Steam Account Lost - Recovering it, but where did I go wrong?

[ThundyUK]

Hi folks,

 

Sorry if this in the wrong forum please feel free to move it

 

As the title says someone somehow got into my Steam account, and whilst I’m recovering it I am a bit unsure how it happened so I was hoping if I ran a timeline for you, you could tell me where I likely went wrong, or if I even haven’t gone wrong & if it’s something more sinister.

 

Yesterday evening I was playing Rust on my brother’s spare PC on my Steam account whilst my PC was getting set up. This was all fine, and no issues. When my PC was set up I logged out and then logged back into my PC and began playing Rust. This was about 8pm in the evening UK time. I used the Steam QR code scanner on my phone  to quick log in – this is the first time I’ve ever used the Steam Guard / Authenticator app to do this, though I’ve had it installed for some time.

Nothing odd happened, just playing with some mates on usual Rust servers.

 

The next morning about 11am I was playing again and then some kind of notification came up on my PC from Steam, but I didn’t see what it was. Rust then closed, and Steam kicked me out. I tried to log back in immediately but it stated my password was wrong.

 

I checked my Gmail account, and there was an email stating that there had been a new login from a Russian Oblast – this was from noreply@steampowered.com – I was a bit suspicious at this point so scrutinised the email closely, and the domain too. Both were 100% genuine, no spelling errors, and the domain is the same as I’ve received before (steampowered.com) and given I’d just been kicked out of Steam it made sense that they’d alert me.

At this point, I tried to reset my password however when I did this by using the reset password using my email address option, Steam informed me that my email was not recognised.

 

So clearly the people who hacked my account had already changed the registered email address!

 

I received an email at this point stating as such – I’m paraphrasing but basically it said the email associated with your account has been changed. Again, the email looks 100% genuine, no errors in spelling, and the domain once again steampowered.com (noreply@steampowered.com is the sender). On this email, there is a link to follow should this not have been me who removed the email. As the email looks 100% genuine, and is the right domain I click this link (I think this might have been a mistake but I don’t know as I thought domains couldn’t be faked?). This then prompts me to reset my account with the Steam Guard (authenticator) app on my phone, and sends me a code. I try reset the account using this code but it doesn’t work. I get a bit hazy here – but the next thing that happens is the Steam App on my phone also kicks me out, and I get an email saying that the phone number associated with my Steam account has been changed.

 

And that it’s, I’m completely locked out with no possible self-service recovery.

 

So, what happened?

 

Like, how did someone in Russia log in whilst I was logged in from within the UK then within a matter of five minutes change my password, email, and phone number?

 

How were they able to log in in the very first instance as I have 2FA enabled (as in, they might have got my username and password, but why didn’t it stop them logging in and kicking me off Rust without asking THEM for the 2FA code, even if I got phished later).

 

And where did I go wrong?

 

Thanks for the advice.

 

It’s happened, I’m sorting it out, but I’m just puzzled as to what happened (especially they logging in whilst I was online and superseding my session without access to 2FA via the app)

 

Cheers

[BeefSupreme]

Have you clicked any links sent to you by other players on Rust? Have you logged into any websites using "Login with Steam" recently? Bypassing your 2FA is strange, unless they got access from you somehow. Did you hover your mouse over the hyperlinks in those emails to see if they were actually going to steampowered.com? Spoofing email addresses is really easy, so if you're suspicious of an email it's always better to go directly to the website instead of clicking links within the email. Fake landing and login pages are also not very difficult to create with the time and know-how.

[Stahlmann]

Without having physical access to your phone they shouldn't be able to bypass Steam Guard. Even if they don't physically have your phone, they need access to your phone number and it's received messages to get rid of Steam Guard. The login from Russia might not mean much, could be a VPN location after all.

 

So if you didn't give your phone to someone else recently, I'm puzzled how they bypassed 2FA.

[BrandonLatzig]

Given enough time, luck and just sheer determination, anything is possible. You can do everything right but still lose. Just have ways to recover it, always keep your receipts and be on (relatively) good terms with support

[ThundyUK]

On 3/14/2024 at 11:23 PM, BeefSupreme said:

Have you clicked any links sent to you by other players on Rust? Have you logged into any websites using "Login with Steam" recently? Bypassing your 2FA is strange, unless they got access from you somehow. Did you hover your mouse over the hyperlinks in those emails to see if they were actually going to steampowered.com? Spoofing email addresses is really easy, so if you're suspicious of an email it's always better to go directly to the website instead of clicking links within the email. Fake landing and login pages are also not very difficult to create with the time and know-how.

