77,000 Steam Accounts Compromised Monthly, Says Valve

Trade delay implemented as problem of account hijacking grows.

Steam accounts have long been a target of thieves, and the issue is only getting worse as the service continues to grow, now affecting as many as 77,000 accounts monthly. A new post from Valve addressing the problem has provided some insight into how pervasive account theft is and new steps the company is taking to protect users.

As new features have been introduced to Steam, most notably Steam Trading, which allows transfer of digital goods between users in a barter system, user accounts have only become more attractive for hackers and phishers. With the addition of Steam Trading Cards, practically every active Steam account now has some worth to a thief and is a potential target.

Valve states that the company initially assumed most compromised users had their accounts stolen due to being new and unfamiliar with the service or otherwise technically unsophisticated. That view has changed in the face of the new economic reality where any account can be worth something, and Valve claims that hackers have become indiscriminate about who they target.

Steam has long offered a measure to protect accounts in the form of the Steam Guard Mobile Authenticator (a feature of the Steam smartphone app that requires a second approval for account logins on unfamiliar devices), but Valve reports that a majority of users haven't enabled the feature. The company has historically restored items lost to theft with duplicates, but doing so can significantly impact the value of rare items in the marketplace, making it a less than ideal option.

While Valve has considered simply removing the trading feature, as it accounts for a minority of digital item exchanges compared to the Steam Marketplace (where Valve also gets to take a cut of every transaction), they have instead opted to implement a delay on trades that represent a potential risk.

Going forward, items in a trade will be held by Valve for up to 3 days before being released to their new owner, allowing time for a compromised account holder to discover and cancel the in-progress trade. If the two users have a history of being friends on the service (a minimum of one year), that delay will be reduced to 1 day. Users can eliminate this delay entirely by activating the Steam Guard Mobile Authenticator and turning on trade confirmations, which will lift the restriction after 7 days.

If you have Steam and you have a smartphone, there are very few good reasons not to enable Steam Guard on your account (and I only say that because I'm sure someone out there can think of one or two). Keep your stuff safe, people.

Source: Valve

My only complaint about Steam Guard is that I can't use Authy for it. I try to use Authy for as many two-factor authentication systems as possible, and it's frustrating every time a company implements something their own way that isn't compatible with any existing standards.

P.S. Thanks

P.P.S. But I use Steam Guard anyway, because I like having a non-compromised account.

Really wish Steam would let me make my account secure, but there isn't a version of the app for Windows Phone, so I guess I'm just out of luck.

It's still much better than that piece of shit Origin, where someone can change your e-mail and password without asking you for confirmation, and if you don't react fast enough the password reset link will time out. I didn't want to fuck around with customer service because I only had $5 worth of stuff there (from Humble Bundle, which all went to charity anyway - fuck you, EA), but needless to say I won't be using that pathetically insecure service ever again.

Is... is this another reason to finally get a smartphone or something?

Other than that, I kinda like this new trade delay... because it could lead to some Steam Chat small talk and shit...

Major_Tom:
It's still much better than that piece of shit Origin, where someone can change your e-mail and password without asking you for confirmation, and if you don't react fast enough the password reset link will time out. I didn't want to fuck around with customer service because I only had $5 worth of stuff there (from Humble Bundle, which all went to charity anyway - fuck you, EA), but needless to say I won't be using that pathetically insecure service ever again.

It won't change your mind, but I can tell you that they added guards to your accounts if you enable them. It's a simple phone verification that sends a 6-digit code, but it's something... better than nothing, I guess. Mine got taken the same way 'cause I didn't have that enabled and the link expired, but EA has a, surprisingly, very good customer support that was thorough enough to get me my account back.

Thousands a month? If that's the case, why trust them with your credit card info?

I wonder if they claimed "77,000 a month" so as to ease people into escrow trading and give over their mobile phone numbers.
https://www.youtube.com/watch?v=q5NlXCMvSIA
https://www.youtube.com/watch?v=hWHXE3_xDMk
https://www.youtube.com/watch?v=QnGyLaHZ-jw

I hated the trading, it took away from the games and made them micro-economy simulators to fuel DLC instead of focusing on the fun of the game.

I get enough sales-calls as it is. I'm not giving my number to valve only for them to give it to a "harmless" third party, who then sell it to someone else.

First, it's things like this that prevent me from trading anything. It's just not secure enough and every time I have ever had an interaction with someone it felt so... unstable. It's really completely anonymous.

I don't see a reason not to have them authenticate via text unless you don't have a cell phone, which is not unreasonable. I hate authenticators though. Feel like more trouble than they are worth if you get text messages and email notifications.

As soon as the Steam two-factor auth was released, I pounced on it like a starving lion on a plump zebra.

I've had my account compromised twice in a single year, the last one gracing me with at least one fishy e-begging attempt per month. I got sick of waking up in the morning to automated emails telling me my very Canadian account somehow connected to Chinese or Brazilian PCs; so screw it. I never log from anywhere else, so sticking as many hurdles as I can in the way of determined thieves is fine by me.

Makes me wish you could lie about your games list, or hide that specifically while keeping the rest visible.

Phantom Renegade:
Really wish Steam would let me make my account secure, but there isn't a version of the app for Windows Phone, so I guess I'm just out of luck.

They've had email-based multifactor for a while, well before they added it to the Steam mobile app. This will work on any device.

P.S. Thanks

Conrad Zimmerman:
If you have Steam and you have a smartphone, there are very few good reasons not to enable Steam Guard on your account (and I only say that because I'm sure someone out there can think of one or two). Keep your stuff safe, people.

I can give you one very good reason for not enabling it and why I'm not using it right now: because it's broken and/or very badly designed based on how you look at it.

What do I mean? Well... part of how the authentication works is that it requires you to get a regularly-changing code from your phone app and input it along with your normal account details when you log in. I know this because I tried it last week. Standard kind of security procedure for these kinds of logins; a member of my family had a digital authenticator which worked the same way once for logging into his work account remotely. All's well and good.

Except...it ALSO requires the code to log into the phone app itself if you ever need to do that. Which is fine if you never log out (which is the norm). But if the app ever crashes, or updates, and requires you to log in again then you physically can't log into the app without the damn authentication code which you can only get by being logged into the app in the first place. Genius!

I found this out the very day after I first activated the authentication option. 10/10 implementation there, Valve. I had to spend twenty minutes screwing about jumping through hoops to disable the authenticator just to get my account back.

I'd use it if it wasn't broken. A quick Google search indicates other people brought up this exact problem MONTHS ago but Valve has done precisely nothing about it, it seems. At least you don't outright lose your account over it.

Lightspeaker:

Conrad Zimmerman:
If you have Steam and you have a smartphone, there are very few good reasons not to enable Steam Guard on your account (and I only say that because I'm sure someone out there can think of one or two). Keep your stuff safe, people.

I can give you one very good reason for not enabling it and why I'm not using it right now: because it's broken and/or very badly designed based on how you look at it.

What do I mean? Well... part of how the authentication works is that it requires you to get a regularly-changing code from your phone app and input it along with your normal account details when you log in. I know this because I tried it last week. Standard kind of security procedure for these kinds of logins; a member of my family had a digital authenticator which worked the same way once for logging into his work account remotely. All's well and good.

Except...it ALSO requires the code to log into the phone app itself if you ever need to do that. Which is fine if you never log out (which is the norm). But if the app ever crashes, or updates, and requires you to log in again then you physically can't log into the app without the damn authentication code which you can only get by being logged into the app in the first place. Genius!

I found this out the very day after I first activated the authentication option. 10/10 implementation there, Valve. I had to spend twenty minutes screwing about jumping through hoops to disable the authenticator just to get my account back.

I'd use it if it wasn't broken. A quick Google search indicates other people brought up this exact problem MONTHS ago but Valve has done precisely nothing about it, it seems. At least you don't outright lose your account over it.

I have another good reason. Because even the three day escrow is not enough for me. I only play on Steam about once a week. Three days is four days too short for me to even care. Not that I ever trade anything.

And how exactly do these accounts get hacked? If you're a hermit who only plays single player games and only drops into the market to quickly dump trading cards, plus have a highly secure password, do you really need to worry?

Or is this a case where scammers just get viruses/keyloggers onto people's PCs through other avenues and fish out a Steam account if it's there?

Phantom Renegade:
Really wish Steam would let me make my account secure, but there isn't a version of the app for Windows Phone, so I guess I'm just out of luck.

Yeah, I was just checking to see if they had one. Kinda bummed that they don't. :/

OT: I use the email option for steam guard codes. I totally forgot that I had set it up, too; I got a little worried when I read the article and then checked my settings.

I'd install the steam mobile guard in a jiffy if it wasn't such a piece of bloated ad- and spyware.
New games? *message* New price drops? *message* Chat from someone on your friend list? *message*
Sorry, that doesn't do for me. I don't need more crapware on my smartphone.
Valve, do like the Google-Authenticator, a lean piece of software which functions solely to present you with codes for login.

It's a good idea, but why can it not use the Google Authenticator? It's a pain to have multiple authenticator apps for different things. The Google app supports having multiple tokens.

It's bloody annoying

symantec one for work
one for my bank
one for gmail
one for blizzard

and now another for steam.

Yeshe:
I
Valve, do like the Google-Authenticator, a lean piece of software which functions solely to present you with codes for login.

You can have multiple things on the Google Authenticator so there is no need for the app; everyone should just use that.

Baresark:
First, it's things like this that prevent me from trading anything. It's just not secure enough and every time I have ever had an interaction with someone it felt so... unstable. It's really completely anonymous.

I don't see a reason not to have them authenticate via text unless you don't have a cell phone, which is not unreasonable. I hate authenticators though. Feel like more trouble than they are worth if you get text messages and email notifications.

I will not give my number to any company. Receiving spam emails can be easily dismissed, but being called by someone I'm not expecting can ruin my whole day.

Lightspeaker:
Except...it ALSO requires the code to log into the phone app itself if you ever need to do that. Which is fine if you never log out (which is the norm). But if the app ever crashes, or updates, and requires you to log in again then you physically can't log into the app without the damn authentication code which you can only get by being logged into the app in the first place. Genius!

What wonderful design. I don't usually like to leave apps running when I'm not using them so this would probably break the entire service.

Another reason to add to my list of reasons why the Steam Trading Card bullshit is stupid. I like Steam and the simplicity of it. But I never got into the card thing and consider them to be worthless outright. As I've said before, if earned like achievements, I could see the value in them and would actively go out of my way to get them. But trading and paying money for worthless cards that raise your Steam level that has no real tangible benefits aside from cosmetic crap is a big waste of time when I could just play the games I bought on steam... you know... what steam is originally for.

OT: I've noticed lots of random people friending me and sending me links lately. Minute I get a link I immediately block them. If I don't know you I'm not falling for your stupid trick.

Well, there is only one way to prevent that: make people actually secure their accounts. No authentication process will help if the person using it is stupid.

ChaoGuy2006:
Thousands a month? If that's the case, why trust them with your credit card info?

Uh, you don't need to? I pay for Steam games via PayPal, which requires me to sign into PayPal every time I need to make a purchase. Steam only sees my email address as PayPal address, which it already knows as my Steam registration email address anyway.

alj:
It's a good idea, but why can it not use the Google Authenticator? It's a pain to have multiple authenticator apps for different things. The Google app supports having multiple tokens.

This baffles me beyond belief. The whole point of having an authenticator is that it is unique and cannot be leaked out. Using the same authenticator for everything is the same thing as using the same password for every website. It's just a stupid idea to begin with.

IamLEAM1983:
As soon as the Steam two-factor auth was released, I pounced on it like a starving lion on a plump zebra.

I've had my account compromised twice in a single year, the last one gracing me with at least one fishy e-begging attempt per month. I got sick of waking up in the morning to automated emails telling me my very Canadian account somehow connected to Chinese or Brazilian PCs; so screw it. I never log from anywhere else, so sticking as many hurdles as I can in the way of determined thieves is fine by me.

Makes me wish you could lie about your games list, or hide that specifically while keeping the rest visible.

Do they target accounts with more games? I've gotten many ads from compromised accounts that send me phishing links. I typically report them and tell the bot on the other end to kill them-self (Hey, one day maybe the fuckers doing it will read it and follow my very detailed instructions), to the point where steam notifications are actually annoying, because most of them are bots adding me to try to phish me, and it's just yet another bit of messing around in Steam's awful browser.

Loonyyy:
Do they target accounts with more games?

I don't honestly know; what I've mostly had to deal with is person-to-person attempts at phishing or e-begging. "You have so many games, I thought you'd be more generous!" is a pretty common hook, a pathetic attempt at guilt-tripping your mark. The type I've had to deal with usually involves kids from Eastern Europe - or scammers claiming to be kids - who figure I'll pull a Post-Christmas Ordeal Ebenezer Scrooge and buy them 80$ games in exchange for TF2 hats. Since we're in Christmastime, I'm expecting one of these somewhere between now and the New Year.

As for my two hijacking instances, I figure the hackers assume that there's enough pedigree to my account for the illicit users to settle with using what I have. I never linked my credit card info with my Steam account, but I did have to ask Valve to remove a credit card that wasn't mine.

So yeah. I learned to change my password twice a year the hard and painfully annoying way.

Strazdas:

This baffles me beyond belief. The whole point of having an authenticator is that it is unique and cannot be leaked out. Using the same authenticator for everything is the same thing as using the same password for every website. It's just a stupid idea to begin with.

It does not work like that. It's one app, but each service you sign up for has its own key. The key is only ever shared the one time you register it; there is no way to bypass it.
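
The per-service key model described in the reply above, as an added example that is not part of the original thread: standard RFC 6238 TOTP, which Google Authenticator implements, with one app holding a separate secret for each of two services. The service names and the second secret are constructed; the first secret is the RFC 6238 test key.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, using RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check; accepts +/- `window` 30-second steps of clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + drift * 30), submitted)
        for drift in range(-window, window + 1)
    )


class AuthenticatorApp:
    """One app on the phone, one independent secret per enrolled service."""

    def __init__(self):
        self._secrets = {}

    def enroll(self, service: str, secret: bytes) -> None:
        # The secret is handed over once, at registration (e.g. via QR code).
        self._secrets[service] = secret

    def code(self, service: str, unix_time: int) -> str:
        return totp(self._secrets[service], unix_time)


# Server-side secret stores. "bank" uses the RFC 6238 test key so the output
# can be checked against the RFC; "games" is a constructed sample value.
SERVER_SECRETS = {
    "bank": b"12345678901234567890",
    "games": b"constructed-sample-secret-02",
}


def cross_service_accepts(times) -> int:
    """Count how often a code generated for 'bank' is accepted by 'games'."""
    app = AuthenticatorApp()
    for service, secret in SERVER_SECRETS.items():
        app.enroll(service, secret)
    return sum(verify(SERVER_SECRETS["games"], app.code("bank", t), t) for t in times)


if __name__ == "__main__":
    now = 1111111109  # fixed timestamp from the RFC 6238 test vectors
    print("bank code :", totp(SERVER_SECRETS["bank"], now))
    print("cross-accepted:", cross_service_accepts(range(now, now + 3000, 30)))
```

A code is only useful against the service whose secret produced it, so a leaked secret at one service does not affect the others held in the same app.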

What options do those of us without a smartphone have? I know it can text me if I forget my password but that's the extent of their protection as far as I know.

Calculator time: Steam says 77,000 accounts a month are compromised. So: 924,000 a year.

Steam also says it has 125 million active accounts (Google search that one). That means that annually they have .007% accounts compromised. A 7th of a percent.

That means that you have a chance of 7 in 1000 of being randomly compromised on Steam. I will bet the odds go up if you are in to CSGO or TF2, though.

Have a Steam account, but not a smartphone (at least not one that can handle that app). Guess I'll just stick to e-mail authentication for now...
