
Dest

Has seen more 10s than EA ever will
Coward
Jun 4, 2018
14,022
Work
That title might scare some of you, as it should as I just had the shit scared out of me. I've reached out to Steam on this matter already and am awaiting a response and will update as soon as I have more information on what happened but aaanyway.

The password on my Steam account was changed. Well, that might be a fairly normal thing to happen if you've got an easy-to-guess password, right? Well, that's not necessarily the problem here. What is the problem is that I've got 2FA enabled via the app, and if that's not there it's supposed to verify things through my email before changes are made/I'm signed into a new device. However, my password was changed with the app popping off OR an email coming through for verification OR an email coming through to let me know that my credentials had changed. I already checked what logs I could (Valve does not keep a log of IPs that have signed into your account for whatever reason, so basically just my email logs). I was thankfully able to catch this fast af and get everything locked down again but that doesn't change the fact that somewhere along the line 2FA just bombed. It didn't work. I'm awaiting a response from support, but seeing this when I return to my PC from grabbing a drink sure gave me an awful fright, considering the account is 10 years old and has 1,100+ games on it.



Edit:
I can't confirm what happened just yet. I have verified a few things here that I can rule out.
  • My email account was not compromised. I already checked to make sure (verified logs, login locations, etc.). I also have access to Exchange information for that, meaning any email that would have come through, even if it had been deleted, I'd have a log of. Nothing. The account was not accessed.
  • My application did not generate a notification indicating an attempted sign in throughout the day. I've checked notification logs already.
  • I was not SIM swapped. I did not lose functionality of my phone at any point in time, and even called in to verify that no changes had been made.
Also, in regards to why I bring this up now with so much uncertainty as to what happened, is because this may or may not be a big, widespread issue. I'd like to bring my instance to attention now, rather than later in case it is a problem. I will update with more information as soon as it rolls in. Until then, I will do my best to answer your questions.

Update: 12/11/18 @ 9:48EST
I've got a response from Valve telling me to reset my password, which wasn't helpful. I've sent a response back to that and have asked for more information on whatever I could get. Hopefully I will have some answers by the end of the day.
 

sheaaaa

Banned
Oct 28, 2017
1,556
This is so weird cos Steam is so strict with their 2FA and recovery code stuff, to the point of annoyance.
 

woolyninja

Member
Oct 27, 2017
1,028
I don't understand? If I try to login on a new computer I have to enter in my two-factor authentication code. It's always the case. If I don't it then would always, ALWAYS email me? So how did your password get changed if neither of those happened? Did someone also hack your email account?
 

chaobreaker

One Winged Slayer
Member
Oct 27, 2017
5,536
2FA is a joke. Anyone could call your phone company and dupe CS into transferring your number to their SIM.
 
Oct 13, 2018
130
With things like these, it's user error until demonstrated otherwise. I'd have to see a systemic occurrence of a problem before adopting OP's stance.
 

Keldroc

Member
Oct 27, 2017
11,968
I don't understand? If I try to login on a new computer I have to enter in my two-factor authentication code. It's always the case. If I don't it then would always, ALWAYS email me? So how did your password get changed if neither of those happened? Did someone also hack your email account?

Yeah this has to be a case of more than one of the OP's accounts being compromised. I don't see how else it happens.
 

data

Member
Oct 25, 2017
4,715
Interested to see if this is a single case.

Did you generate backup codes and store those securely?
 

nded

Member
Nov 14, 2017
10,554
I don't understand? If I try to login on a new computer I have to enter in my two-factor authentication code. It's always the case. If I don't it then would always, ALWAYS email me? So how did your password get changed if neither of those happened? Did someone also hack your email account?
Either Valve has suffered a major security exploit or someone physically accessed the OP's computer or laptop.
 
