I just had everything stolen from my steam account all my money 21 dollars i had for the steam sale gone down the fucking drain.
No idea how they got my password possibly some site linked to my steam account got leaked or a lucky guess either way my Christmas is ruined and years of cards emoticons and backgrounds are now lost

It seems that those who have access to your steam account ie password cracking/breaches/guessing can now turn off 2 step verification and take everything and anything because i had the mobile authenticator and got an email stating that it had been turned off even though whoever did this could have had no access to my authenticator to verify themselves

so don't buy any steam wallet cards ever keep your steam account at zero dollars or 2 cents as 2 cents cant be spent on the community market where they can blow everything and valve seems to refuse to give you refund option for it

and make sure to not use the mobile authenticator ever as i personally at least never had any issues with email verification but mobile seems to slip up and let some things go through without a second verification i noticed this myself and thought nothing of it because i had used steam on my browser on my computer before

sorry if this is long and rambly im just having an awful time the steam sale was all i was looking forward to this christmas and that was ruined and all the emoticons i worked on gathering for years were just stolen like it was nothing OH AND THE ASS LEFT ME WITH ONE EMOTICON ITS FUCKING DEVIOUS FROM SURUGI WITH THE DESCRIPTION I'LL ERASE IT ALL, EVERYTHING! sigh HE HAD TO RUB IT IN WHAT AN ASSHOLE YOU HAVE MY MONEY YOU DESTROYED ALL MY SHIT AND YOU LEAVE ME WITH THIS UGGG sigh

TLDR Dont have money on your steam account and never ever use mobile verification

UPDATE they got in through intel securtiy managment a bloatware peice of software that came with a bios update i also cant figure out how to get rid of it. My time on the email was also spot on rather than 10 minuites late like i had thought

New TLDR steam support is trash and Intel put what is essentially a hackers dream into my bios

7 years ago*

Comment has been collapsed.

Wtf. Damn. I am sorry man.

7 years ago
Permalink

Comment has been collapsed.

changes password

7 years ago
Permalink

Comment has been collapsed.

This is sad and how is this happened. weird too

7 years ago
Permalink

Comment has been collapsed.

can't you check where did you sent the gift history from the trade or gift history? you might find the culprit.

7 years ago
Permalink

Comment has been collapsed.

i have but this website has a no calling out rule i might put this on reddits steam thread and call him out there

7 years ago
Permalink

Comment has been collapsed.

Have you made the thread on the Steam sub-reddit?

7 years ago
Permalink

Comment has been collapsed.

i will tomorrow its 2 am here and i have finals soon

7 years ago
Permalink

Comment has been collapsed.

Have you reported this using the official channels?
If someone managed to breach the two-step authorisation as you say, they'll really want to know about it.

7 years ago
Permalink

Comment has been collapsed.

I agree, if they passed 2-step verification, they have some sh*t to fix

7 years ago
Permalink

Comment has been collapsed.

Well, if it's correct that would be first break of two-step auth. I have heard of.

7 years ago
Permalink

Comment has been collapsed.

Sorry to hear you got hacked. I'd recommend you use randomly generated password across all sites you use, and manage it with something like LastPass. I personally use KeePass but it has a bit of a learning curve.

It's very weird an attacker gained access to your account even with 2FA enabled. Have you tried contacting support and discuss how they got in?

7 years ago
Permalink

Comment has been collapsed.

i messaged them and told them that someone hacked in and took my things

7 years ago
Permalink

Comment has been collapsed.

Isn't it possible for hackers to just gain acces to programs like LastPass their database and get all ur info at once? To me it seems that your data is only as secure as the service you're using. (I know nothing about hacking or pw managing services, just a question)

Thank you for your time :D

7 years ago
Permalink

Comment has been collapsed.

Not if they do their security well and you have to remember 1 single secure password.
A good way is putting together 5 random rare words and in the middle of some of them adding in symbols or numbers to impede dictionary attacks.

7 years ago
Permalink

Comment has been collapsed.

Never use words as passwords. Nor modified words as passwords.
Passwords that are even 12 characters long and contain words, modified or not, like B@n4NA, are not secure.

7 years ago
Permalink

Comment has been collapsed.

Hi there

Do you make use of a pw manager yourself?

7 years ago
Permalink

Comment has been collapsed.

