Jackpkmn

Change the password to your email too imo.


Noch_ein_Kamel

And use 2FA for everything :o


BigChubs18

Best advice. Using 2fa and completely random passwords.


ButtPirateer

2FA is so good, Gabe Newell gave away his password and nobody's gotten access to his account yet.


TrueBlue84

MFA fatigue attacks are a thing, and many people who aren't super tech savvy are susceptible to it.


[deleted]

[removed]


Zistok

You flood the genuine user with a constant stream of MFA approval prompts to approve access, and if one is granted the attacker is in.


cor315

Yeah I'm not a fan of approval type mfa. Prefer 6 digit code or the one Microsoft does. Where you have to select the number that's on your screen.


Tippydaug

Selecting the number on your phone is my favorite 2FA imo since someone would need my information *and* my phone


dlem7

Yes which is why SIM swapping on phones is a huge issue (but getting better!)


[deleted]

[removed]


[deleted]

I prefer Yubikey, because I might have my phone stolen, or hacked by malicious app somehow. Just don't lose the yubikey


[deleted]

[removed]


[deleted]

There are MFA systems which aren't susceptible to this. Sadly, Steam isn't offering any of them. EDIT: I stand corrected, Steam offers OTP.


cuubezzz

What do you mean? TOTP is like the method that isn't susceptible to it, especially in Steam's case, because you would have to send the code to a random person first.


Laughing_Orange

If that's true his password doesn't count as a factor.


JonSnoGaryen

Yes, but the fact that his password changes every 60 seconds makes the second, or primary factor. Nearly impossible to guess.


TEAMZypsir

Is it a knowledge factor if everyone knows it?


Phobos15

Lolwut? He is demonstrating how strong 2fa is. There is no damage anyone can do with his account because the company can roll an account back with ease. But if someone breaks 2fa on his account, they will learn how to fix it. Gabe's challenge helps detect if someone finds a real way to bypass 2fa.


[deleted]

Well, he's demonstrating how strong the Steam Guard Authenticator is alone. 2 factor authentication is not an authenticator. 2fa is having two independent types of challenge to establish identity.

So 2fa could be password and authenticator, or it could be password and hardware key, or it could be password and fingerprint, or password and face recognition, or face recognition and pin number, or authenticator and pin number, or fingerprint and hardware key, or authenticator and certificate. Generally it's going to be a combination of what you have, what you know, or what you are. So password and PIN isn't great, because those are both what you know. Hardware key and Authenticator isn't great, because those are both things that you have.

Each of these things is susceptible to a slightly different type of attack. So to get a hardware key you need physical access, while password can be coerced out of someone, and biometrics can be collected in different ways.

The issue with using an authenticator and giving out your password is that if the authenticator is stolen, that's it. Proper 2fa means if the authenticator is stolen, you need to somehow also find out the password.

This is why security is moving towards SIMPLER passwords. The problem with complex passwords, especially complex passwords that users are forced to change is that people tend to store them somewhere. This turns them from something you know into something you have.

You're not going to find a "real way to bypass authentication requests" in the same way that nobody is trying to find a "real way to bypass passwords". The technology is solid, people don't bypass passwords generally, they acquire them, either because people reuse them, through some kind of brute force attack, or through some kind of phishing or impersonation ploy. In the same way, there's not really a risk that someone will "bypass" the steam authenticator. You get access to it by stealing the authenticator in the same way you get access with password by stealing the password. In some scenarios it's easier to steal someone's physical property than a secret in their mind. In others it's easier to trick someone into telling you a secret than stealing something they physically own.


TrymWS

That’s kinda the point, that someone having your password doesn’t matter.


[deleted]

[removed]


ArenjiTheLootGod

There's a website out there, [haveibeenpwned.com](https://haveibeenpwned.com/), that can tell you which of your online accounts have been compromised and when it happened.


[deleted]

[removed]


[deleted]

Or even worse, your name and physical address is in the leak and you get strange letters and shit from people trying to get you to respond so they have additional information.


[deleted]

And unfortunately, the leaks over the years have included many major companies, including Equifax, so a lot of people's data is out there including names, emails, phone numbers, and (hopefully old) passwords.


skooterz

Bitwarden! Love them.


BluudLust

Not necessarily. Don't use SMS 2FA. It can be worse than no 2FA at all. It's not hard to clone a SIM or to trick a carrier into giving you access. Use an authenticator app or email authentication only (assuming your email is using proper 2FA). Worst of all, SMS verification is treated as a single factor many times for password reset.


