Steam Guard Didn’t Protect My Account
Hey everyone,

I’ve had my Steam account for almost 10 years (Level 70, worth over $1500, 6,490+ hours played). Rust was my main game with 838 hours, all DLCs, and 50+ skins.

Even with Steam Guard Mobile Authenticator enabled, my account was still hijacked. While the hijacker had access, they deleted friends’ comments, uploaded offensive content, and cheated in Rust — which left me with a permanent EAC ban.

I’ve since changed all passwords, enabled email 2FA, revoked API keys, deauthorized devices, and scanned my PC for malware. The account is secure now, but the damage is done. Facepunch won’t reverse the ban.

Has anyone else here had their account compromised even with Steam Guard on? Did you ever find out how it happened?

Thanks.
Showing 1-15 of 16 comments
Dan5000 25 Aug @ 10:33pm 
Ofc it does not. If you give the key to someone else, that other person can enter. Steam Guard can only be bypassed, if you leaked your information through 3rd party sites or malware stealing your info. It happens all the time, multiple threads daily, because people think a 2fa is a magic tool that will protect you against everything.

My usual copy/pasta for hijacked people:

Follow all these instructions, otherwise you can't be sure that no one is still on your account:

1. Scan for malware https://www.malwarebytes.com/
2. Check that the email and phone number on the Steam account are still yours.
3. Deauthorize all other devices https://steamhost.cn/twofactor/manage
4. Change passwords from a trusted/clean device.
5. Generate new backup codes for your Mobile App https://steamhost.cn/twofactor/manage
6. Revoke the API key https://steamhost.cn/steamcommunity_com/dev/apikey (there should be nothing in the APIKEY)

There are only 3 ways for others to get into your account:

1. You either got infected and had malware steal your active session, which means Steam thinks it is your own doing. (Or you logged in on another infected machine)

2. You entered your login + Steam Guard code somewhere you were not supposed to. (Scanning the QR code to login does the same)

3. Someone else has/had physical access to your devices. (Or you forgot to logout after being in an internet café etc.)

You can't deny all 3 of these, it's impossible to get into your account otherwise.

Stolen wallet or items that way will not be refunded, as it is the user's responsibility to make sure their accounts are safe.
iheb ab 25 Aug @ 10:39pm 
Originally posted by Dan5000:
Ofc it does not. If you give the key to someone else, that other person can enter. Steam Guard can only be bypassed, if you leaked your information through 3rd party sites or malware stealing your info. It happens all the time, multiple threads daily, because people think a 2fa is a magic tool that will protect you against everything.

My usual copy/pasta for hijacked people:

Follow all these instructions, otherwise you can't be sure that no one is still on your account:

1. Scan for malware https://www.malwarebytes.com/
2. Check that the email and phone number on the Steam account are still yours.
3. Deauthorize all other devices https://steamhost.cn/twofactor/manage
4. Change passwords from a trusted/clean device.
5. Generate new backup codes for your Mobile App https://steamhost.cn/twofactor/manage
6. Revoke the API key https://steamhost.cn/steamcommunity_com/dev/apikey (there should be nothing in the APIKEY)

There are only 3 ways for others to get into your account:

1. You either got infected and had malware steal your active session, which means Steam thinks it is your own doing. (Or you logged in on another infected machine)

2. You entered your login + Steam Guard code somewhere you were not supposed to. (Scanning the QR code to login does the same)

3. Someone else has/had physical access to your devices. (Or you forgot to logout after being in an internet café etc.)

You can't deny all 3 of these, it's impossible to get into your account otherwise.

Stolen wallet or items that way will not be refunded, as it is the user's responsibility to make sure their accounts are safe.


Yeah, I get it — Steam Guard isn’t magic. If you hand over your login or get hit with malware, it won’t protect you. In my case I did log into a third-party site once (Rustly), and I guess that was basically me giving away the keys.

I’ve already gone through all the steps you listed: malware scans, new Steam + email passwords, 2FA on email, deauthorized all devices, revoked the API key. Everything should be clean now, but the damage is permanent — my Rust account is gone for good with an EAC ban.

Lesson learned the hard way: Steam Guard can only do so much, and one mistake with a shady site can cost you years of progress.
Originally posted by iheb ab:
Originally posted by Dan5000:
Ofc it does not. If you give the key to someone else, that other person can enter. Steam Guard can only be bypassed, if you leaked your information through 3rd party sites or malware stealing your info. It happens all the time, multiple threads daily, because people think a 2fa is a magic tool that will protect you against everything.

My usual copy/pasta for hijacked people:

Follow all these instructions, otherwise you can't be sure that no one is still on your account:

1. Scan for malware https://www.malwarebytes.com/
2. Check that the email and phone number on the Steam account are still yours.
3. Deauthorize all other devices https://steamhost.cn/twofactor/manage
4. Change passwords from a trusted/clean device.
5. Generate new backup codes for your Mobile App https://steamhost.cn/twofactor/manage
6. Revoke the API key https://steamhost.cn/steamcommunity_com/dev/apikey (there should be nothing in the APIKEY)

There are only 3 ways for others to get into your account:

1. You either got infected and had malware steal your active session, which means Steam thinks it is your own doing. (Or you logged in on another infected machine)

2. You entered your login + Steam Guard code somewhere you were not supposed to. (Scanning the QR code to login does the same)

3. Someone else has/had physical access to your devices. (Or you forgot to logout after being in an internet café etc.)

You can't deny all 3 of these, it's impossible to get into your account otherwise.