Not true.
A 30 character long password with inserted characters mid-word isn't crackable.
You don't understand what I said.
I'm not talking about a simple numbers to letters rule, but a way to make it so bruteforce fails on the length and dictionary attacks fail because they can't be readily adapted to have symbols randomly splitting words.

Go ahead and calculate how many computational hours that would take to bruteforce, that how strong encryption works, you just make it time consuming to crack...

7 years ago*
Permalink

Comment has been collapsed.

A few problems with your argument about "a 30 character long password with inserted characters mid-word" being uncrackable.

1st off, they do not need to guess your actual password so that majorly cuts down the amount of time required. due to security requirements, they only need to guess the method that the hash for your password is and find one of many combinations that match that hash.

2nd Major security keys are often hundreds of characters long for this reason.

3rd. Rainbow tables make passwords of combined words much easier to guess

4th Password restrictions lower the possible entropy required to look at when guessing the password and guessing the hashing algorithm eliminates a lot more of these.

5th you are relying on your password being far enough into the brute force that it takes forever. By the nature of the argument, the probability is that it will never be cracked, but it may be the first one guessed as well. its like saying pick a number between 1 and 500. you may have chosen 499, but if I start at 500 and go backwards you are my second guess.

6th if they are attacking a password manager they probably have access to your system which lends all sorts of other information that could assist them in finding it.

Sorry I kinda went overboard there. I do agree some of what you said :)

7 years ago
Permalink

Comment has been collapsed.

Yeah, but you can't protect yourself against a weak hashing algorithm or stupid people using the weak passwords and weakening the database.
3, hence why you use unusual words and mess with them by inserting extra characters
4, very little really, say you know the category of 3 characters, doesn't do much to help you.
5, sure, but you hope that making it hard enough people wouldn't bother, and the odds of people doing an algorithm that goes for the least used words and picks them at random isn't very efficient, so unlikely to be used successfully.
6, Yeah, that's probably what happened to OP

It's what I think has a good balance of memorable and secure. Alternatively you can do a wholly random one and try to have it written down or memorized, but that seems pretty tough for most people.

7 years ago*
Permalink

Comment has been collapsed.

7 years ago
Permalink

Comment has been collapsed.

You're correct that B@n4NA is not very secure, but bananafootballskyscraperplunger is very secure, very difficult to brute force or crack, much easier to remember, and uses nothing but words.

Using words as passwords is fine, so long as you combine 4+ random words.

7 years ago
Permalink

Comment has been collapsed.

And if you make it ban2anafootballskyscr!aperplu%nger (even 1 addition is good enough) it can't be beaten by dictionary attacks as they'd use full words and or replace characters, not insert them.

7 years ago
Permalink

Comment has been collapsed.

It seems both LastPass and Keepass have been compromised in the past already. Do you use a manager yourself?

I've always been using the same string of random letters combined with an altering series of symbols and numbers (total of 4 series). Never had any security issues but always open to improvements. Not quite convinced of these managers yet but I'll be looking at them more indepth after my finals for sure.
Thanks for chipping in!

7 years ago
Permalink

Comment has been collapsed.

Not currently, but I am thinking of moving to one eventually.
Using parts of the same password on different sites or a ledger isn't too secure.

7 years ago*
Permalink

Comment has been collapsed.

With Keepass being compromised you mean the abuse of the update function? Well, you can turn it off. Everything else is based on spyware etc. on your local PC. If you keep your PC clean, it's way safer than a cloud based service.

7 years ago
Permalink

Comment has been collapsed.

Yes indeed, the fact that it doesn't use HTPPS for updates. There might have been a more fitting word than 'compromised' ^^

7 years ago
Permalink

Comment has been collapsed.

Good question. They can theoretically breach LastPass and steal everyone's database, but they'd only have some encrypted rubbish. LastPass' encryption is incredibly strong, and if you're using a lengthy passphrase (like "correct horse battery staple"), then you're pretty secure.

LastPass did get breached, but instead everyone's master password's hashes got leaked; this also has incredibly strong encryption. Even if the user has a weak password, if they're using 2FA (2-factor authentication, like your smartphone) an attacker still can't get in.

I don't use LastPass but I do highly recommend it for the average user.

7 years ago
Permalink

Comment has been collapsed.