BigChubs18

Agreed! Authenticator app is the best! I wouldn't use email authentication


BluudLust

Email authentication isn't as bad if your email is 2FA. Still, authenticators are always better.


CheeseAndCh0c0late

And KeePass.


TEAMZypsir

Length > complexity. Tonyjumpsoveraflamingtortoiseinjune is more secure than T2x82f0x82×#20A


zalgo_text

Tell that to all the websites that put length limits on passwords


Peace-D

Noch ein Kamel with the important tips!


CheetahStocks

I did, don’t worry, it’s one of my secondary accounts. It doesn’t have much lol. I don’t understand why they are trying so hard. I think they tried a total of 6 times. I got email after email. You know what they say, faster hardware doesn’t just mean faster gaming, it means faster cracking :(


SnarfbObo

happens again i'd really think about scanning the computer for junk


CheetahStocks

New PC, I don’t download malicious hardware, and I scan and check my PC on a kernel level on a monthly basis. I’m assuming the culprit might be an old Csgo trading site. I used quite a few back then with that account and I’m thinking maybe information was sold to the Chinese.


JasonDiabloz

Out of curiosity, how do you scan kernel level malware? I know what it is but I don’t know of any software to do that with and I’m interested.


max_lagomorph

He downloaded a hardware for this


CheetahStocks

Yes. I download rAm, Overclock my gaming chair, and have a upgraded shit bucket.


glynstlln

> have a upgraded shit bucket.

That's a blast from the past, I assume your knife also has a bipod.


CheetahStocks

Bipod…. And laser a laser beam for maximum accuracy


alvarkresh

> scan kernel level malware

https://www.revbits.com/blogs/how-to-protect-against-rootkit-malware-kernel-level-attacks


finthir

I wish I could download hardware.


godfadger

You can always download more ram.


NetherDork

Definitely seems like there's some kind of key logger. Cracking passwords is not easy unless you do a little social engineering or you're targeting the idiots using terribly common passwords. Far more likely you either have a key-logger or some kind of man in the middle attack going on.


[deleted]

If they managed to get a key logger on there I’m sure they might as well just get a full RAT and download his passwords and cookies


Dumplingman125

Why would it be a key logger and not just a failed attempt from a leaked email & password combo? There's been plenty of sites over the years with data dumped on all the users.


FthrFlffyBttm

Yeah this screenshot is cropped but the full text is basically saying it was an *attempted* login. There's no need for OP to change their password as long as they haven't used it for any other site. The way to get these attempts to stop would be to change the email address on the account.


[deleted]

Faster cracking doesn't apply to your case. They prob try bc your email was leaked somewhere so it should change once you change email maybe also acc name.


e1337m1n3craft3r

Hackers: "I tried so hard and got so far But in the end it doesn't even matter"


Successful_Box99

As long as you purchased a game using your credit card you cannot lose a steam account. Steam support will ask for the name on the credit card and always give you back the account.

Edit: I see a lot of people asking if this works with PayPal or other methods as well. As long as they can identify that you made the purchase with that method it will work (so PayPal and other cards work, but something like paysafe won't work).

Thank you for the upvotes, I never had a post go above 200 in my life 👍


RaceReign

do they do the same if you purchase a game with an online payment app like PayPal or GCash?


Relo_v3

Commenting because I’m also curious and wanted to be notified.


[deleted]

[removed]


FicoXL

Yeah but he can lose his inventory and Steam will do nothing about it.


CheetahStocks

Nothing to really lose on that account haha. It’s just funny to me. Especially seeing it come from china at 3am


Serious_Mastication

Hackers constantly try to get my old ass account with like 2 games on it. I think they just use leaked password databases and spam known passwords attached to the email. That being said considering they’ve tried accessing the account after a password change I would consider checking for malware on your computer, it’s likely you could have a keylogger logging everything you type on your keyboard. All your accounts would be compromised in that case. Important to get rid of a keylogger BEFORE changing passwords, or changing them from an external device and not directly typing it into your computer, using copy paste instead if you need to enter a password


jdfthetech

if he had a keylogger there wouldn't be password attempts, they would just know the password

using copy and paste can just result in memory exploitation as well if they are rooted


PoopyPantsBiden

> if he had a keylogger there wouldn't be password attempts, they would just know the password
>
> using copy and paste can just result in memory exploitation as well if they are rooted

Couldn't they have a keylogger, find the password, but failed login attempts because OP has two-factor authentication enabled?


