Hijacked account. How secure is Steam?

[Redgum]

https://support.steampowered.com/kb_...2347-QDFN-4366
Above is a link for how to retrieve a hijacked account


Can you remove your credit card information so when they hijack they cant gift games against your account?

Edit: found my own answer

log in to the steam account https://store.steampowered.com/account and you can delete the "last 4 digit crdit card". (and deleted!)

[Beavis]

Be aware that with the latest trade/buy system in TF2 that aholes a targeting players to click on links to trade items........DO NOT click on any links on Steam chat

[Roosta]

Quote:

Originally Posted by Thermal Ions

You'll probably get the response that the "verify email" option was implemented to provide this additional protection and I recall it being advertised at the time on the Steam News page.

It'd suggest that it should have been more prominently pushed by Valve as not everyone uses Steam as frequently as many of us and / or don't read the news page. How hard would it be for Valve email all users who haven't verified or have steam pop-up a recommendation maybe once a month when unverified users start steam. Through slackness I took a while before doing the verification and never received a targeted prompting either through Steam or via email. I'd imagine there are a good portion of accounts that still haven't verified and thus have to imagine the higher that number, the higher the number of stolen account support tickets Valve would be dealing with.

Spot on!!!!
Neither my Son, (nor myself for that matter) knew about the "Verify Email" option until my nephew showed me last night........
The only email my son got from Steam was to say that his change of email had been processed..etc...etc...
They should send an email with a verification code to the old email address in order for someone to change to a new email address. (The same as they do when you change your password).
All his games were gifts from me using my account with PayPal, so I hope he gets them back.
He is a shattered little man this morning, we've got a SLAK Lan to go to on Saturday, and it looks like he will be using my rig.

Quote:

Originally Posted by Jigoku

On an account with no games, when you try to make a purchase without verifying your email address it will force you to do so before the purchase is allowed to continue. It's a shame it doesn't force this on every account.

Now there's the diddly...
He still hasn't purchased any games...They have all been gifted to him.

[Xavien]

I have a friend who hasnt logged into steam for a year, hes only got one game on it L4D which he bought from a retail so hasnt got his details in steam. He wants to play guardian of light but when he tried logging in it didnt recognise his email address. He swears he has the email correct. When he puts in for a password change steam its sent a new password to the email address but he doesnt get anything. It looks to me that someone has hacked him and changed the details.

Steam are so slow to get back though i think its going to be a week or so before he gets to find out whats happened to his account but reading this does lead me to believe that hes been hacked somehow.

Can anyone explain where i can find the verify email option in steam please

[Redgum]

Xavien - here is the link

https://support.steampowered.com/kb_...AS-1543#verify

Quote:

On Windows

1. Right-click on the Steam icon in the System Tray and select Settings or press the Settings button in Steam's File menu.
2. Click on the Verify email address button.
3. Follow the on-screen instructions.
4. You should then receive an email message from Steam Support.
5. Click the unique link provided in this email message to finish verifying your email address. The web page which then launches will confirm your success.

On Mac

1. Open Steam and click on Steam > Preferences
2. Click on the Verify email address button.
3. Follow the on-screen instructions.
4. You should then receive an email message from Steam Support.
5. Click the unique link provided in this email message to finish verifying your email address. The web page which then launches will confirm your success.

I never received the verification email message from Steam Support. What should I do?

If you do not receive the email message from Steam Support and you are running a Spam filter, check and make sure the message has not been filtered as spam.
If you are still unable to receive the verification email, you will need to contact Steam Support.

[Chief]

A bit of this going around at the moment. A togger had their account hijacked yesterday and it spread through several other toggers as the hijackers send links to everyone on the person's friend list. I received 3 messages from toggers yesterday, written in pretty bad english with a dodgy link.

So don't think you're safe if the message comes from another TOG person, and if you do click a link definitely don't enter any details.

[Drac]

Clicking a link by itself shouldn't be able to steal your password. Never type your steam password into a form field in a web browser - not even the web version of Steam's community website. Even just typing the password and not submitting/sending the form is enough to have a script on the page sneakily send whatever you type to a hackers database after each keystroke.

Do not use simple or generic passwords or anything based on the letters of your login or real name. Hackers can run scripts that test common passwords against the steam community website.

[wHiTeRaSTa]

Yep hows this..last night someone on my friends list sent me a I M saying "White i cant believe what you wrote on the forum : DD" like so, with a link to a bogus steam forum login page. As soon as the message came through his status went to offline. I have now blocked this so called friend. It's strange really seeing as i only have a few non Toggers on my list.
I blocked him and have forgotten the name.....wish i took some time to take down the details though. I do remember that this was one in my list with a ever changing nickname. I'm now going through my list and getting rid of peeps i dont know.

EDIT...I've found the name's that he goes by....
biggles-whiskers up for trade
biggles
TYG|Lord Bigglesbee
A Horse(Bigglesbee)
A Horse
Horses are for winners
{SLAK}Lord Bigglesbee

Check your friends lists guys......

His Steam community profile is..
http://steamcommunity.com/profiles/76561197996810978/

I've since unbloked him...and when i see him online he will be coping a serving from me i tell ya......

[Dreadly]

Unfortunately Biggle's account was hijacked last night and links was being spammed to people in his friends list.

So not his fault, just a victim of a nasty phising attempt.

[Mighty Brush]

Quote:

Originally Posted by Drac

Clicking a link by itself shouldn't be able to steal your password. Never type your steam password into a form field in a web browser - not even the web version of Steam's community website. Even just typing the password and not submitting/sending the form is enough to have a script on the page sneakily send whatever you type to a hackers database after each keystroke.

Not entirely true, if you're worried about a keylogger, the keylogger will capture the entry direct into the Steam client as well. If you've had script injected after manually navigating to the steam website then you've got other serious issues going on (e.g. you've been pwned anyway). I doubt you'll get big use of CSRF or anything against steam. Personally, I'd classify this as acceptable risk.

More specifically never enter your username and password into a web form (for anything) that you did not navigate to manually. If you follow a link you click (even from google) DO NOT enter your username and password. This is why banks always tell you to type the URL to their banking site manually. Never enter your username and password into a web page that is not protected by SSL/TLS - most modern browsers will display either a padlock symbol and/or will change the colour of the URL (green for firefox). If you see any errors pop up about certificates, run for the hills.

You can be attacked by clicking on any given link without first inspecting the URL. If you aren't technically able to check these details, then you shouldn't click links someone has sent you - if they're all "hey check out this cute youtube clip of a kitten falling asleep in a teacup: YouTube - Kitten fall asleep in a teacup" don't click the link, manually go to youtube and search for the clip yourself.

This applies to all forms of communication, email, steam IM, MSN etc.

For those with kids: Make sure you teach your kids never to click on links someone sends them without asking you first. Also make sure you don't have a CC registered against their steam account - always send by gift!