Dest

Has seen more 10s than EA ever will
Coward
Jun 4, 2018
14,022
Work
I don't understand? If I try to login on a new computer I have to enter in my two-factor authentication code. It's always the case. If I don't it then would always, ALWAYS email me? So how did your password get changed if neither of those happened? Did someone also hack your email account?
Doesn't seem like it. I already went in and checked the access logs. Everything was from me. I did another sign in just to make sure they were generating properly, and they were. My IP and location were spot on.
2FA is a joke. Anyone could call your phone company and dupe CS into transferring your number to their SIM.
Sure, in the cases where it's using your mobile phone. In this case, that hasn't been touched and I have steps in place with my provider to avoid that situation happening.
Either Valve has suffered a major security exploit or someone physically accessed the OP's computer or laptop.
Can rule out the physical vulnerability. All three machines (my desktop, Surface and phone) are all with me currently and have been all day. I've been home all day.
 
Dest

Has seen more 10s than EA ever will
Coward
Jun 4, 2018
14,022
Work
You have somewhere else in the chain that's also most likely compromised OP.
It would have had to either have gone through my mobile app (which hasn't generated notifications all day), or my email (which I've already checked logs on and hasn't been accessed by anyone other than me).
 

Arulan

Member
Oct 25, 2017
1,571
This is not something I would post until I found out exactly what happened. You're just making people worried for what could be nothing.
 

Deleted member 3038

Oct 25, 2017
3,569
This is not something I would post until I found out exactly what happened. You're just making people worried for what could be nothing.

OP mentions that there's 0 physical breach and no log of any email / 2FA breach and you think this isn't a major enough issue to worry about?

This is why I don't use App-based 2FA. Now, I have all my U2F codes on my Yubikeys & they're both in safe spots at all times, it's more annoying but it completely negates Software being the weakest link for me.
 

Mass Effect

One Winged Slayer
Member
Oct 31, 2017
16,718
Hmm, 2FA stopped people from getting into my Steam account last year.

Thank goodness too. I'm hoping that the system not failing out.
 

Kvik

Banned
Oct 25, 2017
889
Downunder.
Yeah, the chink in the armor of 2FA is one can social engineered themselves against unsuspecting customer support to gain access to your account provided that they had sufficient knowledge of your private details, possibly gleaned from social media presence.

One thing I can suggest to avoid this issue is either to get a keyfob like Yubico (of which its integration with Steam 2FA was still kind of spotty, last time I checked), or arrange with the customer support to set up a challenge-response sequence to be attached to your account, in which only upon successful exchange you can modify your account details.
 
Dest

Has seen more 10s than EA ever will
Coward
Jun 4, 2018
14,022
Work
Yeah, the chink in the armor of 2FA is one can social engineered themselves against unsuspecting customer support to gain access to your account provided that they had sufficient knowledge of your private details, possibly gleaned from social media presence.
Yeah, we'll have to see what they respond with. The only identifying data that Valve has on file for me (at least from what I can tell) is my current billing address, and that's just from purchases.
 

Deleted member 11413

User requested account closure
Banned
Oct 27, 2017
22,961
Doesn't seem like it. I already went in and checked the access logs. Everything was from me. I did another sign in just to make sure they were generating properly, and they were. My IP and location were spot on.

Sure, in the cases where it's using your mobile phone. In this case, that hasn't been touched and I have steps in place with my provider to avoid that situation happening.

Can rule out the physical vulnerability. All three machines (my desktop, Surface and phone) are all with me currently and have been all day. I've been home all day.
Is it possible you got sim-swapped?
 

Deleted member 3038

Oct 25, 2017
3,569
Which is why good 2FAs use authenticators and not SMS texts
And why even better 2FA systems don't use software-based Auth & use Hardware-based Keyfobs

Seriously, don't use stuff like Authy / Google Auth anymore, that stuff can be stolen very easily & practically gives people free access to any accounts whose 2FA you have stored on it
 

Deleted member 35071

User requested account closure
Banned
Dec 1, 2017
1,656
Someone from South Korea tried to get into my account today! I got a popup from my email saying someone was trying to access my account... and it had sent a verification code.

I wasn't able to log in at first. I don't think the person could change my password... maybe I had changed it from the last time I logged in on Chrome (it had been a while).