The only PW manager I had heard of before reading this topic was True Key from Intel, any thoughts on that one?

Very informative, thanks a lot! I'll look into LastPass for sure when my finals are over.

7 years ago
Permalink

Comment has been collapsed.

I'm using LassPass and it's really good. I recommend it.

7 years ago
Permalink

Comment has been collapsed.

Are you using the free version or the premium one?

7 years ago
Permalink

Comment has been collapsed.

The free version is pretty good. Relatively recently you can now sync across devices for free, so the only reason to choose the pro version is if you want to use something like a Yubikey, or to remove ads.

I've heard of True Key but I don't know much about it, so I can't give my opinion on it. Here's a HackerNews post to dig around in.

7 years ago*
Permalink

Comment has been collapsed.

I'm using the free version across my PC and phone. I had tried another password manager before, but it was really cumbersome to set up and use. LassPass is simple and easy by comparison, and works really well across both my phone and PC.

7 years ago
Permalink

Comment has been collapsed.

Deleted

This comment was deleted 6 years ago.

7 years ago
Permalink

Comment has been collapsed.

Sure it seems simple on paper, but I wouldn't classify it as having low entropy purely because "of how simple it is".
If you're using a popular phrase as your password, then yes it can easily be cracked. This is why people recommend a random passphrase, since randomness = more entropy. A long passphrase allows more room for randomness, and can be easier for humans to remember since it uses readable words.

If there's something I'm missing then please share.

7 years ago
Permalink

Comment has been collapsed.

It's possible, and password managers are very tempting targets. But so are banks and financial institutions and online retailers storing credit cards and credit agencies. Using a password manager limits you to a single point of failure, and if you use it correctly it eliminates the far more common issue of one less secure site getting hacked and then the hackers getting access to a more secure site via that password. And we hope that password managers stay on top of their security, and that other targets seem more appealing by comparison.

And if they do get in, they most likely just get your master password and not into your account due to 2-factor-authentication, and you can change your master password and go on with your life.

7 years ago
Permalink

Comment has been collapsed.

Lastpass is really good, got a premium code from a random kind guy in here, still using it, recommended.

7 years ago
Permalink

Comment has been collapsed.

Those are some solid points, almost can't wait to give it a try now haha ^^

7 years ago
Permalink

Comment has been collapsed.

I recommend offline managers. I use 'pass' (Password Store) for Linux. Uses standard GPG for encryption and (optionally) git for storage. Smaller attack surface if you are the only one with your database. If you're really paranoid have a (second) phone with no connectivity and store it on that.

7 years ago
Permalink

Comment has been collapsed.

If you're really concerned about security then yep use an offline manager, however if your house burns down then you can lose all of your passwords.
If you're an average user, backing your database to the cloud is a perfectly fine option. In fact I highly recommend this method as I don't want people to lose their passwords.

7 years ago
Permalink

Comment has been collapsed.

sounds like your phone got hacked, installed any apps recently?

7 years ago
Permalink

Comment has been collapsed.

nope none at all besides that they disabled the authenticator to get in and i dont get how unless it did what i said where it doesnt bother to check if you should be logging in and doesnt ask for verification and then he disabled it

7 years ago
Permalink

Comment has been collapsed.

you can disable the authenticator from the app, and you can control everything else from there too; it's either access direct to your phone/other devices or your recovery code that the %&*/ got. Also, if you forgot to log-out of a public/work computer...

7 years ago
Permalink

Comment has been collapsed.

I have the same thoughts as you guys. Hacked phone, or didn't log out of a browser. I suppose they could also do it with a recovery code, but that raises the question of how they'd get hold of the code.

7 years ago*
Permalink

Comment has been collapsed.

Hacked phone was exactly my thought too.

7 years ago
Permalink

Comment has been collapsed.

Sorry, i am very skeptical of your story!
You giving advice "make sure to not use the mobile authenticator ever" is very very bad advice.
Always use mobile auth and having money in your account is totally fine.

Contact steam support and report your hack. They would definitely want to hear about this nearly impossible hack.

7 years ago
Permalink

Comment has been collapsed.

What's the point in using leaky bucket or paper knife?