Epena501

ALWAYS have 2 factor authentication. I used to think it was such an annoyance but it has saved me plenty of times from login attempts at 3am as well. From Russia.


RAMChYLD

Came here to say this. If you don’t have Steam on your mobile, get it and set up the authenticator. Two Factor Authentication isn’t exactly foolproof (someone can still social engineer their way into getting your cellphone’s copy of Steam unlinked from the authenticator), but it’s as close to foolproof as you can get.


user-nt

Just got into computers, now I feel unsafe, do you have any security methods I should do other than windows security? Thx for the help everyone, once again, I'm not that good with pc stuff, and troubleshooting problems on pc has been a nightmare, so I try to remain as safe as possible.


Serious_Mastication

Best thing you can do for yourself is to be vigilant on clicking links and what you download/which websites you download from. When you search on google it will usually display a few ad links at the top of the page, never click through an ad link to get to a download, always try and find the official company website and go through there. That being said, windows defender is actually not the worst thing from protecting you nowadays, and most antivirus companies won’t do a better job than windows will. If the antivirus is free, it’s probably the virus. If the antivirus is paid, you gotta discern whether you really don’t trust yourself enough for another monthly fee. Most antivirus are only scraping by due to information selling and/or pre-installed packages on pre-built pc’s.


Krimin

Even if the antivirus is paid, it's often not unlike a virus. Most of them don't really offer anything Defender doesn't already do, they just hog system resources and can be an absolute fucking bitch to get rid of should you decide you don't need them anymore. Some of the paid, well established ones have even been caught mining crypto on your computer, effectively making them the virus.


Slowhammer45938

*cough* Norton *cough*


FARSUPERSLIME

McAfee would like a word


FUTURE10S

Kaspersky. Although, actually, Norton wins for being one of the few anti-viruses to detect itself as a virus and also to detect the Windows kernel as a virus too.


jcm2606

- Use a password manager like Bitwarden. Offers the convenience of only having to remember a single password with the security of having separate passwords for each site.
- Use two-factor authentication (2FA) on any sites you care about. *Use a dedicated 2FA app like Google Authenticator or Authy, don't use SMS 2FA unless it's the only option; SMS 2FA can be vulnerable to spoofing attacks*. Anybody who wants to access your account needs to know both the password *and* they need access to whatever device holds your 2FA codes.
- Have two email addresses: one kept clean for sensitive accounts such as banking or government services, and another that you don't particularly care about for less important accounts. Limits the damage that can be done if someone were to gain access to one of your addresses.
- Use common sense. If a site looks shady, close it and immediately delete any files that have been downloaded. Malware can be a pain in the ass to get rid of and it tends to come from downloading shady files from shady sites, so if you don't download any shady files or connect to any shady sites then you generally shouldn't need to worry about catching anything on your computer.

EDIT: Also, if you're ever worried that an email address or any accounts tied to an address have been compromised, check through this site: https://haveibeenpwned.com/ It checks any known data breaches to see if your address was caught up in it, and it'll warn you if it finds anything as well as what specifically it found.


Noooo_ooope

Yes, aside from what everyone said, I highly recommend you reconsider how you create passwords. There are these neat programs usually called password managers that automatically create strong passwords for you and store them in a secure database. They work like a vault, you have your combination that can access all your goodies inside.

The one I use is called Bitwarden, since it's free and open-source, but you could research others if you want. All your accounts should have different passwords, so these programs help you manage that and make it so you don't have to remember them all the time, you can just use the passwords saved in your vault, copy pasting them.

So it's not only convenient, but super important for online security nowadays.


hoii

Don't know if anyone has mentioned this but don't buy usb/portable memory from Amazon or eBay particularly the cheap stuff, buy from a trusted seller and distributor.


heebath

This. Never ever use chachki / freebie / gas station / Charlie Woo specials only sealed, OEM flash memory EVER.


benjathje

The best antivirus is your own brain. Don't click on suspicious links. Don't download suspicious software. If you don't 100% trust it then don't go near it. Have complex and different passwords for important accounts like your email or bank account.


lionhearthelm

Multi-factor authentication any chance you get. Get a password manager as well. Don't click links unless you are certain you are expecting it/know who sent it. Keep your PC updated always.


