What is the point of 2FA or Steam mobile authenticator if you can do this?
Yesterday while I was working, Steam sent me an SMS that says:
"Steam: Support has removed this number from the account *****. Contact us if you didn't request this."

I was confused, but I added my phone number back via my Steam app and changed my password, and I dug through my email and found this:

Email: ******@gmail.com
Ticket: HT-4P7R-5K27-?,;:
Your help request: My two-factor device is lost or broken
Related to: Steam
Message from you on Jul 26 @ 8:55am | 1 day and 7 hours ago

Steam Account Username: *****
First Email Used: *****@g***m
Phone Number Used on Account: *******XXXX
Type of Card: ****
Last 4 of Card: ****
Name on Card: **************ATN
CD Key: **********************************************************************KKGK
Good day!
My name is takoon
I am a Steam customer
My account in Steam login is *****
Some time ago I bought myself a new phone and gifted my old one to a friend
I forgot that I have steam authenticator there.
Can you please delete it from my old device so I can connect the new one?
Thanks in advance and have a good day

And a reply from Steam:
Message from Steam Support on Jul 26 @ 3:28pm | 1 day ago
Hello,

Thank you for contacting Steam and the information you provided.

After investigation, we have confirmed that you are the account owner.

I've removed the authenticator from your account. Please note that doing this also removed your phone number.

You will need to re-enable it from your device if you would like to use it again. We strongly encourage you to make use of the authenticator to safeguard your account. Please remember to record your recovery code should you enable it again.

Please note, that Steam Guard resets apply a 15-day cooldown for trading and Market transactions to your account. Steam Support is unable to remove this restriction.

For more information and answers to common questions, please visit our Steam Guard Mobile Authenticator FAQ.

Steam Support
Jillian

So Support did remove my phone number based on some random dude sending them a ticket.

After I added my phone number back and changed my password, I replied to them with this:
Message from you on Jul 26 @ 3:35pm | 1 day ago
Unfortunately I didn't change my phone or buy a new one. I'm currently changing my E-mail password and Steam password and also re-installing my authenticator with my previous unchanged phone number.

The e-mail that you got might be from a scam of hacker I think.
Message from you on Jul 26 @ 3:48pm | 1 day ago
Can you track how the ticket was sent to you? I checked my e-mail and there was no mail sent from me. Also my Steam Guard didn't even pick up any login attempt when this happened, which it normally would.

Support replied back to me:
Message from Steam Support on Jul 26 @ 10:05pm | 18 hours ago
Hi,

It doesn't look like your account's security has been compromised.

If you believe someone has access to your account or you'd like to change your password.

As we can see here, you've already reset your password and re-added your phone number to the account.

If you're concerned about security, check out our Security Recommendations article. We also highly recommend that you enable a Steam Guard Mobile Authenticator.

If you have any further questions, please let us know - we will be happy to assist you.

Steam Support
Belle

I felt relieved and thought everything was done, but to my surprise TODAY my phone number was removed by Support again!
Here is what is in the log of that ticket:

Message from you on Jul 27 @ 10:31am | 6 hours ago
Help me delete the number and change the email address to tranrobert7401@outlook.com ( for safety )

I'm not censoring whoever this email is because it's clearly not mine and it has clear malicious intention.

But despite having all the previous logs, Steam Support replied:
Thank you for your reply.

I've updated your account's email address to match the address that you provided.

I've also removed the authenticator from your account. Please note that doing this also removed your phone number.

You will need to re-enable it from your device if you would like to use it again. We strongly encourage you to make use of the authenticator to safeguard your account. Please remember to record your recovery code should you enable it again.

Please note that Steam Guard resets apply a 15-day cooldown for trading and Market transactions to your account. Steam Support is unable to remove this restriction.

For more information and answers to common questions, please visit our Steam Guard Mobile Authenticator FAQ.

If you have any questions, please let us know at any time.

Steam Support
Doris

Nice job Doris, now anything that might GUARD me from any hacking attempt is gone and you're just perfectly handing them a way to change my password freely.
The only way to top that is you changing my password and e-mailing it to them yourself or posting it on some open thread.

I mean, if you follow the conversation from the start, Doris should have noticed that it's super weird and fishy to remove the authenticator 2 days in a row and add it back again immediately, and also to change my email the 2nd time too, but he/she did it anyway.

I'm closing the ticket now because obviously talking to them and hoping that they will realise when the attacker attempted to gain access to the account, and tracking them or banning them, is never gonna happen.