7 years ago
Permalink

Comment has been collapsed.

i would be to and thanks for reminding me im going to update my request to steam support to add more detail the first time i was just panicing and it doesn't have much information

7 years ago
Permalink

Comment has been collapsed.

you still have not provided any screen shots or real details. seems like trolling.

edit: another thing, your tf2 bp value went from $27 on Oct 20th to $7 now, seems like a lot of effort for such a small scam.

7 years ago*
Permalink

Comment has been collapsed.

They would definitely want to hear about this nearly impossible hack.

"Dear Steam Support: I got hacked! Please help me recover my lost items!"

"We apologize for your difficulties with Interstellar Manifolds. For more information on how to disable Interstellar Manifolds, visit our FAQ page on the topic. If your topic does not have to do with getting us free drugs, please turn your computer on and off until the problem is resolved. Unfortunately, we will no longer be able to assist you with this matter. Our eyes are dolphins.
Sincerely Yours,
MyHandsAreHugeWhatIsMyName"

Oh, I'm sure they'll want to hear about it as much as they do any other support request, anyway.

7 years ago
Permalink

Comment has been collapsed.

Yes I agree steam support is shite, but if this is some wider problem than it would hurt business and they would get on it.
Otherwise, media would have have fun reporting the hack.

7 years ago
Permalink

Comment has been collapsed.

and they would get on it.

If they actually could understand your support ticket well enough to assign priority to it, sure. My point was that they generally respond in batshit ways that make it clear they never properly read your ticket in the first place (so it's rather hard to get important information across to them). It'd be a lot more effective making a reddit thread, getting attention (and perhaps supporting commentary), and waiting/hoping for an official Valve response there.

Meanwhile, the media isn't going to cover an exploit until it's clear it's widespread, so by that point the damage of such a situation (if it is an actual situation) would already be notable.

7 years ago
Permalink

Comment has been collapsed.

i agree

7 years ago
Permalink

Comment has been collapsed.

No idea how they got my password possibly some site linked to my steam account got leaked

This is also fishy non of the sites where you login with your Steam ID get access to your account details so for someone to get your password from another site you'd need to be using the same password there.

7 years ago
Permalink

Comment has been collapsed.

+1

7 years ago
Permalink

Comment has been collapsed.

Could have been a phishing site though - looks the same as Steam login page but it's steamcmmunity.com or something like that. I remember these scams being very popular back in the day.

7 years ago
Permalink

Comment has been collapsed.

But if that's the case then it's the person's own fault for not checking and being careless. Personally, I always double check if I'm on the correct website before I enter my login info anywhere.

7 years ago
Permalink

Comment has been collapsed.

I did not say otherwise, was just pointing out how someone could have gotten confused and lose his account by typing in his credentials on a seemingly legitimate website.

7 years ago
Permalink

Comment has been collapsed.

That's neither an issue with Steam or any legitimate website.

7 years ago
Permalink

Comment has been collapsed.

This cannot be true. They can't bypass your authenticator unless they gain access to your mobile phone. If such, people that has like hundreds and thousands of dollar worth inventory will get hacked other than us who has nothing compared to them.

7 years ago
Permalink

Comment has been collapsed.

or he found out something specific to me i don't know what that would be though i dont understand what happened my cards are gone to not turned to gems or sold or even traded they look to have been deleted without a trace

7 years ago
Permalink

Comment has been collapsed.

Look at trades if they are not in a recent trade you are just having a display bug.

7 years ago
Permalink

Comment has been collapsed.

you screwed up something

7 years ago
Permalink

Comment has been collapsed.

i wish i knew what i havent had anything set up wrong to my knowledge

7 years ago
Permalink

Comment has been collapsed.

I am sorry for you but thanks for the reminder. Time to change the password again.

I also added you to my whitelist as I plan to do some WL GAs later this month. A chance at merrier Christmas is the least I can do for ya :)

7 years ago
Permalink

Comment has been collapsed.

aww thanks man

7 years ago
Permalink

Comment has been collapsed.

They don't need to get access to your mobile phone, they only need to gain access to your recovery code (I assume). Was it written somewhere on your computer ?

7 years ago
Permalink

Comment has been collapsed.

hmm i think it was at one point before being deleted

7 years ago
Permalink

Comment has been collapsed.

I concur with him if they had your recovery code then they can easily gain access to your account

7 years ago
Permalink

Comment has been collapsed.