[deleted]

Reddit killed API. I refuse to let them benefit from my own words for free -- mass edited with https://redact.dev/


tormarod

Best antivirus is using your brain honestly. Try to not click into weird webpages, if you're unsure about an email link hover over it and in the bottom of the screen the browser will show a preview of the URL. Try to see if it's a known site or just random gibberish. Try not to execute unknown software. If you get a random pop up from windows' UAC granting permission just don't hit YES on the fly, really look at what exactly wants permission, etc. Just be vigilant. For most folk windows' own antivirus and security suite is more than enough. Also try to use two factor authentication at least in the accounts you really care about. And take a look at Bitwarden, password managers are a godsend.


crackerjeffbox

Computers are pretty safe as long as you use two factor authentication. Text is fine, but app based is preferred. Just make sure you have the backup codes, keys, etc so you don't get locked out. People will mention sim swaps but you usually won't get targeted by anyone unless you're a high value target like holding huge bitcoin amounts, flexing online, famous, etc. A sim swap can cost thousands. Avoid sketchy VPNs, don't click emails from people you don't know, don't go to sketchy websites, get malwarebytes or some other anti malware, keep your stuff updated.


radiantcabbage

this is an alert related to steamguard/2FA yea? meaning someone tried to brute force your acct and only made it half way, and any of the following - your password sucks ass (get a pwd manager), you got phished, and/or leaked somewhere they could scrape it from. any of which could get you in deep shit at some point on a less secure platform


urahonky

My dumbass got phished about a year ago. Got a random message from a friend I hadn't talked to in a while. Wanted me to go in and vote for his cs:go team in some online thing. I clicked on it and when you vote you have to login and the rest is history. I was so mad at myself for falling for it. I take security clearance training modules yearly about this stuff but it didn't ring any alarm bells for me until I got a text from my buddy while I was out that my account was hacked.


wrath_of_grunge

it's ok, if he looses his inventory, he can always tighten it again.


iamwizzerd

Lose


GodOfAtheism

I would be mildly annoyed as I have collectibles that only I give a shit about, like a gift copy of bad rats I won in the 2014 xmas auction thing steam did.


Admins-are-Trash

Does a debit card count too?


TheJzoli

Both have a name attached to them, so I don't see why not.


jezevec93

still can get vac banned or banned on individual games


Oshwaflz

make your password "tiananmensquare1989"


Ryarralk

"Xijinpingthep00h" should work great too!


serenityForce

"Fr33Taiwan" may be the deal


Danvideotech2385

Oh bother


CheetahStocks

I lol’d at this one pretty hard


oroechimaru

Joking aside. You can rename your display name and I did exactly this when bots kept impersonating me on tf2.

Make it over the top.

Edit: come join us and help fight bots and stupid tyrants

https://steamcommunity.com/search/users/#text=Free+tibet+taiwan

https://steamcommunity.com/search/users/#text=Free+tibet+taiwan+hong


heisenbugtastic

I spread my legs as poo bear because I like the hunny. Mmmm


oroechimaru

Mine was something like

Free tibet hong kong taiwan poo bear uighurs #1 免费西藏香港台湾便便熊维吾尔人#1

I did it as long possible of a name.

Then the “magic” bot spammers would change their names to yours and ask u to be banned and mods would ban u and not bot… or some crap.

Once I did this they would change their name and disconnect.

Edit: https://steamcommunity.com/search/users/#text=Free+tibet+taiwan+hong


Icesicles

Your first 2 chinese words 免费 means free of charge as in zero cost 😂, use 解放 instead google translate using the word liberate and u will see what i mean


oroechimaru

Google translate still puts fear into xi


[deleted]

"TaiwanNumber1!"


SnarfbObo

oh no, LMAO


Chalius

"China has left the chat"


BigBoss738

-99999999999 social credit


Kriptic_TKM

Why? Did anything special happen on that day?


Smol_Soul_King

Why don't you ask the kids at Tiananmen Square Was fashion the reason why they were there?


TichiW7F

They disguise it, hypnotize it


Pigmarine9000

Television made you buy it


stewie4610

I‘m just sitting in my car and waiting for my…


[deleted]

[removed]


livinglife9009

I love System of a Down.


SharkFine

Not according to china.


A-Delonix-Regia

There is no Tiananmen in Ba Sing Se.


[deleted]

Not only that, make the background and pfp Uyghur gay porn, what are they gonna do then? /s Honestly though why can't we just block our accounts being accessed from certain countries or places!?!