 

Hi there, sorry for the delay.

 

No, I never click any links anyone sends me. In fact my older brother tells me never to even open a link in an email and to go the site in question - even if it 's looks 110% genuine. The same with a phone number - hang up on it, Google it,  find out who it was !

 

I even do won't browse the internet on my PC to help keep it safe. 

 

Here's the email  (attached) - it's hard to show but if you look at the bottom left there is the URL sent to me by Steam - it looks genuine to me.

 

I clicked the link which is -  https://help.steampowered.com//en/wizard/HelpWithLogin and seems legit. It all went wrong then. 

 

 

Like @Stahlmann said above, I don't understand how they've gained access to the 2FA.

[ThundyUK]

I've just noticed there's two / after the Steampowered part of the URL is that anything?

[ThundyUK]

Well, just by way of an update and a PSA really.

Steam support are asking for photographic evidence of a physical copy of a CD key I've activated a game on Steam with.

 

I barely even remember games coming in boxed and CDs - and I've certainly never activated one on Steam, but support will not under any circumstances reinstate my account without one. They're asking for something I cannot possibly provide so my account, and the probably thousands I've spent on it, are gone forever.

 

Everyone be warned.

 

*edit*

 

It's emerging that in March that Valve have had a data-breach, leaking account details of many people. Support are responding by banning the affected accounts from the community areas, and locking the ability sell items on the marketplace. They're also reportedly asking people for CD keys and bank card details going back - in some cases - 20 years. The majority of people obviously can't provide this and therefore are not able to unlock their accounts. There's reportedly a huge backlog in support cases and the Steam support team are becoming increasing flippant with people. 

 

I don't think this will change anything for me to be honest.

 

 

[Stahlmann]

Tbh this support Email seems like a scam again. Asking for 3rd party game keys isn't something I'd think official Valve support would do.

 

There is also an account specific Steam recovery key that is supposed to be the last bastion of saving an account if someone else breached it. They show it to you when you set up the 2FA.

[ThundyUK]

4 hours ago, Stahlmann said:

Tbh this support Email seems like a scam again. Asking for 3rd party game keys isn't something I'd think official Valve support would do.

 

There is also an account specific Steam recovery key that is supposed to be the last bastion of saving an account if someone else breached it. They show it to you when you set up the 2FA.

 

Aye, but the problem is Steam Guard was also logged out on my phone when they took over the account, and I think that's where it's meant to be? I can't get into it though.

 

Rumours are abounding now that Steam Guard itself was compromised there are almost one million tickets filed with support.

It makes sense too to me - of my six close friends and family, I'm the only one using Steam Guard and I am also the only one who lost my account. Even my siblings in the same house as me are unaffected.

 

Steam Support have really left me feeling let down and bereft here. I can even prove that I was logging in from the same static IP I always use when at this  house, and my siblings are still using it too. Of which one of them has sent me gifts on Steam. The level of proof I am the rightful owner is beyond insane, and yet here we are - asking me for a CD key that I've never had.

 

https://store.steampowered.com/stats/support/ - almost a mil tickets now

 

PS The support email is legit, at least, it's being managed from the true Steam website so if it's hacked, all of Steam is. Would not surprise me at this point actually

[BeefSupreme]

On 3/18/2024 at 2:10 AM, Stahlmann said:

Tbh this support Email seems like a scam again. Asking for 3rd party game keys isn't something I'd think official Valve support would do.

On 3/17/2024 at 4:09 AM, ThundyUK said:

Well, just by way of an update and a PSA really.

Steam support are asking for photographic evidence of a physical copy of a CD key I've activated a game on Steam with.

Sorry for MY late response this time, I'm not on the forums very frequently lol. That being said, I've had nearly the exact same interaction with Steam Support in the past, it is a legit request and they do it pretty often to verify account ownership. 

 

@ThundyUK have you EVER purchased a Humble Bundle or any other CD key digitally online? I also thought fulfilling their request would be impossible until I realized I had a ton of CD keys from like 2014 saved on my Humble Bundle account. Even if you never officially made an account, you might be able to find the keys by digging through your email.