Something doesn't add up, it'd seem as if not only your steam account but also your phone got hacked. If I were you I would change my password for every single account I had, it wouldn't surprise me if more of your stuff got compromised.

7 years ago
Permalink

Comment has been collapsed.

Not necessarily, if they found his recovery code on his PC that would make his authenticator irrelevant.

7 years ago
Permalink

Comment has been collapsed.

Slightly confused as to how this could have happened, unless they have access to your recovery code - depending on where you keep it, that could've been the area that was accessed/hacked, such as PC documents, email, phone, etc.

Nevertheless, I thought that if you disable the mobile authenticator, then it puts you back into a trade hold, so I'm confused as to how they could have sent stuff over unless you haven't been online recently. Not to mention that if you log in from a new location, there's also a 7-day restriction put onto your account (don't remember if it's just market or everything). Something doesn't add up here, unless the person is someone that you know and have shared the account with?

Someone please confirm, I remember restrictions like this back near the beginning when logging in from my PC vs my parents' PC. Not sure if they changed it more recently.

7 years ago*
Permalink

Comment has been collapsed.

they bought from themselves on the community market and somehow deleted my cards they didn't make them gems they are just gone

7 years ago
Permalink

Comment has been collapsed.

If you have recently enabled Steam Guard via email on your account, you will be unable to use the Community Market for the 15 days after Steam Guard was enabled. Removing Steam Guard or disabling and re-enabling Steam Guard will also trigger this restriction.

If you're in contact with support, I would definitely ask them about the above. It's not possible for them to have been able to disable your mobile authenticator and then use the community market immediately afterwards, unless there's something wrong with Valve's system.

Also this:

Removing a Steam Guard Mobile Authenticator reduces your account security. To help protect your items, you will be unable to trade or use the Community Market for 15 days. In the case your account was compromised, this cooldown gives you time to recover your account and reinstate your security without losing your items.

7 years ago
Permalink

Comment has been collapsed.

ahh ok i will add that to my message right away

7 years ago
Permalink

Comment has been collapsed.

Nice catch.

7 years ago
Permalink

Comment has been collapsed.

I think there's a workaround / exploit to avoid getting a trade hold, if memory serves right it had something to do with the browser cookies.

7 years ago
Permalink

Comment has been collapsed.

holy shit maybe thats where my cards went i never checked trades because i knew you couldnt trade after turning off authentication

7 years ago
Permalink

Comment has been collapsed.

But they would need access to your browser files, they'd need to have hacked your PC and not only your account.

7 years ago
Permalink

Comment has been collapsed.

If you've ever used teamviewer or were still logged into the browser while infected then that's the most likely scenario. Other things not to do: use the email or password you use for Steam anywhere else, send gifts directly to strangers, or use sites or programs that want access to steam credentials (card idlers, gambling/skins/raffles). Somewhere down the line you left an opening for an exploiter to take advantage of. It's very rare for Steam itself to have a backdoor access bug and the people who'd take advantage of it are generally too stupid to know how to find them anyway.

7 years ago
Permalink

Comment has been collapsed.

never even heard of team viewer and i used malware bytes a few hours after the attack when i found out about it and it found nothing

The email thing is possible as my old email password was very similar but not the same and it was discovered and then changed a few months back but that still leaves the question of how they shut off the authenticator

7 years ago
Permalink

Comment has been collapsed.

Malwarebytes is good for what it can find, but I would never rely on it as a single solution. Try a scan with SUPERAntiSpyware (free edition) for example and you'll see what I mean. Also the fact that someone hacked your previous email is a sign that you did something wrong back then too. You seem to be leaving a trail of breadcrumbs. :P

7 years ago
Permalink

Comment has been collapsed.

it didnt seem like anything at the time it just said i logged in from russia and i had been using library wifi and a vpn off and on at the time so i just changed my password and forgot about it

also can you link me to the anti spy thing the website i found for it looks like a windows xp era virus site

7 years ago
Permalink

Comment has been collapsed.

Public internet is risky, VPNs are even riskier. Never trust the free ones or the one time purchase ones.

You're probably on the right site. This is a direct download: http://superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

While malwarebytes is great for malware products, I like this one for worms/trojans/spyware. I use it weekly for all of the tracking cookies I get from doing survey sites and things I need to be adblock-free to access.