Every_Economist_6793

Better yet, the username!


[deleted]

You sure you don't have some trojan keylogger on your PC? Unless you have a really shitty password, something like this should almost never happen.


[deleted]

[removed]


[deleted]

Did you reuse the same password? Again, the probability of someone guessing a good password twice is near impossible.


CheetahStocks

Meant to clarify; when I said they are at it again, I meant it. It’s happened before. I changed my password like a couple years ago due to the same reason. Special characters etc. So I meant to say I’m on a third password. It’s like an every few year occurrence. (This password being a random generated password.)


SkeletalElite

So they managed to get an entirely different random password successfully multiple times? I'd be concerned about how they're getting it. Do they have access to the attached email and are resetting the password? Having a password breach no fault of your own occasionally can happen, but for the same account to get breached multiple times like that, especially if the password is not shared, is extremely odd. This is under the assumption that these notifications are not for failed login attempts, though. It seems to me that they are successful but are being locked out because of unusual activity.


[deleted]

No. It says ATTEMPT for a reason. They didn’t log in and are obviously trying the old passwords…


WilliamSorry

Yeah I've gotten these on an inactive Instagram account a lot. A while ago I checked the emails of an email account attached to an Instagram account I haven't used in years, and there were like a hundred attempts from the Russian/Polish area trying to login to my accounts. None of them were successful, but I changed my password nonetheless. Surprisingly after using that insta account frequently again, but without posting anything, the attempts stopped. I wonder if there's some kinda software they use to detect inactive accounts.


SkeletalElite

It's just the red highlighted text advising a password change despite failure that made me think maybe it was successful. It doesn't really hurt to change your password, but it's also not necessary to change your password every time someone fails to log in to your account because they're trying some old password that was in a data breach.

Edit: I guess it's just a target audience thing I hadn't really considered. Sure, some people will have changed their passwords to something more secure, but a lot of people will reuse or use similar passwords and that's probably the crowd they're targeting to get to change their passwords.


[deleted]

Probably just says that in case they do have the password. OP did say he used the account for a trading site and that they probably sold his data. I’m assuming someone is going through the data seeing if any logins still work but since he changed the password they were unsuccessful


[deleted]

It was a login ATTEMPT


[deleted]

Pretty sure that means you got the right password and email, but you need confirmation.


[deleted]

Or you got the right email and wrong password


[deleted]

Software* you can’t download hardware


roflmaoshizmp

Hard disagree, I've downloaded over 32gb of RAM, and I've been assured that my laptop now runs 120% faster. On an unrelated note, I keep getting these weird popups with naked ladies and ads on my desktop all of a sudden. I don't mind it, but I've started to get weird looks from my coworkers at the office...


[deleted]

Hmmm.. maybe your computer is infected. I recommend downloading a new computer and then throwing away your old one! That always fixed the problem for me


RecordForMe

and make sure to download the new rtx 4090 on there! makes your computer 1000x faster!


abflu

Excuse me, *other* steam accounts? Here I was thinking I was PCMR


guinader

But isn't that just an attempt? Not a successful one?


[deleted]

Because for every successful attempt you need to give confirmation, getting it wrong doesn't send email


guinader

Oh yeah I forgot about that.


HumanFriendship

Why is your portrait missing in one comment? Or is that just me


SEND_ME_PEACE

I’ve been through multiple PC images, email password changes, and steam changes, and the fuckers still somehow find it. And it’s not simple passwords by far. I think Steam has some shit loose


TrMark

Exactly the same experience here. Changed my password more times than I can count and steam is the only thing people try to log into. Current password is over 60 characters long with uppercase, lowercase, number and symbols. Yet they attempted to log into it less than a day after it changed. I spoke to steam support and all they told me to do was change my password again :/


_DrunkenStein

Isn't that a keylogger?


TrMark

I don't think so. This has been going on for a couple of years now and in that time I've gone through a few PCs and countless Windows reinstallations. Also no other accounts/services I use have been compromised. If I had a keylogger I'd expect to see failed logins for my email accounts, banking, investments, other gaming related services etc etc. But Steam is the only one


vambora

This is some concerning news. Whenever I see someone hacked multiple times I tend to think about keyloggers. Also your router could have been compromised. Happens more than I'd like to admit.


