I just got my Steam account phished, because my friend sent me the link. After I logged in to my account on this website, my Steam Guard was unlocked and my password was changed. I think my friend's account was also hacked, because my other friend also received the same letter from my account after I was hacked. Now I have passed the case to Steam support and am waiting to receive their letter; hopefully I can take back my account. I am writing it here because I don't want other people to make a stupid mistake like me.

PS: After I checked the coding of the website, I found that it is a simple HTML format, sh........

5 years ago*


You get hacked, and YOU get hacked, everyone gets hacked!

5 years ago

I looooooove waffles <3

5 years ago

I don't know why, but I'm still laughing... XD

5 years ago

You're not alone. Even though I know it's coming, it still gets me every time.

5 years ago

XD

5 years ago

So giving the link, you want more people to get hacked?

5 years ago

Sorry, it is already removed

5 years ago

Link the remove!

5 years ago

He has no life.

5 years ago

You think I care about it? -.-

5 years ago

Cared enough to lowkey insult a support member in a topic where he contributed something, while you did not. And you're here as well. So, based on your own comment, no life and not even useful - how does it feel? :D

5 years ago

As I already wrote,

You think I care about it? -.-

5 years ago

You care enough to reply, so yes, you do care. As I already said :D

5 years ago

Don't bother, he is special.

5 years ago

So true

5 years ago

It's better entertainment with Good vs Evil though. ;)

5 years ago

So. What was it though? Was it just some site spoofing the Steam Login page?

5 years ago

after I login my account on this website

5 years ago

Why should somebody hack a level 6 account? -.- What's the true story? I never hear something like "I clicked on a link and lost my account" -.-

ps.: If your account was hacked and the password was changed, what account is this here on steamgifts? You shouldn't be able to log in if your password had been changed.

5 years ago

He put his login credentials into a non-steam window. That crap is bound to happen :/

Hack probably isn't the proper term, they just used the information that LonelyMoon gave to them.

5 years ago

But he should get a message at the Steam authenticator. If he also used this code then it's not hacking.

5 years ago

Yea, that's what I said, hacking is not the correct term. I just assumed he stuck in his authentication code when the fake prompt came up.

5 years ago

Yup, my term is wrong, it is not hacking; ExpuedWaffle said the right things.

5 years ago*

Hack probably isn't the proper term

The term is phishing.

5 years ago

Yep.

5 years ago

What is with SteamGuard protection?

5 years ago

I guess the site also triggers the Steam Guard and asks you for the code; if someone is dumb enough to put their password on the site, giving them the Steam Guard code is just one step more.

5 years ago

But the code expires within seconds. I don't think that the scammer was right behind the computer waiting for someone to fall for it.

5 years ago

it's automated

5 years ago

Of course he wasn't, writing a phishing site is even easier than logging in inside ASF.

5 years ago

I don't understand how they could possibly use your login info to turn off Steam Guard? You always need a new Steam Guard code to log in as far as I know.

5 years ago

This. Whenever I see someone say they got "hacked" it never makes sense. There is always more to it.

5 years ago

That's why you should always look at the link you get before logging in; if you can't see the Valve lock next to the link, then get out.

5 years ago

what is that browser called? looks neat
or maybe it's just me using the older chrome theme lol

5 years ago

using Firefox Quantum that's all

5 years ago

Funny to read that when Steam refused to use HTTPS until really not long ago ^^
(but yeah, I agree)

5 years ago

Steam used https on login page since ages, I don't remember if there even existed one point at a time when it didn't - maybe in 2003, but definitely not when I was starting having fun with the platform, and that was good 6 years ago at the very least. I also don't remember if things were different when I was joining the platform 10 years ago, I'm pretty sure https on login page already existed back then.

No, using https everywhere is not always required or possible. The general tip from PurpleAshe stands and is universal across all platforms and all services you can interact with - if you're inputting sensitive details, always ensure that site is not only https, but also signed with trusted SSL certificate that confirms authority.

5 years ago

Logging in on HTTPS only to then use that session cookie over an unsecure connection is almost useless. A year ago it was still a nightmare to try and force HTTPS everywhere on steam community: https://github.com/EFForg/https-everywhere/issues/12477

5 years ago

Under normal circumstances no third-party site will be able to fetch Steam cookies, and if you're talking about OS breach then you don't even need to go that deep, since your machine is already compromised and you have full access to everything, including his session in Steam client. You never talk about security if you assume that attacker has physical access to protected files.

Moreover, session token is verified against IP (and also UserAgent IIRC), so even if you somehow sniffed it through insecure traffic (next to impossible if you're not a LAN attacker), it'd be useless for you. You'd need to spoof entire network communication, and since session token is used only for TCP-based http(s) services, you'd never get past initial SYN/ACK reply. Unless somehow you'd be in charge of doing man-in-the-middle attack in addition to sniffing traffic, but then it's the same case as physical access to protected files. You'd also need a lot of effort for that, but that's irrelevant.

So no, from all the shit that Steam does and everything I have to go through, this one nifty detail with securing only login window wasn't irrational. It worked and wasn't flawed. Extending that secure connection to everything else, while clearly beneficial, was not a requirement to make things secure. The objective was to secure transmission of sensitive login details, since those actually could be sniffed and made use of. MITM attack is possible even with fully encrypted channel, so it's not really beneficial to go this route.

5 years ago*

My secondary FB account got hacked because FB forced me to add a phone number in the past and I used a temporary phone number. Thanks FB for forcing me to lower my account security :x (no, no way in Hell I'm giving my real phone number to Suckerberg)
Gladly, I noticed promptly and recovered my account in a few seconds from my e-mail.

5 years ago

I hope you learnt from your mistake, because if you did it on Steam then you'd probably be vac banned by now, with around 90% odds at least.

5 years ago

What mistake? FB doesn't have to require my phone number, it will actually soon be made illegal by GDPR to force people to hand over personal data which are not technically required.
Steam is a different story, they're not even close to being as Big Brother-ish so I don't mind too much giving my real phone number (plus they don't require a phone number, so when I don't want to give it I just don't give it, no need for a phony one ^^).

5 years ago

This mistake that you luckily avoided, but not because of logic or knowledge, but pure blind luck.

No, Valve would not reverse that ban, regardless of your reasoning. If you did what you claimed with both services, you'd regret it and blame your stupidity for the rest of your Steam life.

NEVER use publicly accessible phone number for anything security-related. It's better to not use 2FA at all, rather than using something as shitty as that.

5 years ago

So... it would be a mistake to do this on Steam. Doesn't make it a mistake to do this on a secondary FB account 👀
I love your commitment to privacy, too

NEVER use publicly accessible phone number for anything security-related. It's better to not use 2FA at all

It wasn't for anything security-related, it was just because Suckerberg forced me to enter a phone number.

5 years ago*

It's a security flaw regardless how you look at it and regardless how much you don't care about the account you've just set up. Only because you don't care doesn't make it right to set it up like you did, you can only relate to how much that mistake will cost you, from "I couldn't care less" to "I'd be very happy to find out all my bank funds in a bank of China". The mistake is there, and should be corrected, because it's a security flaw that basically makes your account accessible to anybody having access to that phone number, without even your login details, as phone number is considered one of many authentication methods, especially for account recovery, and it's even stronger than e-mail.

Even using one-time sim card worth 5$ tops would be more secure than this.

5 years ago*

and it's even stronger than e-mail

It shouldn't be, particularly as FB allows the use of PGP-encrypted e-mails.

Anyway, it turned out great: I had no trouble recovering the account, and was able to delete the phone number without setting a new one. As a bonus I got to pin the (real) phone number of my hacker on my wall 🙃 All-in-all, a pretty fun adventure that would never have happened had I caved in and given my real number in the first place 👀

5 years ago

hand over personal data which are not technically required.

A phone number requirement is an attempt to battle against fake FB accounts. So, it's technically required in that sense.

5 years ago

You don't have steamguard or what?

5 years ago

The website they went to prompted them for the SteamGuard code, they put it in, the site then immediately used it to log into their account. After that it gets murky.

5 years ago

Wow. I mean, those "hackers" should have asked for credit card number & cvv instead.

5 years ago

People are more likely to enter their Steam credentials than their credit card info on some random site.

5 years ago

You mean like that? 👀

5 years ago

The same thing happened to me in 2009. Just show them your payment screenshot when they ask and they will change the password. Don't worry, Steam support will retrieve your account.

5 years ago

Interesting, you need steam guard to login, then you need it again to change the password?
How many times did they ask for your steam guard code?

5 years ago

They would have had to enter it once to log in, again for the password change, and again to disable SteamGuard. Those could all happen in quick succession, with the website saying that the previous attempt didn't work and prompting them for the code again, but does seem strange.

5 years ago

If you slightly switch the order and disable SG (SteamGuard) first, then you no longer need it for changing the password, effectively making it 2 tries total.

And chances are, OP didn't even notice when site prompted him to try again. We tend to notice something is out of order once it doesn't work for the second time, not the first one.

Moreover, I'm pretty sure there is a way to do it in one-go without even wasting initial token for logging in, but I'd need to verify that first and I'm too lazy for that. So 2 SG codes are definitely enough, perhaps even 1 when used specific reset option, if Steam permits.

5 years ago*

Wow, I'm really glad you're not a diabolical mastermind bent on harvesting our Steam account logins. :)

5 years ago

That's exactly what he wants you to believe...

5 years ago

Want some free candy?

5 years ago

YES BACTERIAS

5 years ago

seems legit

5 years ago

Well, the least you can do before logging in to a third-party website is to make sure it has a https:// extension.

5 years ago

https:// by itself doesn't prevent this.

5 years ago

https:// websites are encrypted by TLS or SSL and thus prevent MITM attacks. This is of course a case of MITM/Phishing.

5 years ago

Yes, that's a Phishing attack and TLS/SSL can't prevent that. And MITM is a different kind of attack.

5 years ago

Only you can protect yourself from a phishing attack because it isn't active hacking, it's social engineering.

5 years ago

https:// websites are encrypted by TLS or SSL and thus prevent MITM attacks.

Yes

This is of course a case of MITM/Phishing.

No it isn't. MITM and phishing are two separate things. Encryption doesn't prevent phishing.

If you want to prevent phishing, you need to make sure that the site's certificate is actually from Valve.

5 years ago*

SSL prevents MITM. It indeed doesn't prevent Phishing though but it's difficult to get an SSL certificate for a phishing site. At the very best, you'd use Comodo to get an extension because they're lazy AF. The thing is SSL can protect your connection, the mobile authenticator too has a harmful website alert feature.

5 years ago

Eh no, with letsencrypt around you can get free SSL certs for any amount of domains you own. Everybody can get valid, free, safe and trusted certificate today, hence most common DV (domain validation) certificates do not prove anything, but secure connection between you and the server, and that's everything. However, EV (extended validation) certs actually do, since they're much harder to get and always involve name of the company being visible next to green lock.

https://steamcommunity.com will say "Valve Corp. [US]"
https://asf.justarchi.net/STM won't say anything, since it's not EV certificate

5 years ago*
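
The DV/EV distinction described in the comment above, as an added example that is not part of the original thread: a Python check that treats "has a padlock" and "is the expected site" as separate questions. The certificate dictionaries mimic the shape returned by `ssl.SSLSocket.getpeercert()`; the sample certificates, the `.example` hosts, the function names and the expected organization string (taken from the "Valve Corp. [US]" label quoted in the comment) are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the only login host named in the thread.
EXPECTED_HOSTS = {"steamcommunity.com"}

def subject_field(cert, name):
    """Read one subject attribute from a getpeercert()-style dict."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == name:
                return value
    return None

def assess_login_page(url, cert, expected_org="Valve Corp."):
    """Return a list of findings; an empty list means every check passed."""
    parts = urlsplit(url)
    # .hostname drops any "user@" prefix and the port, so lookalike
    # URLs are judged on the host the browser would really contact.
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    # Exact match or true subdomain only; a substring test would accept
    # "steamcommunity.com.login.example".
    if not any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS):
        findings.append("unexpected-host")
    org = subject_field(cert, "organizationName")
    if org is None:
        # Domain-validated: proves control of the domain, nothing more.
        findings.append("dv-cert-no-identity")
    elif org != expected_org:
        findings.append("org-mismatch")
    return findings

# Constructed sample certificates (not captured from any real site).
EV_CERT = {"subject": ((("countryName", "US"),),
                       (("organizationName", "Valve Corp."),),
                       (("commonName", "steamcommunity.com"),))}
DV_CERT = {"subject": ((("commonName", "phish.example"),),)}
OTHER_ORG_CERT = {"subject": ((("organizationName", "Example Ltd"),),
                              (("commonName", "steamcommunity.com"),))}

if __name__ == "__main__":
    samples = [
        ("https://steamcommunity.com/login", EV_CERT),
        ("https://steamcommunity.com@phish.example/login", DV_CERT),
        ("http://steamcommunity.com.login.example/", DV_CERT),
        ("https://store.steamcommunity.com/", OTHER_ORG_CERT),
    ]
    for url, cert in samples:
        print(url, "->", assess_login_page(url, cert) or "ok")
```
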

Yeah, LetsEncrypt and Comodo both provide free SSL certifications.

5 years ago

jommajoo

is it your first day @steam?

5 years ago

Contact steam support!!

5 years ago

Closed 5 years ago by LonelyMoon.