainly not the case, even in your example. It may not have helped to secure your account as intended, but it didn't make it more vulnerable.
The only time I've seen a failure to ask for 2-step is during browser transactions where identification was previously provided.
21 is the amount of wallet credit they stole; they took well over a hundred dollars in cards and TF2 items.
Also, my phone never touches anyone else's hands and no one else knows my password. Also, it was off at the time, as in it didn't have any texting or calling privileges necessary for this.
The browser pop-up, or does Steam offer this in the thing?
Sure you didn't use that fishy Steam card giveaway/ref link site?
As far as I know, once you disable the Steam app you have a trade hold again (I know since I changed mobiles and had to do it), so I am sorry to say, but there is something weird in what you are saying.
From what you said, the only way they could have done anything is through your mobile.
And on the side note:
"You can remove two factor authentication from your account by opening the Steam Mobile App, navigating to the Steam Guard menu item, and selecting "Remove Authenticator". This will bring you to a confirmation window, where you can confirm your choice by selecting "Remove Authenticator" again."
One more thing that states you got your mobile jacked
Don't have to be a dick about it... The man just lost $20
I can't figure it out. I hadn't installed anything; I had spent the previous 2 days watching 12 oz Mouse on Adult Swim's website. I didn't give any information to anyone. I logged into some accounts I use all the time that link to Steam, but that's about it that I can think of.
Check your PC for any spyware or any web browser application that requests to read your data on all websites. I'm pretty sure you were hacked by spyware.
What really seems strange to me: you say that the hacker removed your 2FA and stole your cards and stuff. How's that even possible? Last time I had to remove my mobile authenticator due to some technical issue, there was a full trade lock for 15 days after removing it. So when removing 2FA, one should not be able to trade or sell even a single trading card worth only a cent, right?
That's what I don't understand. I checked the times on trades; most are around 10 minutes before the email saying the authenticator was removed, but the email takes time to reach my account, and the last few are 10 minutes past the date.
I just had everything stolen from my Steam account: all my money, 21 dollars I had for the Steam sale, gone down the fucking drain.
No idea how they got my password; possibly some site linked to my Steam account got leaked, or a lucky guess. Either way, my Christmas is ruined and years of cards, emoticons and backgrounds are now lost.
It seems that those who have access to your Steam account (i.e. via password cracking/breaches/guessing) can now turn off 2-step verification and take everything and anything, because I had the mobile authenticator and got an email stating that it had been turned off, even though whoever did this could have had no access to my authenticator to verify themselves.
So don't buy any Steam Wallet cards ever; keep your Steam account at zero dollars or 2 cents, as 2 cents can't be spent on the Community Market, where they can blow everything, and Valve seems to refuse to give you a refund option for it.
And make sure to not use the mobile authenticator ever, as I personally at least never had any issues with email verification, but mobile seems to slip up and let some things go through without a second verification. I noticed this myself and thought nothing of it because I had used Steam in my browser on my computer before.
Sorry if this is long and rambly; I'm just having an awful time. The Steam sale was all I was looking forward to this Christmas and that was ruined, and all the emoticons I worked on gathering for years were just stolen like it was nothing. OH AND THE ASS LEFT ME WITH ONE EMOTICON, IT'S FUCKING DEVIOUS FROM SURUGI WITH THE DESCRIPTION "I'LL ERASE IT ALL, EVERYTHING!" sigh HE HAD TO RUB IT IN, WHAT AN ASSHOLE, YOU HAVE MY MONEY, YOU DESTROYED ALL MY SHIT AND YOU LEAVE ME WITH THIS UGGG sigh
TLDR: Don't have money on your Steam account and never ever use mobile verification.
UPDATE: They got in through Intel security management, a bloatware piece of software that came with a BIOS update. I also can't figure out how to get rid of it. My time on the email was also spot on rather than 10 minutes late like I had thought.
New TLDR: Steam support is trash and Intel put what is essentially a hacker's dream into my BIOS.