My steam account keeps getting hacked

ShadowAUS · Aug 21, 2019

Horns said:
What software do people recommend for scanning for a keylogger?

MalwareBytes Anti-Rootkit + normal MalwareBytes scan
MalwareFox

As well as those just follow normal security procedures. Run a decent AV, if you don't want to pay than Bitdefender's free AV is relatively lightweight, simple and what I recommend. Keep MalwareBytes on your PC and run a scan every week or so. That should keep 98% of nasties off a Windows installation. If you notice anything strange past all that and you have a basic idea of what you're doing, i.e you would be classed as a "power user" than Tron is love, Tron is life.

gebler · Aug 21, 2019

Something unusual is going on, and although it could point to some kind of security breach allowing the attacker to intercept your new password, it could also be some kind of technical problem giving you the wrong impression of what's going on. Two such possibilities:

1. The password change through the app didn't actually "take" (propagate properly within Valve's system), so the old one is still in effect. The second Steam Guard message could then be explained as just another attempt with the same username+password combination. You say that you haven't actually logged in to your Steam account on your PC with the new password - doing so would confirm or disprove this possibility.

2. If the Steam Guard message came soon after your password change, it could actually refer to a login attempt before you made the change, or before it had propagated through Valve's systems. Emails can sometimes be delayed when a server in the delivery chain is temporarily down, with eventual delivery once the system is up again (but there could be hours or sometimes even days between retransmission attempts). Check the date in the email header - if it's before or close to the time you actually changed the password (even if you got the email later), that could explain things. If this is the explanation, the second Steam Guard message was an anomaly, and you should not get any more of them.

CatAssTrophy · Aug 21, 2019

Also make sure those "login attempt" emails are actually valid. A lot of fishing comes in the form of faux "2 step verification" alert emails.

Horns · Aug 21, 2019

ShadowAUS said:
MalwareBytes Anti-Rootkit + normal MalwareBytes scan
MalwareFox

Thanks. Will check them out.

Sotonian · Aug 21, 2019

Also check https://haveibeenpwned.com/ it lists any emails that have been publicly compromised, also a section for passwords on there

Theef · Aug 21, 2019

2-factor exists for Steam

gebler · Aug 21, 2019

CatAssTrophy said:
Also make sure those "login attempt" emails are actually valid. A lot of fishing comes in the form of faux "2 step verification" alert emails.

That was my first thought, but the message quoted seems to be the normal Steam Guard message, which doesn't provide any link for changing the password, which would be the likely action for the receiver of the phishing message. But do check the links provided - they should go to steamcommunity.com (for the IP address link) or steampowered.com (for the recovery link and the help link).

NattyBo · Aug 21, 2019

I did check, the emails are legit.

NattyBo · Aug 21, 2019

gebler said:
Something unusual is going on, and although it could point to some kind of security breach allowing the attacker to intercept your new password, it could also be some kind of technical problem giving you the wrong impression of what's going on. Two such possibilities:

1. The password change through the app didn't actually "take" (propagate properly within Valve's system), so the old one is still in effect. The second Steam Guard message could then be explained as just another attempt with the same username+password combination. You say that you haven't actually logged in to your Steam account on your PC with the new password - doing so would confirm or disprove this possibility.

2. If the Steam Guard message came soon after your password change, it could actually refer to a login attempt before you made the change, or before it had propagated through Valve's systems. Emails can sometimes be delayed when a server in the delivery chain is temporarily down, with eventual delivery once the system is up again (but there could be hours or sometimes even days between retransmission attempts). Check the date in the email header - if it's before or close to the time you actually changed the password (even if you got the email later), that could explain things. If this is the explanation, the second Steam Guard message was an anomaly, and you should not get any more of them.

1. Almost certain the change "took" - I got an email confirming the change yesterday when I did it.

2. The times don't check out

Kaah · Aug 21, 2019

Same for me, I change my pw every months but keep receiving mail about access from a new computer with IP from all over the world. I just received 3 mail in the last 18 hours. My PC is clean, I just changed my HDD and reinstalled Windows 10.