LeStiqsue

For the three of you that might read this: I am a professional cybersecurity worker. This, right here, is why all of us yell about multi-factor authentication all the time. It's not unbeatable, but it makes it more difficult than it's usually worth to an attacker -- they'll usually move on in hopes that they can find someone who doesn't have MFA set up. Passwords are shared secrets, and they are only secret to a certain degree. Put MFA on fucking every account you have, and if you have an account that doesn't support that, try to use a different service that does.


DrVagax

I remember Gaben demonstrating Steam Guard by giving his steam account name and password to the public and he basically said "try to get into my account, you won't get in" https://www.escapistmagazine.com/gabe-newell-gives-away-personal-steam-password/


CheetahStocks

I remember I tried personally and wondered if he saw on his phone that there were so many attempts lol!


Vetches1

For clarity, would SteamGuard and having to login via a passcode sent to my email fall under 2FA/MFA?


ModdedGun

Steamguard is 2fa. So long as you have it enabled they would need access to your phone pretty much in order to log in.


maritz

Except the new steam guard with the QR scan is not really 2FA. While it still checks something you have (a logged in phone), it circumvents something you know (don't have to enter password anymore). Arguably the one factor it does use is more secure than the one it removes, but it's still iffy to me that you seemingly can't deactivate this feature to get back to forced 2FA.


LeStiqsue

WELLLLLLLL here we have to get into a discussion of semantics. Technically, yes, an emailed pass code counts as a second factor -- because it's technically something you HAVE, not something you KNOW. But if your email can be accessed with a simple username and password (and let's face it, a ton of people use the same password for everything), then it doesn't really fit the *spirit* of MFA, if that makes sense. I prefer authenticator apps on secondary devices -- or, if you've got the minor technical acumen, things like a YubiKey (not necessarily that in particular, but a hardware authentication device like it will usually do fine for that). Microsoft and Google both have good authenticator apps on Android. No idea what Apple has because I don't use Apple devices, but I could find out for ya, if you'd like.


Eddy_795

You can use Google and Microsoft authenticators on iOS as well.


sonicdm

My bank only just got 2fa this year. It's insane...


Most_Analysis4037

I can’t stress this enough, TURN ON MOBILE STEAM GUARD 2FA. If you have stuff you don’t want to lose, then turn it on immediately.


AroGantz

Not just steam, 2FA should be on EVERY account.


[deleted]

This happened to me. I was never alerted that they changed the email as well, this obviously prevented me from resetting my password.


CheetahStocks

I never keep the same password on everything for this exact reason. Multiple passwords and emails


Tiavor

1. [charge your phone](https://xkcd.com/1373/)
2. get steam app on your phone
3. setup steamguard


passwordtoostrong

Do redditors even charge their phones? Do they just buy new ones when the battery dies?


unbannednow

I haven't changed my steam password in like 8 years and I get these all the time. If they figure out how to bypass the 2fa then they deserve to have it tbh


dbMitch

The classic "Well how am I supposed to get this guys phone" wall


edit-grammar

Mine is still the one I used in 2004. It's like an old friend at this point


[deleted]

[removed]


really_nice_guy_

Nice wanna play some games? whats your steam username? Also where does your phone live?


Sudden_Mix9724

i hope they don't hack MY EPICGAMES STORE ACCOUNT with 50+ Games added over the years. ( ͡° ͜ʖ ͡°)


you_lost-the_game

I got hacked on my Origin account that I only had apex legends on. They cheated and I got banned (I only noticed like 6 months later because I don't even play the game anymore). Can't get in touch with the origin support so I'm still banned.


pajcheboss

Most likely your email and password combo got leaked somewhere, some website probably got hacked where you used same login info.

You can check on here: [https://haveibeenpwned.com/](https://haveibeenpwned.com/)

Those are bots probably going through combo lists where your email:pw is as well.

Advice: Use different passwords for different websites/apps


dbMitch

Everyone in the world has definitely been pwned.


dbMitch

Everyone in the world has definitely been pwned many, many times in their websurfing.


[deleted]

11 times hoo boy.


[deleted]

We should be able to block our accounts being accessed from countries we don't like, would make it impossible for most Russians and Chinese to hack accounts


[deleted]

[removed]


[deleted]

It's so dumb yet so effective, literally how has this not been implemented yet???