I changed my email password. Then was able to use a verification code to log in to Steam and change that password too.
 

Deleted member 1849

User requested account closure
Banned
Oct 25, 2017
6,986
Okay, I find it really interesting that this comes up today, because yesterday I received a popup on Steam stating that my credentials had been changed somewhere else. I have 2FA.

I changed my password, my email password and switched the email associated with my account just to be safe.
 
Dest

Has seen more 10s than EA ever will
Coward
Jun 4, 2018
14,022
Work
Okay, I find it really interesting that this comes up today, because yesterday I received a popup on Steam stating that my credentials had been changed somewhere else. I have 2FA.

I changed my password, my email password and switched the email associated with my account just to be safe.
Hey hey, dope. I mean, that's not good but I'm glad there's another case out there with something very similar happening. Hopefully whatever response I get is able to shed some light on the situation. Are you able to check sign-in logs on your email to see if that had been accessed outside of you?
 

XR.

Member
Nov 22, 2018
6,576
I've been getting hundreds of log-in attempts/password resets from unauthorized IPs/locations during the past year, which resulted in Steam changing my password without notifying me about it. Can't reassure you this is the case for you, but it's a possibility.

After my account username incl. my personal details were leaked during the Steam cache leak in 2015 I've contacted Valve and requested to change my username but they repeatedly refuse. It's just something I've got to live with, I guess, but it's infuriating considering every other service offers this security measure.
 
Dest

Has seen more 10s than EA ever will
Coward
Jun 4, 2018
14,022
Work
If it can clone the 2FA seed from the app, it won't need to prompt for a request somewhere else.
Even if that were/had been the case, Steam failed to notify me of an account change outside of that box popping up when you should receive an email (as I did when I personally changed the password) when the account credentials/general changes to your account are made.
Also, while I get what you're saying, if someone tried to log into my account, the app would still generate the number and it'd have popped up on my phone would it not? You attempt to sign in and it automatically and basically instantly hits my phone with a notification with the code at the time.
 

GuitarGuruu

Member
Oct 26, 2017
6,465
Anecdotally, someone tried to change my password the other day for my Steam account and my 2FA locked them out.
 

Spyware

Member
Oct 26, 2017
2,455
Sweden
I get that message sometimes when I have been logged in on another computer at the same time, but I am able to just log back in and nothing has been changed. But your password was actually changed?
 
Dest

Has seen more 10s than EA ever will
Coward
Jun 4, 2018
14,022
Work
I get that message sometimes when I have been logged in on another computer at the same time, but I am able to just log back in and nothing has been changed. But your password was actually changed?
It was. I attempted to sign in with my password and was unable to get in on both the application and the web browser. I was thankfully able to get it reset, though.
 

GrrImAFridge

ONE THOUSAND DOLLARYDOOS
Member
Oct 25, 2017
9,659
Western Australia
Did you actually confirm that your password was changed? That message pops up when something causes your session to expire and doesn't necessarily mean your account has been compromised (in my case, I've only ever seen it when connecting to or disconnecting from a VPN). I suspect that's what happened here given you didn't receive any sort of notification about changes to your account and there's nothing out of the ordinary in your session history.

Edit: D'oh, never mind, I'm blind and missed your post above.
 

Deleted member 1849

User requested account closure
Banned
Oct 25, 2017
6,986
Hey hey, dope. I mean, that's not good but I'm glad there's another case out there with something very similar happening. Hopefully whatever response I get is able to shed some light on the situation. Are you able to check sign-in logs on your email to see if that had been accessed outside of you?
Sorry for the late reply, but there is no sign of any strange behavior in my email account. All logs look clean.
 

Mifec

Member
Oct 25, 2017
17,703
Ah I see Steam is competing with Epic finally. As in Epic accounts get compromised and send intrusion emails a lot.
 

Bjones

Member
Oct 30, 2017
5,622
Some companies automatically reset your password if they think something odd is going on. If your email wasn't changed I would worry too much about it.