Sidebuster · Aug 21, 2019

NattyBo said:
1. Almost certain the change "took" - I got an email confirming the change yesterday when I did it.

2. The times don't check out

Another vector could be a man in the middle attack. Do you have open wifi? Packets can be captured doing that, though I imagine they would be encrypted if going through https

NattyBo · Aug 21, 2019

Kaah said:
Same for me, I change my pw every months but keep receiving mail about access from a new computer with IP from all over the world. I just received 3 mail in the last 18 hours. My PC is clean, I just changed my HDD and reinstalled Windows 10.

Yeah the first one was from Chile, today it was Ukraine. And I barely use my Steam PC these days, and never use it for anything BUT steam, so I'm more worried my iPhone is compromised

NattyBo · Aug 21, 2019

Sidebuster said:
Another vector could be a man in the middle attack. Do you have open wifi? Packets can be captured doing that, though I imagine they would be encrypted if going through https

Yesterday when I changed my PW, I did it via 5G on my phone at work. My home WiFi is secure and I have the PC connected directly to it via cable anyway.

Kaah · Aug 21, 2019

NattyBo said:
Yeah the first one was from Chile, today it was Ukraine. And I barely use my Steam PC these days, and never use it for anything BUT steam, so I'm more worried my iPhone is compromised

Honestly at this point I'm pretty sure it is tied to my Steam account, and not a malware on my PC or phone (I never use Steam on it). Don't know how though. But if changing my pw and a clean install of windows 10 isn't helping I have really no idea.

Sidebuster · Aug 21, 2019

NattyBo said:
Yesterday when I changed my PW, I did it via 5G on my phone at work. My home WiFi is secure and I have the PC connected directly to it via cable anyway.

So you've tried to change the password only on the phone? Have you tried changing it on the PC with steam? That could give you an indication of what's happening if that works.

NattyBo · Aug 21, 2019

Sidebuster said:
So you've tried to change the password only on the phone? Have you tried changing it on the PC with steam? That could give you an indication of what's happening if that works.

I'm gonna change it on the PC tonight to a randomized PW and then see what happens

ymgve · Aug 21, 2019

The Turbanator said:
Make sure the emails are from [email protected] and not some proxy email masquerading as steam.

This is bad advice in general, the "from" email field can easily be spoofed.

Though it sounds like the emails are legit in this case, and something strange is going on. I don't think it's an Iphone keylogger (Unless you have a habit of jailbreaking your phone and installing software from other sources than the App store), the theory that it's just some delayed mails catching up sound more plausible.

spineduke · Aug 21, 2019

Horns said:
What software do people recommend for scanning for a keylogger?

Usually if theres a keylogger installed, theres a serious risk of other trojans being installed as well - and there's no guaranteed clean fix, some of them self-replicate and are quite difficult to remove entirely. Once you're infected, just do a format/wipe.

New Username · Aug 21, 2019

Edit: Deleted post

Tunesmith · Aug 21, 2019

OP, change your Steam account email, and see if the notices stop.
If they continue, they are faked phishing attempts, the "From:" field in an email is easily spoofed.

You could also be dealing with a delayed email notice situation if you're being brute forced, there could be 100s of attempts in a short time frame that may have caused queuing of emails.

Also, make sure to deauthorize any other active logged in sessions.

Nightfall said:
Passphrases are actually more secure. If done right.

If done right is the key word here. In order for passphrases to have enough entropy to be considered secure compared to a pure generated string you'll end up with a collection of random words no person can easily remember. This comic strip has actually made them less secure since it came out 7 years ago and as such should be avoided in majority of cases.

Use complex passwords over passphrases.

NattyBo · Aug 21, 2019

Tunesmith said:
OP, change your Steam account email, and see if the notices stop.
If they do, they are faked phishing attempts, the "From:" field in an email is easily spoofed.

You could also be dealing with a delayed email notice situation if you're being brute forced, there could be 100s of attempts in a short time frame that may have caused queuing of emails.

If done right is the key word here. In order for passphrases to have enough entropy to be considered secure compared to a pure generated string you'll end up with a collection of random words no person can easily remember. This comic strip has actually made them less secure since it came out 7 years ago and as such should be avoided in majority of cases.