I hope closing the ticket may prevent them from having access to any further movement.

I'm posting this out of frustration from how easy it could get to bypass your 2FA.
Really DISAPPOINTED.

Will update later whether this matter is really resolved or not.

PS. I'm posting from my phone so I'll try to post my screenshot of that ticket later.
Last edited by EradicateR; 27 Jul @ 6:14am
Showing 1-13 of 13 comments
eram 27 Jul @ 3:14am 
remove your personal info from the post
Originally posted by eram:
remove your personal info from the post
Thanks, I'm removing my info and leaving only 'not my info' right now.
Originally posted by EradicateR:
So Support did remove my phone number based on some random dude sending them a ticket.
It's more likely that they did this because of a message coming from one of your known and secured devices. Assumingly an API key gone rogue.

Originally posted by EradicateR:
Nice job Doris, now anything that might GUARD me from any hacking attempt is gone and you're just perfectly handing them a way to change my password freely.
First: your password is still there. And once again you're conveniently leaving out information, such as the fact that all this transpired from already known ("registered") contact information.
The person removing the authenticator would need to prove ownership of the account. This means they have your information.


Do ALL of these. Every single one.

1. Scan for malware https://www.malwarebytes.com/
2. Check that the email and phone number on the Steam account are still yours
3. Deauthorize all other devices https://steamhost.cn/twofactor/manage
4. Change passwords from a trusted/clean device
5. Generate new backup codes for your Mobile App https://steamhost.cn/twofactor/manage
6. Revoke the API key https://steamhost.cn/steamcommunity_com/dev/apikey (there should be nothing in the APIKEY)
7. Make sure your steam recovery email account is secure

Then do similar for your email address you use with Steam, because your information from somewhere...
They should run this across a bank or something.

I would like an optional 15-day lockdown on starting games if Steam Support is this easy to use to bypass security.
Last edited by McFlurry Butts; 27 Jul @ 4:18am
If you really kept personal info in the post before you redacted it then no ♥♥♥♥ you got hacked like that.
Originally posted by ShelLuser:
First: your password is still there. And once again you're conveniently leaving out information, such as the fact that all this transpired from already known ("registered") contact information.

And that's a problem: 'Only password remains'. A password which can be reset by an e-mail.
If the process were to happen while I was asleep and the attacker was awake, my ID might just be gone forever.
Originally posted by $$ rubique $$:
If you really kept personal info in the post before you redacted it then no ♥♥♥♥ you got hacked like that.
My frustration got ahead of me and I do regret that.
Kargor 27 Jul @ 4:44am 
Originally posted by ShelLuser:
Assumingly an API key gone rogue.

API keys have limited "power"; I tend to assume these cases are a simple "fake login" situation, where the attacker got an actual login key.

I'm still confused about posts claiming that items have been traded away without them knowing; even a login key cannot do that. Likewise, certain changes to an account WILL trigger 2FA as well.
The point of Steam guard is the same as every other 2FA, it provides an extra code. It's not a magical shield or anything.

Originally posted by EradicateR:
Originally posted by ShelLuser:
First: your password is still there. And once again you're conveniently leaving out information, such as the fact that all this transpired from already known ("registered") contact information.

And that's a problem: 'Only password remains'. A password which can be reset by an e-mail.
If the process were to happen while I was asleep and the attacker was awake, my ID might just be gone forever.
As long as you keep your stuff safe, nobody can reset your password.

The problem is the user, nothing else.
You did something like going onto a dodgy website or falling for a scam, which does not surprise me when you posted your personal information on a public forum then took ages to edit it out. Do you know what's really baffling though? You edited out your personal information but left your Steam account name there... Come on man, Jfc.
Last edited by Amber Baal; 27 Jul @ 6:22am
Originally posted by Amber Baal:
You did something like going onto a dodgy website or falling for a scam, which does not surprise me when you posted your personal information on a public forum then took ages to edit it out, and do you know what's really baffling? You edited out your personal information but left your Steam account name there... Come on man, Jfc.
Thanks for pointing that out, I did miss that one.
Assuming you aren't being fooled with some kind of fake tickets in your email, and these are actual support requests in the Steam client, that you can see when you click "View My Recent Steam Support requests" under the Steam Support menu, then there is only so much Valve can do in the case that your phone is hacked. They're sending these requests from your phone or a clone of its Steam app data.

Your mistake in this case was connecting your zephyr to the internets.