
Someone broke into my Steam account & has been using it to scam ppl out of TF2 items

Edit: by TF2 I meant Counterstrike. Oops.

I don't like Steam. My reasons for this are long-running and really beside the point of this topic—I hate the UI, I don't like having my games tied to an external online service, and I dislike the idea of my games being connected to a social network.

So for many years now, I have avoided using Steam whenever possible. When avoiding Steam isn't possible (aka, Steam-exclusive titles), I use a "private" account, with zero friends and a username that I don't use anywhere else.

My public account has not been used in any serious capacity for many years. Because I don't really care about this account, I didn't have Steam guard enabled, and was using an admittedly less-than-ideal password. I figured that if I lost access to the account, it wouldn't be a huge loss. It never occurred to me that someone would use my account to harm others in my name.

So today, I logged onto my public Steam account to leave a comment in a Steam forum thread about Mini Metro, and noticed that my avatar had been changed. Further investigation revealed that I had sent PMs to a bunch of Counterstrike players asking to trade with them, and subsequently scammed them (or at least attempted to scam—I can't tell for sure).

I then immediately reset my password, and enabled Steam guard.

I've never played Counterstrike in my life, nor have I ever initiated a trade in Steam, so I don't fully understand how these systems even work. It's fairly easy to see what happened, but it leaves me wondering if there's anything else I need to do. Do I "owe" anything to the people who were ripped off? Is there anything I can do to help them? And is there anything else I should do/check to protect my security?

Thanks!
 
As far as has been made apparent to me in the past, the liability for lost trade items is with the person who handed them over. You shouldn't owe anyone anything.
 

Mesoian

Member
You're fine. Just take it as a lesson about always enabling 2 step verification in this modern world and always use strong passwords.
 
Steam guard should have been on, no excuses, especially with the steam issues from last week.
 
Steam guard should have been on, no excuses, especially with the steam issues from last week.

Thing is, I use this account maybe once every three months at most, whenever I want to make a couple of forum posts. When I had Steam guard turned on, I'd have to verify via email pretty much every time I wanted to log in.

I mean, I don't use two-step verification on Neogaf either.

This isn't to say I shouldn't have had Steam Guard turned on, but I don't think choosing not to was entirely unreasonable for such a low-priority account. When Steam was hacked last week, the possibility of an account I hardly ever use being broken into didn't even cross my mind.
 

epmode

Member
Thing is, I use this account maybe once every three months at most, whenever I want to make a couple of forum posts. When I had Steam guard turned on, I'd have to verify via email pretty much every time I wanted to log in.

Save your account credentials and this won't happen.
 
Welcome to the internet.

This isn't Steam's fault, it's the nature of the internet.

I would strongly suggest that if you have the same email/password that you had for Steam being used with any other account too, you immediately change those also.

Because that's the #1 way hackers get into people's accounts these days. NOT through viruses or trojans or backdoor exploits - through people using the same login credentials for multiple accounts.

So simple yet so overlooked by everyone.
 
When you get your account back, choose a ridiculously hard password that you won't be able to remember. (Be sure to note it down somewhere in a secure place.)
 

phants

Member
When you get your account back, choose a ridiculously hard password that you won't be able to remember. (Be sure to note it down somewhere in a secure place.)

Or use a service like LastPass. Then you can have a crazy strong unique password for every service and not need to write them down anywhere.
 

Haunted

Member
Because I don't really care about this account, I didn't have Steam guard enabled, and was using an admittedly less-than-ideal password.
If you've used this weak password on other sites as well, I would immediately change it on those accounts, even if they're not tied to the same username/e-mail as that Steam account.

Steam Guard is an absolute must. Two-factor authentication is the minimum bit of security an account that has access to financials should have these days.
 
When you get your account back, choose a ridiculously hard password that you won't be able to remember. (Be sure to note it down somewhere in a secure place.)

I didn't actually lose access to my account—the account thief never actually changed my password. I have done so myself.

What I really need to do is get a proper password manager, although I worry about what will happen if I switch to a new device or OS.
 
I actually don't understand how a less than ideal password can be a problem.

Stay with me on this. I can already hear "because it's easy to guess"

Say your password is letmein or password1 or one of 100 other dumb passwords. Why wouldn't steam lock the account up if it gets more than three incorrect guesses in a row?

If it does do that, then steam guard isn't as necessary even IF you pick a bozo password. If it does not do that, then steam has a security issue letting people peck away at accounts over time, until they hit the right password.

Or the alternative: OP's password (and Steam login name) was used on other sites and a site got compromised. Is this the explanation?
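
The two explanations raised in the post above leave different traces in login records. As an added example (not part of the thread, and not Steam's actual logic), this Python code runs a three-strike lockout rule over constructed login events and shows that it stops repeated guessing against one account but never fires when a reused password works on the first try. The event format, IP addresses, account names and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, account, login_succeeded)
EVENTS = [
    # Guessing: one source cycling common passwords against one account.
    ("198.51.100.7", "alice", False),
    ("198.51.100.7", "alice", False),
    ("198.51.100.7", "alice", False),
    ("198.51.100.7", "alice", False),
    # Reuse: one leaked username/password pair tried per account.
    ("203.0.113.9", "bob", False),
    ("203.0.113.9", "carol", False),
    ("203.0.113.9", "dave", True),   # reused password works on first try
    ("203.0.113.9", "erin", False),
    # Ordinary user mistyping once, then logging in.
    ("192.0.2.44", "frank", False),
    ("192.0.2.44", "frank", True),
]

def locked_accounts(events, threshold=3):
    """Accounts a per-account lockout would freeze (consecutive failures)."""
    streak, locked = defaultdict(int), set()
    for _src, account, ok in events:
        if account in locked:
            continue
        streak[account] = 0 if ok else streak[account] + 1
        if streak[account] >= threshold:
            locked.add(account)
    return locked

def multi_account_sources(events, min_accounts=3):
    """Sources that touched many distinct accounts, whatever the outcome."""
    seen = defaultdict(set)
    for src, account, _ok in events:
        seen[src].add(account)
    return {src for src, accts in seen.items() if len(accts) >= min_accounts}

def logins_lockout_missed(events, threshold=3, min_accounts=3):
    """Successful logins from flagged sources that lockout never stopped."""
    locked = locked_accounts(events, threshold)
    flagged = multi_account_sources(events, min_accounts)
    return {a for s, a, ok in events if ok and s in flagged and a not in locked}

if __name__ == "__main__":
    print("locked by 3-strike rule:", locked_accounts(EVENTS))
    print("sources hitting many accounts:", multi_account_sources(EVENTS))
    print("logins lockout missed:", logins_lockout_missed(EVENTS))
```

A second factor such as Steam Guard covers the case the lockout rule misses, because the correct password alone is no longer enough to complete the login.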
 

Haunted

Member
Do I "owe" anything to the people who were ripped off?
This is the equivalent of leaving your car open with the ignition running and someone else using it to wreck shit. Yes, you were lackadaisical with your security and insurance obviously won't pay out, but in the end it was the car thief who did it.
 
Or the alternative: OP's password (and Steam login name) was used on other sites and a site got compromised. Is this the explanation?

It's very possible—my system is to have different "tiers" of passwords depending on how important the account is to me. IE, I don't use the same password on a random forum account as I do my bank account, with additional tiers in between those two extremes.

Don't want to say too much more than that because I worry that doing so would be a security risk in and of itself, but suffice to say this Steam account was not high on the priority list.

Steam Guard is an absolute must. Two-factor authentication is the minimum bit of security an account that has access to financials should have these days.

I don't store CC information in Steam.

I'm talking about the program, not the website. I figured you were as well.
Haven't logged into this account via the Steam client in years, as far as I can remember.
 

andshrew

Member
When you get your account back, choose a ridiculously hard password that you won't be able to remember. (Be sure to note it down somewhere in a secure place.)

Heh, not sure if this is a joke post? How about you choose a password that is easy to remember and not something so unnecessarily complex that you need to write it down.

The most important thing is to use unique passwords for each service and enable two step where possible. Complexity of the password is somewhat irrelevant if you're tricked into handing it over.
 

fertygo

Member
I actually don't understand how a less than ideal password can be a problem.

Stay with me on this. I can already hear "because it's easy to guess"

Say your password is letmein or password1 or one of 100 other dumb passwords. Why wouldn't steam lock the account up if it gets more than three incorrect guesses in a row?

If it does do that, then steam guard isn't as necessary even IF you pick a bozo password. If it does not do that, then steam has a security issue letting people peck away at accounts over time, until they hit the right password.

Or the alternative: OP's password (and Steam login name) was used on other sites and a site got compromised. Is this the explanation?
qwerty123 is the most used password, maybe OP uses that.
 

MUnited83

For you.
Is there anything I can do to help them?

Well, you could check your trade history and see to what account the items were traded to. If it was all to the same guy, assume that is the account of the guy who broke into your account and inform the people that said they were scammed by your account.

Heh, not sure if this is a joke post? How about you choose a password that is easy to remember and not something so unnecessarily complex that you need to write it down.

The most important thing is to use unique passwords for each service and enable two step where possible. Complexity of the password is somewhat irrelevant if you're tricked into handing it over.
Reminder that that comic isn't really all that accurate, considering most people trying to break into other people's accounts use dictionary-based attacks.
 
Well, you could check your trade history and see to what account the items were traded to. If it was all to the same guy, assume that is the account of the guy who broke into your account and inform the people that said they were scammed by your account.

Where can I find this? (On the Steam website, not the client)
 
Go to inventory. Click the button "More" and then "View Inventory History".

Thanks, but...
8808395c35.png
 

Nzyme32

Member
Well, you could check your trade history and see to what account the items were traded to. If it was all to the same guy, assume that is the account of the guy who broke into your account and inform the people that said they were scammed by your account.


Reminder that that comic isn't really all that accurate, considering most people trying to break into other people's accounts use dictionary-based attacks.

Yeah. You should definitely report what has happened and the trade info for the sake of making sure nothing bounces back to you personally when you didn't do anything.

Where can I find this? (On the Steam website, not the client)

You should check several things:

  • Go to inventory (under your profile name / tab) > click the "more" button > look at your inventory history, which includes trading and gifting history
  • Go to the community market (under community tab) > check your market listing history
  • Go to your account details (under your Steam account name at the top right of the client) > check your purchase history and license activations

Thanks, but...
8808395c35.png

Then I have no idea - check a few times just to make sure the page loaded properly. Check the other things out to be safe. Perhaps messages were sent but nothing happened? You should perhaps also check your Steam community forum post history. I can't remember how to do that though.
 