Use complex passwords over passphrases.

I believe I could use my work email. Will try that. So far I've only gotten two total notices over a day and a half or so. and I don't believe they're spoofed.

Westbahnhof · Aug 21, 2019

Cheers and Beers said:
No, they aren't. Passphrases are more memorable than comparable length random passwords, but have substantially less entropy. If you are not a security expert, you should consider choosing not to share security advice from comics as though you are one.

Where is the comic wrong?

Broken Hope · Aug 21, 2019

Chances of your phone being compromised are low.

riotous · Aug 21, 2019

Are you sure the emails are actually real and coming from Steam?

One common phishing attempt is sending people emails telling them they need to change their password, including a link that is to a fake page that looks like a real one.

New Username · Aug 21, 2019

Edit: Deleted post

5taquitos · Aug 21, 2019

Cheers and Beers said:
The comic is not comparing randomly generated passwords to passphrases, it is comparing choosing a single dictionary word and tweaking it with symbols to passphrases. If the sum of the observation is "padding out the length of a password can contribute more to security than simply adding a symbol", then the comic's thrust is correct. But that's not why it's being posted. It's being posted to argue against someone using a more secure password in favor of a less secure password.

The claim that the four words chosen were "randomly chosen" is also incorrect and overstates the entropy of the passphrase. My guess would be the rule that generated this password has perhaps 9 or 10 bits of entropy per word. These are plainly within the most commonly known nouns and adjectives in the case of correct. If that math is correct, the password generated is between 16 and 256 times less secure than the comic claims.

Finally, the guess rate per second was incorrect when the comic is made. Server-side verification services typically lock out after 5 or 10 guesses, certainly after 1,000. The risk is not server-side validation attempts against any password, it's local cracking of password hashes or mass cracking of dumped databases. In local hash attacks, depending on the method of cryptographic hashing, a hash rate of 10,000-500,000 hashes per second is more likely on a standard desktop. With insecure or fast hashes, effective cracking rates in the tens of millions per second are possible. On a custom rig with multiple GPUs and insecure hash functions, it is possible to get into the billions of hashes per second. This is without incorporating rainbow tables.

Separate from the comic, it is extremely easy to calculate the amount of entropy in a randomly generated password. If you do not know how to do this, it's probably bad for you to believe the comic just because it has a cute art style. If you do know how to do this, simply do it. Using a full set of characters, numbers, and a reasonable amount of symbols, I get about 200 bits of entropy in a 32-character random password, so approximately 1.46 * 10^48 times more secure than the passphrase in the comic.

Solid receipts

ShadowAUS · Aug 21, 2019

Cheers and Beers said:
/snip

To add on to this, here are a couple of useful and simple resources for gauging the strength of a password, don't take it as gospel but it's a good base line.
Rumkin PassCheck
PWS.de

big_z · Aug 21, 2019

most likely spoof emails even though the address looks legit or someone has access to your email. I know Hotmail/outlook lets you check where you logged in from and would assume other email providers have a similar system so that would be worth checking.

Tunesmith · Aug 21, 2019

NattyBo said:
I believe I could use my work email. Will try that. So far I've only gotten two total notices over a day and a half or so. and I don't believe they're spoofed.

I'm on mobile so apologies, what I meant to say was, by changing emails you'll find out if the emails are real or fake;
- if additional notices arrive to your old email, then they're likely phishing attempts and are being sent to your email address that's on a list of compromised steam accounts.
- if additional notices arrive to your new email, and you have actually changed your password, then they're real and you might be dealing with a man-in-the-middle intercept of some sort (very rare but they can happen).

Westbahnhof · Aug 21, 2019

Cheers and Beers said:
The comic is not comparing randomly generated passwords to passphrases, it is comparing choosing a single dictionary word and tweaking it with symbols to passphrases. If the sum of the observation is "padding out the length of a password can contribute more to security than simply adding a symbol", then the comic's thrust is correct. But that's not why it's being posted. It's being posted to argue against someone using a more secure password in favor of a less secure password.