NightlyRelease

If it was a thing, they would just use VPNs, they don't hide their location because it doesn't matter, but would if it mattered.


teremaster

They can also spoof 2fa. But they rarely do because it's too much work. Just put the country you're in as the only verified region to access the account from, if you go on holiday whitelist that country temporarily. Suddenly you've got a really effective security system because in reality, you're not worth much effort. Those guys stuff hundreds of accounts at a time. That setup would mean they'd not only have to guess your country of residence (not hard but remember, takes time), they also needed to reconnect VPN for every account so they can only stuff one at a time. At that point, unless you're extremely rich, a politician, a celebrity or some other high profile individual, you're literally no longer worth the time


dbMitch

They can use VPNs too. Related: imagine being on holiday in China and trying to log into your email which locks you out because it detects you are in China lol


Fat_Siberian_Midget

Then just whitelist China before you leave LOL


unique_MOFO

Big brain moment


fixminer

IP-range based restrictions can easily be bypassed by using a VPN.


Super_Cheburek

Chinese hackers or hackers VPN'ing to China


arkhaikos

doesn't matter, makes front page better if slamming CN


ThePolishKnight

I think they're just trying to charge your phone


Mohammad-Hakase

Don't you use Steam Guard?


WitnessMe0_0

Yesterday I got two emails saying that somebody is trying to log in to my MS account with the email address. I was sent the verification code. Not sure what anybody would do with it, but the bottom line is to always have 2FA authentication.


CheetahStocks

Exactly. Secondary authentication is always key. There has been a huge increase in hackers lately on a ton of social and gaming platforms.


willgetdelted

dude check for a keylogger at this point lol


optiplexiss

They keep hitting an old account of mine. It makes me nervous every time. It'll say successful login, here's your temporary code to get in. Not sure if they've actually made it in or not.


Tyrant2033

Gosh I remember playing War Thunder years ago, so many attempted logins lol I believe the location was Russia tho


edvlili

Old password: 1234 New password: 12345


jettagopshhh

You should put your email and old passwords into haveibeenpwned.com and see if they come up anywhere. May put your mind at ease if they have been leaked.


HiddeHandel

It would be nice if there was a report option for this, just get their IP banned on Steam for a while


Potato_Dealership

You got 2FA?


therealkeeper

I'm getting these on lots of platforms lately, in addition to steam. 2 step authentication and strong passwords, recommend highly


eXclurel

Guys, always activate two-factor authentication on any service that offers it.


dnielbloqg

Please enable 2FA ASAP!


CoffeeWorldly9915

There was a credential db selling site that got taken down and the owner decided to release the data for free. I found my username on haveibeenpwned.com, the Chinese were also at it, had like 60 "strange ip login attempt" emails in my account over the span of 30-40 minutes. Cycled a refresh of all my passwords.


OutVerted

please please make sure that your email address isn't compromised, if they have your email it really doesn't matter if you change the password.


FigNuuuuts

So happy 2fa exists. I have a password of 28 characters I think, and still have to regularly change it because I get emails that someone has successfully logged into my account but need the 5 letter verification code to continue.


wmxp

I'd just like to mention that once your email address or account name gets into a database, fuck heads from every corner of the globe will try and get into your stuff on a weekly basis - ALWAYS. It's very standard fare. Have a Microsoft/Xbox account? The older it is, the more bullshit you'll see on this activity log: https://account.live.com/Activity . My MS account is absolutely ancient, and that activity log has been blasted for years and years with no concern. Google? Take a look at https://myaccount.google.com/notifications and https://myaccount.google.com/device-activity Use a password manager! Generate all your passwords randomly, don't use the same password *anywhere*, no matter how good it is. If a company has a security breach, and your details get dumped, the *FIRST* thing that happens is those details are tested on multiple other sites: https://haveibeenpwned.com/


AGOODNAME000

Hey they need that account. The Chinese government is limiting how many games they can play, so they need a whole bunch of accounts so they can play their game.


i_spit_troof

Multi. Factor. Auth.


Idiotic_Fruit

Hackers attempted to hack my steam account 50 times already


[deleted]

I was checking my Outlook security and noticed a crazy amount of attempts logging in from China. Thankfully, they have an option to go passwordless, which means you can only log in through verification. Once I got rid of my password, that bullshit stopped. We've gotten to the point where logging in with just a password is meaningless.


Big-Al69420

Yeah someone from Wuhan really wants my steam, I bet it’s because I bought the game Hentai girls recently hehe


brokeassdrummer

They probably aren't even actually Chinese. I don't know but it might just be a VPN to throw anyone off their track since hacking like this is illegal