7 years ago
Permalink

Comment has been collapsed.

oh my god i just checked and they used several different burner accounts to take everything

7 years ago
Permalink

Comment has been collapsed.

There is no restriction when you have Mobile Authenticator on. At least I didn't encounter one after formatting my PC.

7 years ago
Permalink

Comment has been collapsed.

Yeah, I found out after that there isn't a restriction on different IPs after having Steam Guard on for a certain amount of time. The restriction does, however, get triggered if you disable it, which is what the OP said happened (getting an email about it being turned off), which is why I was confused.

7 years ago
Permalink

Comment has been collapsed.

Yes, disabling the Mobile Authenticator does trigger the restriction (14 days, if I'm not mistaken).

7 years ago
Permalink

Comment has been collapsed.

Deleted

This comment was deleted 6 years ago.

7 years ago
Permalink

Comment has been collapsed.

Could the person have deleted all of the games from your Steam account since they had access to it?

My account got hacked once, but luckily Steam gave me the 1-time account reset and gave me all of the items that had been stolen from me. It absolutely blew loads because I was in vacation out of the country and I just sent them numerous pictures with timestamps to prove that I was the owner of the account and my that I could verify my location. Support was very nice about it. They may ask for any Steam Wallet codes you have redeemed or any product keys.

I highly recommend contacting support ASAP to see if they'll reset your account as well. You just have to make sure that you have no sort of key selling/trading sites anywhere on your profile. It's a 1-time thing, so don't let it happen again though. They may ask for any Steam Wallet codes you have redeemed or any product keys.

TL;DR - CONTACT SUPPORT IMMEDIATELY AND REPORT THE ISSUE. PROVIDE AS MUCH INFO AS YOU CAN

7 years ago
Permalink

Comment has been collapsed.

I will be more than skeptical, this is definitely 100% your fault.
2FA cannot be disabled without accessing to your account or providing proof of ownership

Choose one of them

  • Forget open session somewhere
  • Stolen steam password + stolen mail password (probably same password)
  • Stolen steam password + stolen personal information including address + some credit card info
  • Stolen steam password + stolen backup code
  • Stolen steam password + smartphone got hacked (less likely)
7 years ago
Permalink

Comment has been collapsed.

Deleted

This comment was deleted 7 years ago.

7 years ago
Permalink

Comment has been collapsed.

Did you even read the thread?

7 years ago
Permalink

Comment has been collapsed.

Please delete the part where you recommend to not use mobile auth. that is simply bad advice. mobile auth definitely makes your steam account a lot safer. as others said, it is very possible that either your phone was hacked or you made some sort of mistake. maybe it was even a friend of yours who used your phone when you were in the bathroom or whatever. i really doubt there is a reliable method to hack mobile auth. if there were, we would hear lots more stories from people who actually have some serious value on their account (i'm talking hundreds or thousands of dollars, not 21). anyway, sorry this happened to you. but please don't tell people to make their account less safe. because that's what you're doing here. :)

7 years ago
Permalink

Comment has been collapsed.

I absolutely agree. Unless you have prove that mobile auth actually lessens security, advising to disable it is a disservice to other users.

Also, I am truly sorry that this happened to you, but I really don't see how the fault lies with the mobile auth.

7 years ago
Permalink

Comment has been collapsed.

just a personal warning this could be just me but watch your log ins next time and see if you start noticing it not ask for 2 step verification

7 years ago
Permalink

Comment has been collapsed.

I always have to use my phone to enter the authentication code. I have used this for a long time now. The only place where I don't need the code is from my old desktop PC (which I haven't used in a year) because I have auto log in activated (not sure if that system still doesn't ask for a code, but I would think so).

But, as I said, advising people to not use the mobile auth is simply not a good or fair advice, unless you have prove that it actually lessens security. And that is certainly not the case, even in your example. It may not have helped to secure your account as intended, but it didn't make it more vulnerable.

7 years ago
Permalink

Comment has been collapsed.

It shows a misunderstanding of what allowed this to happen.

7 years ago
Permalink

Comment has been collapsed.

The only time I've seen a failure to ask for 2-step is during browser transactions where identification was previously provided.

7 years ago
Permalink

Comment has been collapsed.