The claim that the four words chosen were "randomly chosen" is also incorrect and overstates the entropy of the passphrase. My guess would be the rule that generated this password has perhaps 9 or 10 bits of entropy per word. These are plainly within the most commonly known nouns and adjectives in the case of correct. If that math is correct, the password generated is between 16 and 256 times less secure than the comic claims.

Finally, the guess rate per second was incorrect when the comic is made. Server-side verification services typically lock out after 5 or 10 guesses, certainly after 1,000. The risk is not server-side validation attempts against any password, it's local cracking of password hashes or mass cracking of dumped databases. In local hash attacks, depending on the method of cryptographic hashing, a hash rate of 10,000-500,000 hashes per second is more likely on a standard desktop. With insecure or fast hashes, effective cracking rates in the tens of millions per second are possible. On a custom rig with multiple GPUs and insecure hash functions, it is possible to get into the billions of hashes per second. This is without incorporating rainbow tables.

Separate from the comic, it is extremely easy to calculate the amount of entropy in a randomly generated password. If you do not know how to do this, it's probably bad for you to believe the comic just because it has a cute art style. If you do know how to do this, simply do it. Using a full set of characters, numbers, and a reasonable amount of symbols, I get about 200 bits of entropy in a 32-character random password, so approximately 1.46 * 10^48 times more secure than the passphrase in the comic.

Geeze, thanks for the information, but while I can't put my finger on it, but you're coming off incredibly condescending.
Especially the bolded part. No reason for that kind of thing when I'm just coming in to ask for clarification.

I agree that the comic in this context wasn't helpful, but what the comic actually states, like you pointed out, has the right idea, even if the math is shaky

Tunesmith · Aug 21, 2019

The math in the comic actually checks out, but the available compute power these days make passwords much quicker to crack compared to 7 years ago when this comic was made.

New Username · Aug 21, 2019

Edit: Deleted post

Slai-Man · Aug 21, 2019

Keyser S said:
If not, try the top one as anything else can be brute forced

how? or you mean guessed?

Evolution of Metal · Aug 21, 2019

I get these emails periodically, I stopped changing the password.

There is no fucking way someone is guessing my password... Once, ok - possible. 2-4 times in a year - no way. It is either a fake email, or nothing you can do in terms of changing the password. It is also never multiple-emails about the login attempt.

IDreamOfHime · Aug 21, 2019

Nightfall said:
Passphrases are actually more secure. If done right.

Every time I see this I wonder how many people have correct horse battery staple as their password, haha

NattyBo · Aug 21, 2019

Ok, I changed the email associated with the account, and changed my account password to a random string of characters that I made up for now, until I set up a pass manager. both changes made via steam for iPhone app. Let's see what happens..

ShadowAUS · Aug 21, 2019

IDreamOfHime said:
Every time I see this I wonder how many people have correct horse battery staple as their password, haha

You would be surprised, sadly.
Fun fact when you put "correcthorsebatterystaple" in howsecureismypassword.net you get this -

riotous · Aug 21, 2019

Pass phrases are better than the typical passwords people use; that's about all that comic should really get across.

ShadowAUS said:
You would be surprised, sadly.
Fun fact when you put "correcthorsebatterystaple" in howsecureismypassword.net you get this -

Add the spaces and it says "15 octillion years", or change staple to something like maple (with no spaces) and you get 7 octillion.

correcthorsebatterystaple is probably on a list of common passwords, that's not the entropy causing it to be instant.. it's the popularity of the comic and whoever coded that site has it on a list.

Rookhelm · Aug 21, 2019

could it be that some external service (like when you log into some other app or site using your google or twitch account), but 2 factor is breaking it, so it just keeps reattempting?

is that a thing with Steam?

Hentailover · Aug 21, 2019

OP, this has been mentioned, but I had similar issue. Kept getting these messages. Couldn;t figure out why. Turns out I had some old long forgotten steam account attached to my email and obviously I was changing stuff for my proper one, and obviously none of those changes affected hackers trying to log into abandoned one. Getting rid of that acc helped. Problem never returned since.

