
BEWARE STEAM ACCOUNTS BEING HACKED!

SRS13Rastus
Trying to get this as much exposure as possible.
Had my Steam account hacked 2 days ago but was able to recover it and change my password.
So far I know of at LEAST 7 people this has hit.
A message is sent asking you to vote for their CSGO team with a link to a page requiring you to link your Steam account.
Any chance you could add summat about this in a vid to help spread the word?
Takes the p!$$ that this happens and Steam never does ANYTHING pro-active, just waits for people to complain and try to recover their accounts.
It's quite frankly disgusting that Steam apparently doesn't care about anything other than the contents of our wallets as this happens year after year...
 
Thanks,
SRS13Rastus.

Just now, SRS13Rastus said:

A message is sent asking you to vote for their CSGO team with a link to a page requiring you to link your Steam account.

This is not a new thing, this has been happening for a decade already.

1 minute ago, SRS13Rastus said:
Takes the p!$$ that this happens and Steam never does ANYTHING pro-active, just waits for people to complain and try to recover their accounts.
It's quite frankly disgusting that Steam apparently doesn't care about anything other than the contents of our wallets as this happens year after year...

What do you expect them to do? They already warn you not to log into such sites, they warn against these kinds of scams. They can't just go and magically take down sites they don't own, so there isn't all that much they can do!

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


If you want to help protect others from being phished, here's some things you can do:

Make sure to quote me or use @PorkishPig to notify me that you replied!

 

 


This is just being smart on the internet. Why would you give your Steam password to something that isn't Steam?


9 minutes ago, SRS13Rastus said:
So far I know of at LEAST 7 people this has hit.
A message is sent asking you to vote for their CSGO team with a link to a page requiring you to link your Steam account.

Don't provide your Steam login details to anyone or log in to any websites other than store.steampowered.com

Use multi factor authentication

Never use the same passwords across multiple sites

Don't click on links sent to you by people you don't know


Just now, ragnarok0273 said:

What's a Steam account?

idk I think it's an account a steam train conductor uses

Either @piratemonkey or quote me when responding to me. I won't see otherwise

Put a reaction on my post if I helped

My privacy guide | Why my name is piratemonkey PSU Tier List Motherboard VRM Tier List

What I say is from experience and the internet, and may not be 100% correct


52 minutes ago, SRS13Rastus said:
Takes the p!$$ that this happens and Steam never does ANYTHING pro-active, just waits for people to complain and try to recover their accounts.
It's quite frankly disgusting that Steam apparently doesn't care about anything other than the contents of our wallets as this happens year after year...

Steam or Valve isn't at fault for mistakes you made. Just have 2 factor authentication on your email and steam account and you would have been fine, even if you shared the same password (though you shouldn't share the same password for different accounts anyway).


These scams have existed forever for pretty much every well-known site where account trading/theft is profitable


don't share your login details for any website on any other website... it's not just Steam, it's everywhere... you really can't blame them if you're the one who gave your details willingly in the first place... it's the end of 2020 already, don't get baited by freebies and giveaways that ask for your login details...


2 hours ago, SRS13Rastus said:
Takes the p!$$ that this happens and Steam never does ANYTHING pro-active, just waits for people to complain and try to recover their accounts.
It's quite frankly disgusting that Steam apparently doesn't care about anything other than the contents of our wallets as this happens year after year...
 

Why is this Steam's responsibility? there is going to be literally thousands of people doing things exactly like this to obtain your account information. how do you expect them to do anything more than they already do?

I would say that 2FA is pro-active. if people don't use it, not steam's fault.

 

 

Also per steam's ToS (which is pretty stock standard and....you know....common sense)

Quote

C. Your Account

When you complete Steam’s registration process, you create a Steam account ("Account"). Your Account may also include billing information you provide to Valve for the purchase of Subscriptions, Content and Services and any physical goods offered for purchase through Steam (“Hardware”). You may not reveal, share or otherwise allow others to use your password or Account except as otherwise specifically authorized by Valve. You are responsible for the confidentiality of your login and password and for the security of your computer system. Valve is not responsible for the use of your password and Account or for all of the communication and activity on Steam that results from use of your login name and password by you, or by any person to whom you may have intentionally or by negligence disclosed your login and/or password in violation of this confidentiality provision. Unless it results from Valve’s negligence or fault, Valve is not responsible for the use of your Account by a person who fraudulently used your login and password without your permission. If you believe that the confidentiality of your login and/or password may have been compromised, you must notify Valve via the support form (https://support.steampowered.com/newticket.php) without any delay.

If you're logging onto non-steam websites using your steam account info, that counts as negligence. Why should steam be responsible for fixing stupid people's negligence?

 

2 hours ago, SRS13Rastus said:

this happens year after year...

And yet those 7 people you know still fall for it. That's on them. 


2 hours ago, WereCatf said:

This is not a new thing, this has been happening for a decade already.

 

2 hours ago, handymanshandle said:

Very old scam, no shock that it's still as strong as ever.

 

people are "linking" their accounts all the time, of course it is a huge security risk and you should ask yourself why that's even a thing... 

 

This isn't only Steam, it's basically every "service" nowadays, linking accounts is something people do without thinking and there's usually little to no confirmation that it's a safe thing to do.

 

1 hour ago, AndreiArgeanu said:

Steam or Valve isn't at fault for mistakes you made. Just have 2 factor authentication on your email and steam account and you would have been fine, even if you shared the same password (though you shouldn't share the same password for different accounts anyway).

I'm pretty sure they gave them their Steam password directly... which is what you have to do "linking" accounts and why it's a big risk (people are apparently unaware of) 

 

 

The direction tells you... the direction

-Scott Manley, 2021

 


1 minute ago, Mark Kaine said:

people are "linking" their accounts all the time, of course it is a huge security risk and you should ask yourself why that's even a thing... 

 

This isn't only Steam, it's basically every "service" nowadays, linking accounts is something people do without thinking and there's usually little to no confirmation that it's a safe thing to do.

Keep in mind that how most legitimate sites handle Steam integration is simple: they're only supposed to get a simple token that tells the site that you used your account to integrate it into said site. Ideally, it's a token that confirms your account and nothing else. I won't claim to 100% know what that information entails outside of acknowledging it's your account, but that's what it's supposed to be.

Any site claiming to be Steam (or claiming to offer Steam integration) and requires you to log into your Steam account when you're already signed into Steam in said browser isn't legitimate period.

Check out my guide on how to scan cover art here!

Local asshole and 6th generation console enthusiast.


1 minute ago, Mark Kaine said:

I'm pretty sure they gave them their Steam password directly... which is what you have to do "linking" accounts and why it's a big risk (people are apparently unaware of)

No. When you link accounts, you're only granting a token to the service to access the other service; you're not giving them your actual credentials. What that token permits and how easy it is to revoke depends on the service and, in some cases, the tokens have an expiration-date assigned to them as well.


14 minutes ago, handymanshandle said:

Any site claiming to be Steam (or claiming to offer Steam integration) and requires you to log into your Steam account when you're already signed into Steam in said browser isn't legitimate period.

 

14 minutes ago, WereCatf said:

When you link accounts, you're only granting a token to the service to access the other service

you're right that's how it ideally should be - but in my experience rarely is. for example :

linking my youtube account to steam : steam would connect to youtube somehow, then youtube asks for my *password* and only after typing my password the accounts are now "linked"... 

 

 

The only way I know this isn't a scam is that it actually works and I can indeed access my youtube videos through Steam now... 

 

I guess you could somehow check the URL of the site you're logging into but to my recollection that isn't even necessarily shown, it's just a window that basically claims "we are youtube"... 

 

same thing with GeForce experience btw, yes there's a Google log in screen, but no URL, no browser, no way to check this is actually the site it's claiming to be (until after the fact) 

 

I get what you're saying but this token thing only happens if you're using a browser where you're actually logged in already, as soon as you're using any kind of "app" this stops being a thing and it's all just the darkest wild wild west... ¯\_(ツ)_/¯

 


2 minutes ago, Mark Kaine said:

I guess you could somehow check the URL of the site you're logging into but to my recollection that isn't even necessarily shown

Use a better browser. Firefox does show the URL.


2 minutes ago, WereCatf said:

Use a better browser. Firefox does show the URL.

read it again, there isn't necessarily a "browser" involved, depending on what app you use. 

 

There are hundreds of services / apps that work that way... you can only "link accounts" by typing your username and password into an obscure window... This shouldn't be a thing, but it is, and it's a high security risk companies like Google, Steam, etc don't seem to care about at all, and is often the *only* way to link accounts too (in case of GeForce Experience for example) 

 

"Use another browser" isn't a solution therefore. 


-> Moved to PC Gaming

 

This is hardly anything new or special. So no reason for it to be in General Discussion.

^^^^ That's my post ^^^^
<-- This is me --- That's your scrollbar -->
vvvv Who's there? vvvv


As others have said, this isn't new, and there's nothing a company can do to stop phishing. This falls under users using common sense.

 

General tips on securing an account (in no particular order) ;

 

  • Use a short phrase for a password (longer is better) rather than just a few characters
  • DO NOT reuse passwords (this is often how people get their whole digital life stolen)
  • Enable 2FA / MFA, always ! (if available)
  • Avoid shortened links (to give you an idea, these types of links aren't allowed here)
  • Take a GOOD look at the URL (HTTPS, domain name**, etc..)
  • If you're already logged in to a site, then click on a link and it asks to login again, DON'T !!! Go to the previous point, and have a look at the URL

 

** lots of people don't understand domain names, for example, linustechtips.com is the domain name, you can have subdomains; help.linustechtips.com or support.linustechtips.com are subdomains, but linustechtips.com.help isn't part of the LTT domain, the ACTUAL domain is the LAST part of the address; com.help, that's often how phishing is done, they create a subdomain with the name the user is expecting, under their main domain (so the first part you see is what you're expecting, like; google.com.bsdomain.com)

Edited by wkdpaul

If you need help with your forum account, please use the Forum Support form !
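
The right-to-left domain check described in the post above, as an added example that is not part of any poster's message or of the forum's own code. The `TRUSTED` allowlist and the sample URLs are assumptions constructed for illustration; the check also requires HTTPS and ignores anything before an `@` in the address.

```python
from urllib.parse import urlsplit

# Assumption of this example: the domains you actually hold accounts on.
# Both names appear in the thread; the allowlist itself is hypothetical.
TRUSTED = {"steampowered.com", "linustechtips.com"}


def real_host(url):
    """Return the host a browser would connect to for an https URL, else None."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname          # drops any "user@" prefix and the port
    except ValueError:                 # malformed netloc, e.g. an unclosed "["
        return None
    if parts.scheme != "https" or not host:
        return None
    try:
        # Normalise to ASCII so Unicode lookalike letters become "xn--" labels
        return host.rstrip(".").encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None


def trusted_domain(url, trusted=TRUSTED):
    """Return the allowlisted domain that owns the URL's host, or None."""
    host = real_host(url)
    if host is None:
        return None
    labels = host.split(".")
    # Read right to left: test each dot-separated suffix, longest first.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in trusted:
            return suffix
    return None


# Constructed sample URLs (not taken from any real campaign).
SAMPLES = [
    "https://help.linustechtips.com/",
    "https://linustechtips.com.help/",
    "https://google.com.bsdomain.com/login",
    "https://store.steampowered.com@bsdomain.com/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u:50} -> {trusted_domain(u) or 'NOT TRUSTED'}")
```
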


Of course it has something to do with cs go gaming


I never vote for anything on Steam, would have never linked my Steam account and lastly I only play SP games. I have no interest whatsoever in some old crap like CsGo.