+1

7 years ago
Permalink

Comment has been collapsed.

21 is the amount of wallet credit they stole they took well over a hundred dollars in cards and tf2 items

Also my phone never touches anyone elses hands and no one else knows my password also it was off at the time as in it didn't have any texting or calling privileges necessary for this

7 years ago
Permalink

Comment has been collapsed.

Have you ever used the "remember password" option on Steam App or a browser to access your account? Though it was supposed to work only on "trusted" devices, that's the easiest way to bypass the mobile authentification.

7 years ago
Permalink

Comment has been collapsed.

the browser pop up or does steam offer this in the thing?

7 years ago
Permalink

Comment has been collapsed.

You can set this in the steam client on log in.

7 years ago
Permalink

Comment has been collapsed.

And steamcommunity.com has this option if you log in with your browser, too.

7 years ago
Permalink

Comment has been collapsed.

Sure you didn't use that fishy steam card giveaway/ref link site?

7 years ago
Permalink

Comment has been collapsed.

As far as I know once you disable SteamApp you have a trade hold again (I know since I changed mobiles and had to do it) so I am sorry to say but there is something weird in what you are saying.
From what you said the only way they could have done anything is through your mobile..

And on the side note:
"You can remove two factor authentication from your account by opening the Steam Mobile App, navigating to the Steam Guard menu item, and selecting "Remove Authenticator". This will bring you to a confirmation window, where you can confirm your choice by selecting "Remove Authenticator" again."

One more thing that states you got your mobile jacked

7 years ago
Permalink

Comment has been collapsed.

You can change your mobile without a trade hold (if you still have access to the old one): Install Steam on the new phone, when ask enter the code from the old phone and voilà you can use your new phone wihtout any hold.

7 years ago
Permalink

Comment has been collapsed.

It gives you a trade hold of a few days (2 if I remember) not 7. At least it did for me when I changed my mobile a few months ago (did like you said) :)

7 years ago
Permalink

Comment has been collapsed.

No hold for me, I've done it one month ago when I go back to Android, I guess I was lucky :D

7 years ago
Permalink

Comment has been collapsed.

Must be XD
But anyway they didn't move the app to new phone according to him but disable it, so there would be a trade hold for that :)

7 years ago
Permalink

Comment has been collapsed.

D:

7 years ago
Permalink

Comment has been collapsed.

Deleted

This comment was deleted 6 years ago.

7 years ago
Permalink

Comment has been collapsed.

Don't have to be a dick about it... The man just lost $20

7 years ago
Permalink

Comment has been collapsed.

Deleted

This comment was deleted 6 years ago.

7 years ago
Permalink

Comment has been collapsed.

I can't figure it out I hadn't installed anything I had spent the previous 2 days watching 12 oz mouse on adult swims website I didn't give any information to anyone I logged into some accounts I use all the time that link to steam but thats about it that I can think of

7 years ago
Permalink

Comment has been collapsed.

Deleted

This comment was deleted 6 years ago.

7 years ago
Permalink

Comment has been collapsed.

check your PC for any spy-ware or any web browser application that requests to read your data on all websites. I'm pretty sure you are hacked by spyware

7 years ago
Permalink

Comment has been collapsed.

What really seems strange to me,you say, that the hacker removed your 2FA und stole your cards and stuff. How's that even possible? Last time I had to remove my mobile authenticator due to some technical issue, there was a full trade lock for 15 days after removing it. So when remvoing 2FA, one should not be able to trade or sell even a single trading card worth only a cent, right?

7 years ago
Permalink

Comment has been collapsed.

Yep, as I said they had to have his mobile for this thing to be done as he is stating..

7 years ago
Permalink

Comment has been collapsed.

++++++++++++

7 years ago
Permalink

Comment has been collapsed.

That's what I don't understand I checked the times on trades most are around 10 minutes before the email saying authenicator was removed but the email takes time to reach my account and the last few are 10 minutes past the date

7 years ago
Permalink

Comment has been collapsed.

well, you only get the market notification when an item is sold... so if they put all items up at once before taking them, this scenario seens plausible:

  1. add everything to trade / sell
  2. revoke 2FA
  3. confirm all trades
7 years ago
Permalink

Comment has been collapsed.

Sign in through Steam to add a comment.