Chestbridge · Aug 21, 2019

ShadowAUS said:
You would be surprised, sadly.
Fun fact when you put "correcthorsebatterystaple" in howsecureismypassword.net you get this -

That's weird, when I put it in it says "188 QUADRILLION YEARS".

Qikz · Aug 21, 2019

Keyser S said:
Alphanumeric unique - hfb7bfg39gfgb
or just "Mycatiswondrerful123" ?

If not, try the top one as anything else can be brute forced

That's bad advice. The top one can be brute forced if given long enough.

The best thing to do is use completely unrelated words in a string together, I believe a lot of security experts came out and agreed with this. It's impossible to dictionairy attack it or if it was it would take hundreds of years of attempts.

DonkeyTrampolineWatermelonLimo is much more secure than 50m3th1ngL1k37th15

DC5remy · Aug 21, 2019

I haven't been on steam in years and still get emails saying "someone is trying to use your login"

Adam_Roman · Aug 21, 2019

Don't use your email for 2FA, use the Steam app since you already have it. If they have your steam account username and password your email's probably just as insecure. I had a friend lose his Steam and Origin accounts from email 2FA because they got in his email account and changed shit from there.

NattyBo · Aug 21, 2019

Adam_Roman said:
Don't use your email for 2FA, use the Steam app since you already have it. If they have your steam account username and password your email's probably just as insecure. I had a friend lose his Steam and Origin accounts from email 2FA because they got in his email account and changed shit from there.

If they had my email they'd already have the account because that's where the 2FA was set up. But I'm using the full steam guard mobile thing now.

Flandy · Aug 21, 2019

Cheers and Beers said:
As I said in my post, the math in the comic only checks out if you believe that the four words listed represent a uniform random sample of words from a 2,048 word (11 bit) dictionary. The chosen words all seem substantially more common and familiar than the output of such a sample would generate, leading me to believe the effective mental dictionary being drawn from is closer to 9 or 10 bits of entropy per word. As a tip: if you read "pick four random dictionary words" and you interpret it as "I looked around my office and saw houseplant pen telephone artwork", you have less entropy than the comic is suggesting. The manner of calculating entropy depends on the cardinality of the simplest possible ruleset used to generate the data.

Also, the post concludes that "passwords should be easy to remember". This is incorrect and one of the most harmful things about the comic. We should be convincing users to switch to systems that do not require them to remember passwords.

What if you make it using Dice?

Shoichi · Aug 21, 2019

Your iPhone likely isn't compromised. It's not as open as Android and isn't as vulnerable as long as your keeping away from sideloading apps not approved from the app store on there.

If you are having 2FA set up on email and Steam. Along with changing pw's on both its either a late notification, virus/malware on pc, or a phishing attempt

trineo_feo · Aug 21, 2019

Cheers and Beers said:
No, they aren't. Passphrases are more memorable than comparable length random passwords, but have substantially less entropy. If you are not a security expert, you should consider choosing not to share security advice from comics as though you are one.

I don't think you understand the comic. The point is that long simple-worded passwords are more secure than shorter gibberish passwords.
Like "sd4Dg%tGT4e" is less secure than "TwoMumsFlewToPlayBasketballAndCookedAStable". And the latter is easier to remember.

ShadowAUS · Aug 21, 2019

riotous said:
Pass phrases are better than the typical passwords people use; that's about all that comic should really get across.

Add the spaces and it says "15 octillion years", or change staple to something like maple (with no spaces) and you get 7 octillion.

correcthorsebatterystaple is probably on a list of common passwords, that's not the entropy causing it to be instant.. it's the popularity of the comic and whoever coded that site has it on a list.

I know? I was just pointing out that it was a fun fact that they had coded it in to the site as a reply to someone wondering how common it was. The actually entropy is something around 93 bits.

iRAWRasaurus · Aug 21, 2019

I get these emails randomly for my 2nd steam account which has noting on it nor been used for a few years.

My steam account keeps getting hacked

Alt Account

Fraud & Player Security

Fraud & Player Security

Fraud & Player Security

Community Resettler

Community Resettler