Comments
Worst_Support OP t1_j1mflv7 wrote
Of course, the gift card method is just a very easy backup. I had to use it a few years ago before using 2 factor was so common.
brusiddit t1_j1p0edj wrote
Sounds like a way to steal other people's accounts. Anyone want a free steam gift card code?
MRjubjub t1_j1p3pkc wrote
The real LPT is always in the comments.
bluelonilness t1_j1p5j1o wrote
The real LPT is the gift cards we found along the way
OneThiCBoi t1_j1p7hzz wrote
That's not how it works, the steam support asks you a bunch of options to provide enough proof that you are the owner, like email, purchase receipts, etc. One of them is giving them a wallet/gift card code which you used on that same account.
The code is just another proof, not a way to steal others' accounts.
[deleted] t1_j1pg3d2 wrote
[deleted]
Robobvious t1_j1piup5 wrote
Fraud happens regardless of the systems put in place to prevent it, and successful fraud utilizes those systems to their advantage. So it very well could be a way to steal someone else’s account provided you have enough information.
WynnChairman t1_j1pcrcp wrote
how long ago was a few years ago? I remember getting bothered by it for a long ass time already
Worst_Support OP t1_j1pzbz8 wrote
like 2016-ish?
DigitalSteven1 t1_j1mujoj wrote
Honestly, it doesn't matter how shitty your password is, or if it's been leaked if you have 2fa on. I've gotten probably no less than 40 attempts to log into my account sent to my phone, all of them with the right password, but none of them can get in. Should I change it? Yeah. Am I going to? Probably not.
Fun fact, when steam rolled out 2FA, Gabe Newell publicly released his account's username and password. No one ever got into it. He has changed it since then, though.
[deleted] t1_j1nj17v wrote
[deleted]
Dinos_12345 t1_j1nkd9k wrote
Also, password manager. I couldn't tell you any of my passwords if held at gunpoint, I couldn't even give you access to 1password because it also needs the security key which I don't remember by heart either.
RandyDandyHoe t1_j1npkgc wrote
I try to use pass phrases that I can remember for the most important accounts, like my main email, bank account, etc. But otherwise yeah it's just a bunch of random letters, signs and numbers with as many characters as I'm allowed to use, and there's no way I'd ever get onto any of those accounts without Bitwarden.
nsa_reddit_monitor t1_j1o4ln6 wrote
I use Keepass, it has a standard format for password databases so a lot of tools and apps exist to read a Keepass database. I make sure (via various methods) that all my computers and phones and backups have a copy of my password database.
I only have the Keepass password memorized, and a couple of my computers use that password for their full-disk encryption (because if you get past that, I'm screwed regardless of if you have my passwords). Basically, unless you take down my computers, my phones, and a couple backups in undisclosed locations, I won't lose any of my passwords.
So I don't even know my bank or email login. Worst case, I can just go to the bank and have them reset it in person. And my email is hosted on a private server I own (in an undisclosed location), so I could physically go to the datacenter and plug a keyboard in to regain access.
TB_Batman t1_j1pc9d7 wrote
Mine are based on my favorite Runescape quests combined with a number and special letter :3
Low_Requirement3266 t1_j1pdd0a wrote
based
Robobvious t1_j1pix82 wrote
All my passwords are the titles of romcoms.
krkrkrkk24 t1_j1o5mi3 wrote
Password manager 😁 Lastpass literally got hacked a few days ago, releasing into the wild users' password vaults only encrypted with the master password, which can easily be brute forced if weak, as well as unencrypted URLs the specific user has visited. Just write all your passwords down.
sy029 t1_j1o9qkn wrote
I switched to keepass years ago after the first lastpass hack. It's completely offline.
anonynown t1_j1pbz0d wrote
> which can easily be brute forced if weak
That isn’t how password managers typically work. Your password vault is encrypted with a much longer key stored on your device. The master key is only used to decrypt the actual decryption key which is long and isn’t stored on their servers, and the master key is useless otherwise. This is why you need to approve on your existing device when enrolling a new one, or enter a very long “recovery” key — that’s how the actual decryption key gets to the new device. Even knowing your master password doesn’t enable the attacker to access your vault without extra steps, like using social engineering to get you to reveal your recovery key or approve a new login.
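Added example (not part of the thread, and not any vendor's actual code): a sketch of the two-secret design this comment describes, where a random vault key is wrapped by a key derived from both the master password and a secret held only on the device. The function names, the PBKDF2 work factor, the way the two secrets are mixed and the HMAC-based encrypt-then-MAC stand-in for a real AEAD such as AES-GCM are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for this sketch


def derive_unlock_key(master_password: str, device_secret: bytes, salt: bytes) -> bytes:
    """Mix the stretched master password with the secret held only on the device."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.new(device_secret, stretched, hashlib.sha256).digest()


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one input key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for an AEAD (standard library only)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


def create_vault(master_password: str, device_secret: bytes, entries: bytes) -> dict:
    """What the server would store: salt, wrapped vault key, encrypted entries."""
    salt = os.urandom(16)
    vault_key = os.urandom(32)  # the long random key that actually encrypts the data
    unlock_key = derive_unlock_key(master_password, device_secret, salt)
    return {"salt": salt,
            "wrapped_key": seal(unlock_key, vault_key),
            "data": seal(vault_key, entries)}


def open_vault(vault: dict, master_password: str, device_secret: bytes):
    """Both secrets are needed to unwrap the vault key; otherwise returns None."""
    unlock_key = derive_unlock_key(master_password, device_secret, vault["salt"])
    vault_key = unseal(unlock_key, vault["wrapped_key"])
    return None if vault_key is None else unseal(vault_key, vault["data"])


if __name__ == "__main__":
    device_secret = os.urandom(32)            # never leaves the enrolled device
    vault = create_vault("constructed master password", device_secret, b"constructed entry")
    print(open_vault(vault, "constructed master password", device_secret))   # plaintext
    print(open_vault(vault, "constructed master password", os.urandom(32)))  # None
```

In this model a stolen copy of the stored blob is only as guessable as the device secret, whatever the master password's strength; a design that derives the unlock key from the master password alone does not have that property.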
Plokmijn27 t1_j1o905q wrote
for real
I've honestly been waiting for this to happen
can't believe people think password managers are a good idea
either use the same password for everything like a normal person, or write them down in a notebook, or on a file on your PC
the chances of lastpass or whatever other company getting hacked is a million times more likely than hackers breaking into your house and stealing your notebook
sy029 t1_j1o9u2z wrote
Or just use an offline password manager.
flyingroad t1_j1or66z wrote
And also using the same password for everything is dumb.
If one of your accounts gets compromised, most likely your other accounts will get compromised.
redyellowblue5031 t1_j1oyuw1 wrote
Exactly. Criminals love people who do this, they even have an attack named after it; credential stuffing.
redyellowblue5031 t1_j1oyrrm wrote
Using the same password everywhere is a fun game if you like credential stuffing.
No system is 100% safe, but if you’re not using a weak master password and also have MFA enabled even with a stolen vault your passwords are safe by all reasonable measures.
krkrkrkk24 t1_j1o9ai9 wrote
Yeah, seriously just the thought of password managers putting all user information in a server together is more than enough to be targeted by hackers and it's crazy people think it's a good idea to just hand your passwords to 3rd party vendors that will claim no responsibility in case of such event
redyellowblue5031 t1_j1oz61j wrote
Managing access is largely about risk vs convenience.
Every major password manager has a plethora of options to mitigate any reasonable risk even if someone got a hold of your vault.
The only way they’re getting in is if you used a weak password to begin with.
SpaceArf t1_j1p6zgc wrote
I really should get my self hosted bitwarden set up on my pi. Just really lazy to do it.
degovial t1_j1o75pq wrote
These "hacking" attempts don't come from brute force, but come from database leaks, most of the time... or social engineering. Creating strong passwords helps against brute force techniques and decrypting encrypted databases that were leaked.
Big or small, no one gives a fuck... just use 2FA and sleep better at night lol.
Izzetmaster01 t1_j1noxcz wrote
I had the most random strong password that would be unguessable. Didn't matter. Still got log in attempts. It really doesn't seem to matter dude
Shuski_Cross t1_j1np3x0 wrote
hunter2 is not a strong password...
Izzetmaster01 t1_j1nqwqo wrote
Funny guy you. We're talking literal hf_2J8@f etc. As strong as you can get as it was about 15 characters and purely random
Shuski_Cross t1_j1nz55l wrote
At this point, it seems you have a key logger installed on your pc.
Izzetmaster01 t1_j1nzmo9 wrote
You realise that most people on the internet aren't technologically illiterate. I don't have a key logger. Otherwise I would be complaining about all of my accounts. It just doesn't matter for steam for whatever reason. You're just coming to a really silly assumption
Grievuuz t1_j1o31xs wrote
I don't wanna butt into the conversation, but I do feel the need to correct you.
The internet currently has 4.9 billion users.
Absolutely no fucking chance that more than half of them even know what a keylogger is.
None.
[deleted] t1_j1o3hdd wrote
[removed]
mortenmhp t1_j1ogoni wrote
Sorry to break it to you. If you are getting log in attempts on Steam with 2fa, someone has your password. Either you got phished, your password was reused and leaked from somewhere or you have a keylogger.
Izzetmaster01 t1_j1oh3mi wrote
I don't know how many times I've got to say it. Seeing as though it was the most random password going and wasn't reused. The only plausible thing would be steam leak. But again doesn't even matter with 2FA. I also don't know how obvious I have to make it, before anyone else comments on having a keylogger, that I don't have a keylogger. Because once again, I've only ever had this issue with steam
brusiddit t1_j1p0zo0 wrote
There are 2FA phishing kits around now that make it really easy to phish people's 2fa codes. The power of MFA is redundancy.
If one of the engines on your plane dies, the first thing you do is go repair the engine, not fly around on only one.
The most important thing I know about infosec is that everything is hackable and no-one is immune to social engineering.
mortenmhp t1_j1w4pzk wrote
Beautiful analogy
Shuski_Cross t1_j1o7egc wrote
I work in IT, surrounded by people who are "technologically literate" and IT "professionals", and I can tell you, 80% struggle to use their laptop docks, and struggle to change the meeting TVs to HDM1. People are reaaaaaallly dumb.
Think of how dumb you think they are, then septuple it. You just catalogued half of the people....
Keyloggers are the simplest, and easiest "viruses" and easily undetectable for 99.9% of IT population.
Edit: That wasn't me calling you dumb, I'm genuinely worried for your account, you shouldn't be getting 2FA for it with a gibberish 15 character password.
complicados t1_j1oxxrl wrote
I have super easy passwords on some of my gmail and other not that important accounts and don’t get login attempts, and yes I’d know because whenever I login to them on my own devices I get notified and need confirmation. You definitely have a key logger… time for malwarebytes or switch to a mac if windows is that difficult to keep secure for you
ZsaFreigh t1_j1p5z8v wrote
Yeah if your email has been "pwned" in a data breach (see haveibeenpwned.com) you'll never stop getting log in attempts from people credential stuffing your email address wherever they can. Which is why you should use different, strong passwords for every site you use, and an extra strong one for your email.
RandyDandyHoe t1_j1nprn1 wrote
Some platforms send log in attempts if the password is wrong, pretty sure. If you have a simple username then that might be the issue
Izzetmaster01 t1_j1nqxmg wrote
Steam doesn't do that....
EveryChair8571 t1_j1nt6li wrote
During lockdown the attempts on my accounts everywhere for everything were bananas
hecking-doggo t1_j1nz0bz wrote
My password is pretty iffy and I've had no attempts to hack my steam. Probably cuz I don't have much that hackers would want
Plokmijn27 t1_j1o98bp wrote
password strength has nothing to do with login attempts
login attempts are tracked regardless of whether or not someone put in the correct password
sy029 t1_j1o9mim wrote
I don't know if steam has a problem with it, but your biggest enemy is actually the employees themselves.
There's plenty of stories where someone got enough personal info to just call support for some website, reset the password, and be handed the keys.
jacobFunkhouser t1_j1oac53 wrote
There are ways to get your 2fa especially if it goes to your phone number. Probably won’t happen to a steam account but people have been known to figure out ways to sim swap or trick people into sending the code.
ContemplatingPrison t1_j1ogla7 wrote
Happens with my Venmo. I finally decided to change my password. But for days I was getting attempts to log in.
Which is fine I always delete my bank account and or card info when I am done using those types of account. I rarely use them.
I hate having my cards or account attached to a bunch of apps or services.
That_Ganderman t1_j1ol3ht wrote
2fa, 15+ character password, and not a fool about where I put my credentials into = I’ve never been hacked.
It’s really not that hard I don’t understand how people get hacked so often.
Another tip is if you’re going to use passwords multiple times, never use your important password(s) for sites that you don’t have a lot of trust in, security-wise.
GoodPointSir t1_j1p7c8i wrote
you'll still need it if you:
Break your phone and lose 2fa, and lose your recovery codes.
Still a very likely possibility, in fact it has happened to me before.
ProtonByte t1_j1q84z8 wrote
Helped a friend of mine recover his account when he lost the 2-fac Auth. Sometimes it just happens...
ZsaFreigh t1_j1n0mnv wrote
Who gets their steam account hacked these days? I can't even log in without a 2FA code that resets every 5-10 seconds.
MassExplosion213 t1_j1nkrxc wrote
It's not really password leaks for the most part nowadays. It's phishing campaigns, which show a fake Steam login page and also ask for 2FA. They then immediately log in (automatically) and save the token, which is what keeps you logged in. They then follow up by changing the password and removing all your devices.
sparoc3 t1_j1ofc90 wrote
My steam was hacked with a shit load of other websites where I have activated 2FA were hacked as well, the insane thing is I never even received the 2FA mails. But the hackers just changed PW and even email in some case. I'm sure it wasn't a key logger because the pw were just saved and I never put it in.
ZsaFreigh t1_j1oj7mr wrote
If your email shared a password with any of those accounts on compromised sites they would have access to your emails too, and be able to get to the 2FA and delete the email before you even knew it arrived. With Steam Guard though, it's not connected to email or a phone number, it's an app on your mobile device, so the only way to get in would be to physically steal your device first. Edit: or trick you into giving them the 2FA code, as another user said.
sparoc3 t1_j1okkx4 wrote
>If your email shared a password with any of those accounts on compromised sites they would have access to your emails too, and be able to get to the 2FA and delete the email before you even knew it arrived.
Nope, it was different. That's what got me so perplexed. Maybe they just stole all pw saved on browser still doesn't explain lack of 2fa mail.
And how does one get tricked into giving 2fa lol. The same kind of people who share CC details with strangers.
One of my other email was hacked too, and the hacker is still trying to get in, it was a burner account so I don't care but steam keeps sending me 2fa mail which was conspicuously absent for my main account.
Steam guard is too much of a PITA cuz steam just keeps kicking the account off from phone and I had to re-login every time, I had it for a couple of months but then went back.
stoneagerock t1_j1os2dr wrote
Download Authy, or one of the plethora of other mobile Authenticator apps. Unfortunately can’t stop you from getting your creds phished by a fake page.
For that you need something like a FIDO2 key that supports key domain binding
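Added example (not part of the thread): why a TOTP code from an authenticator app can still be phished while an origin-bound assertion cannot be replayed from a look-alike page. The TOTP function follows RFC 6238; the assertion part is a simplified model of WebAuthn's origin check that uses HMAC in place of the real public-key signature, and the origins, keys and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): depends only on the shared secret and the clock."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check; tolerates one time step of clock drift either way."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * step, step, len(code)), code)
               for d in range(-window, window + 1))


def authenticator_assert(credential_key: bytes, challenge: bytes, browser_origin: str) -> dict:
    """The browser, not the user, supplies the origin that gets signed."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": browser_origin},
                             sort_keys=True).encode()
    # HMAC stands in for the authenticator's public-key signature (assumption).
    return {"client_data": client_data,
            "signature": hmac.new(credential_key, client_data, hashlib.sha256).digest()}


def rp_verify(credential_key: bytes, challenge: bytes, expected_origin: str, assertion: dict) -> bool:
    """Relying party: check the signature, then the signed challenge and origin."""
    expected = hmac.new(credential_key, assertion["client_data"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False
    data = json.loads(assertion["client_data"])
    return data["challenge"] == challenge.hex() and data["origin"] == expected_origin


GENUINE_ORIGIN = "https://store.example"         # constructed
LOOKALIKE_ORIGIN = "https://store-example.test"  # constructed


def relay_outcomes(now: int = 1_700_000_000) -> dict:
    """What the genuine server accepts when the second factor was produced elsewhere."""
    totp_secret = b"constructed-totp-seed"
    credential_key = b"constructed-credential-key"
    challenge = hashlib.sha256(b"constructed login challenge").digest()

    code = totp(totp_secret, now)  # the code carries no record of where it was typed
    on_genuine = authenticator_assert(credential_key, challenge, GENUINE_ORIGIN)
    on_lookalike = authenticator_assert(credential_key, challenge, LOOKALIKE_ORIGIN)
    return {
        "totp_forwarded_5s_later": verify_totp(totp_secret, code, now + 5),
        "assertion_from_genuine_page": rp_verify(credential_key, challenge, GENUINE_ORIGIN, on_genuine),
        "assertion_from_lookalike_page": rp_verify(credential_key, challenge, GENUINE_ORIGIN, on_lookalike),
    }


if __name__ == "__main__":
    for name, accepted in relay_outcomes().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```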
sparoc3 t1_j1oul5b wrote
Naah I wasn't phished, I downloaded Adobe Reader crack and then nearly every account of mine was compromised. There's no way they went and reset every account, they must have simply extracted it from browser.
Now I'm using authy tho.
stoneagerock t1_j1pz3ku wrote
Sounds like you got tricked into downloading a keylogger.. only once!
sparoc3 t1_j1pzevt wrote
Idk if you followed the comment thread, I never entered any password everything was saved.
hitemlow t1_j1ortms wrote
> Steam guard is too much of a PITA
Ah ha! So you don't have 2FA enabled if you disabled Steam Guard.
sparoc3 t1_j1osnxv wrote
Both are different, steam still sends 2FA on mail, guard is only sent on phone.
hitemlow t1_j1ot238 wrote
Having email confirmation is basically worthless if your email was compromised. SMS is only slightly better in that they have to hack 2 devices or do a SIM swap scam. If you're not using Steam Guard through the app, you don't have 2FA.
sparoc3 t1_j1ots5c wrote
>Having email confirmation is basically worthless if your email was compromised.
That doesn't mean it's not 2FA.
My gripe is how the fuck did they get my steam password at all.
>If you're not using Steam Guard through the app, you don't have 2FA.
Two factor authentication simply means 'two' means of authentication, first is password and the second is the code received on email.
Steam guard is an additional thing that necessitates you should be in possession of a particular phone. It's more than 2FA and more secure, and can be said to be 3FA.
Every site on this world sends you code on mail/phone number when 2FA is activated.
dear_hearts t1_j1yc039 wrote
Same, my steam was hacked. I wasn’t phished because I’ve never put my steam acct or pass into browser and I don’t have any malware. My steam pass was unique to steam and they got in despite me having 2FA.
Steam support said it is possible to get in without 2FA but they would have to have my password and login. I also have a notification on my iPhone saying that password was in a data breach but Steam denied a breach and said I must have used the password somewhere else.
They didn’t even change my password, only user name and language which is how I noticed because my steam sale emails started coming in Thai.
sparoc3 t1_j1yc3rc wrote
I had like $5 in wallet, fuckers spent it on skins.
dear_hearts t1_j1ydbou wrote
I didn’t have anything in mine because it was linked to my PayPal (which I guess they didn’t have access to) But they logged in and out 5 times over a few days from two different locations in China.
I’m just annoyed with steam for being so shady about 2FA. Also why would anyone go into my account, change the language to Thai and the username to something in Chinese?
[deleted] t1_j1o6b30 wrote
[removed]
XOIIO t1_j1nq45h wrote
LPT set up two factor with your phone.
045675327 t1_j1n3jup wrote
Still have a card with my half life 2 code on it, came with my ATI 9600xt graphics card.
aggr1103 t1_j1pnbst wrote
I still have my original HL2 CDs as well as a retail copy of counter strike and the orange box. Just in case I need them to get back into my account.
zivlynsbane t1_j1nqmnx wrote
2auth has come in clutch. Make sure you have it on whenever possible, sure it’s a hassle of putting in a 6 digit pin that gets sent to your messages but beats being hacked freely.
NimbleVaseline t1_j1nsq22 wrote
LPT: Enable 2FA and have unique passwords
pm_me_your_rigs t1_j1o7up4 wrote
Is there even an option in Steam to turn off 2 fa?
hitemlow t1_j1orzqr wrote
Unfortunately it's necessary when you change phones. You have to turn off Steam Guard, deauthorize your old phone, log in on your new phone, and reactivate Steam Guard.
Though there are people that just leave it off and that's frankly their own damn fault.
-SpiderBoat- t1_j1nr6ay wrote
That's a bit scary. What if you buy a game from a reseller website. Can that reseller then recover your account using that code and some social engineering?
Ally_Nyan_Art t1_j1pvff8 wrote
That's my thought. Or even a code giveaway where first to enter code gets it.
CharlyXero t1_j1pz8n9 wrote
Nah. When you try to recover your account with those methods, the Support Team usually checks the IP and other things to see if it looks suspicious.
aMac_UK t1_j1nj9mi wrote
Accounts don’t get “hacked”. People just have terrible passwords or security.
Necrowanker t1_j1nk38h wrote
You surely know what they mean when they say "hacked". No one thinks someone got into their accounts through sheer IT skills lol
aMac_UK t1_j1nl5c3 wrote
I mostly just object to people using the term “hacked” because it absolves blame on their part.
I was “hacked” and not “I use the same easily guessed password everywhere and my security questions are easily looked up facts” or “I entered my details into a random website and I don’t have two-factor authentication enabled”
PyroDesu t1_j1nxrx1 wrote
Security questions are pretty much always about easily looked up facts. Social media has rendered them non-secure if they're used as intended.
(I personally put "answers" that are the same alphanumeric-symbolic garbage as my passwords, and save them in the notes section of my password manager entry.)
Necrowanker t1_j1nz3jm wrote
Non sequitur answers are your best friend here I think. At least for me
Aggressive_Chain_920 t1_j1ny6ln wrote
Hacked is a wide term nowadays. It has a different meaning than it originally did.
Necrowanker t1_j1nlhz2 wrote
I don't think people are taught enough about cyber security to bother with semantics but I get you. I try to encourage people to put 2fa on but it mostly falls on deaf ears
[deleted] t1_j1nmzvd wrote
[removed]
[deleted] t1_j1okygz wrote
[removed]
HYPERBOLE_TRAIN t1_j1nn7el wrote
Sounds a bit like a superiority complex, if I’m being honest.
Mataskarts t1_j1nq8zt wrote
This is one of the rare cases where it's a valid one.
Use 2FA ffs, not doing so is plain stupid.
Necrowanker t1_j1nzj95 wrote
You're right but people should still be aware that their accounts can still be breached through other methods, such as certain kinds of malware and phishing attacks. 2fa helps so much but it's not invincible
Mataskarts t1_j1nzvga wrote
2fa sorta eliminates the pure malware risk unless somehow you get both your phone AND PC infected with the same one designed solely to get steam accounts.
But yeah phishing and social engineering are by far the most common ways of "hacking" or stealing steam accounts. If you can't bypass the systems - just ask the user nicely for all the info instead. Or threaten their family, that works too.
[deleted] t1_j1o06zl wrote
[removed]
cryospam t1_j1o1n9d wrote
So if I had the inclination to and was able to figure out how to steal someone's account, I should use a gift card on it so I can re-steal it back when the other person grabs it from me.
Good idea.
/s
keepthetips t1_j1md2hu wrote
Hello and welcome to r/LifeProTips!
Please help us decide if this post is a good fit for the subreddit by up or downvoting this comment.
If you think that this is great advice to improve your life, please upvote. If you think this doesn't help you in any way, please downvote. If you don't care, leave it for the others to decide.
[deleted] t1_j1nihmc wrote
[removed]
[deleted] t1_j1nkfsx wrote
[removed]
[deleted] t1_j1nokx8 wrote
[removed]
AmenoMiragu t1_j1nx8wg wrote
Sounds like you can buy a gift card for yourself for this occasion
[deleted] t1_j1ox6m6 wrote
[deleted]
Polydipsiac t1_j1p2tfn wrote
Know there’s a phishing scam going on where someone will say they accidentally reported your profile for a marketplace transaction
Kilbo_Fragginz t1_j1pi7mm wrote
Somewhat related to this: keep game activation codes as well. Managed to recover my old account by giving steam support my Skyrim code. Enabled 2FA afterwards ofc.
des1737 t1_j1pihzu wrote
I've seen a guy few days ago, who locked comments on his profile and placed gift codes in there. stupid ass move
jeverboy t1_j1piulg wrote
Kids remember use 2FA and never ever, ever use your passwords on multiple sites/Accounts and if you cannot be arsed to do that, please at least have a unique password for your email account. If your email account gets hijacked because you got phished on another account that has the same password, you are then in for a lot of fuckery.
Whane17 t1_j1pj8t0 wrote
15 years on Steam I just got my first one of these for Christmas and it only has 10 numbers on it. I need to get in touch with support to find out WTF and get my 20$ LOL
CoverSuch4933 t1_j1q4ptr wrote
Better yet give ME the code to hold on for you
[deleted] t1_j1qeqld wrote
[removed]
MissChief04 t1_j1u4c8v wrote
This and the oldest information on your account. For example the very first email address, phone number registered on the account or payment method.
If your account has been hacked before and then you add the gift card after the fact (after you got your account back), it's not going to be that reliable proof for support. Steam account ownership always goes to the account creator. There are multiple users who got denied access after getting hacked because the info provided is too recent. So best possible way to prove ownership is providing the oldest info possible
Snagmesomeweaves t1_j1mf29k wrote
Better yet, use 2 factor authentication…. And a long pass phrase…..