Stolen wallet or items that way will not be refunded, as it is the user's responsibility to make sure their accounts are safe.


Yeah, I get it — Steam Guard isn’t magic. If you hand over your login or get hit with malware, it won’t protect you. In my case I did log into a third-party site once (Rustly), and I guess that was basically me giving away the keys.

I’ve already gone through all the steps you listed: malware scans, new Steam + email passwords, 2FA on email, deauthorized all devices, revoked the API key. Everything should be clean now, but the damage is permanent — my Rust account is gone for good with an EAC ban.

Lesson learned the hard way: Steam Guard can only do so much, and one mistake with a shady site can cost you years of progress.

The valid Rustly.com uses the OpenID protocol for secure federated login. No details of your password or method of login to your Steam account are shared. During the OpenID process, you should have been redirected to a URL that begins with:
steamhost.cn/steamcommunity_com/openid/login?

It might be that you were at a website that looked/felt like Rustly and signed into a fake phishing login that used a Steam-looking domain name. But that wouldn't have been the official Rustly website then.

The problem with Steam Guard is that it does not do any verification of the domain. It is completely blind to whether you are on the official site or a phishing site.

The solution to this problem has been Passkey. Adoption of passkey has been slow which includes Valve not yet supporting it.

If you are looking for more information to try to appeal to Facepunch or to provide to Steam to stop this from happening to someone else, I would recommend going through your browser history. Someplace in that history is probably an incorrectly spelled rustly.com website which is what got your authentication information used in phishing.
Originally posted by Fluke:
Originally posted by iheb ab:


Yeah, I get it — Steam Guard isn’t magic. If you hand over your login or get hit with malware, it won’t protect you. In my case I did log into a third-party site once (Rustly), and I guess that was basically me giving away the keys.

I’ve already gone through all the steps you listed: malware scans, new Steam + email passwords, 2FA on email, deauthorized all devices, revoked the API key. Everything should be clean now, but the damage is permanent — my Rust account is gone for good with an EAC ban.

Lesson learned the hard way: Steam Guard can only do so much, and one mistake with a shady site can cost you years of progress.

The valid Rustly.com uses the OpenID protocol for secure federated login. No details of your password or method of login to your Steam account are shared. During the OpenID process, you should have been redirected to a URL that begins with:
steamhost.cn/steamcommunity_com/openid/login?

It might be that you were at a website that looked/felt like Rustly and signed into a fake phishing login that used a Steam-looking domain name. But that wouldn't have been the official Rustly website then.

The problem with Steam Guard is that it does not do any verification of the domain. It is completely blind to whether you are on the official site or a phishing site.

The solution to this problem has been Passkey. Adoption of passkey has been slow which includes Valve not yet supporting it.

If you are looking for more information to try to appeal to Facepunch or to provide to Steam to stop this from happening to someone else, I would recommend going through your browser history. Someplace in that history is probably an incorrectly spelled rustly.com website which is what got your authentication information used in phishing.

Yeah, that actually makes a lot of sense. I probably didn’t land on the real Rustly but on a phishing lookalike site. At the time it felt legit, but if it was a fake domain then I basically handed over my login details without realizing it.

You’re right about Steam Guard too — it doesn’t verify domains, so if you type your info into the wrong page, it can’t protect you. Passkeys sound like a much better system, shame Valve hasn’t rolled that out yet.

I’ll definitely dig through my browser history to see if I can find the exact phishing site. If I can show that to Steam or Facepunch, maybe it’ll at least help prove I wasn’t the one cheating.
All third party skin trading/gambling sites are scams.
Originally posted by Callahan420:
All third party skin trading/gambling sites are scams.

Yeah, you’re right. I learned that the hard way — I logged into Rustly once and that’s what ended up costing me my account. Steam Guard can’t save you if you hand over your info on a shady site. One mistake and I lost 800+ hours, 50+ skins, and all my Rust DLC. Never again.
Are you kidding me? I'm beginning to think phones aren't so secure..

Surely you can appeal the ban, since it's not your fault.
Last edited by 𝓁 λ 𝓂 𝒷 𝒹 𝒶🌴; 21 hours ago
Originally posted by 𝓁 λ 𝓂 𝒷 𝒹 𝒶🌴:
Are you kidding me? I'm beginning to think phones aren't so secure..

Surely you can appeal the ban, since it's not your fault.

It's not the security that's the issue, it's the account owner giving away their login information by logging into 3rd party sites.

I'm not sure if Facepunch would reverse the ban, even on appeal, as they will hold the account owner responsible for the breach, just as Valve does.
Originally posted by datCookie:
Originally posted by 𝓁 λ 𝓂 𝒷 𝒹 𝒶🌴:
Are you kidding me? I'm beginning to think phones aren't so secure..

Surely you can appeal the ban, since it's not your fault.

It's not the security that's the issue, it's the account owner giving away their login information by logging into 3rd party sites.

I'm not sure if Facepunch would reverse the ban, even on appeal, as they will hold the account owner responsible for the breach, just as Valve does.

Love to believe that - with their automated flagging system, I'm sure we'll all sleep a lot better.. pfft!

https://www.youtube.com/watch?v=G9QTgcJk2wM

Genuinely though, I'd love to believe security is not an issue. Funny, I've heard a bit different.
Last edited by 𝓁 λ 𝓂 𝒷 𝒹 𝒶🌴; 21 hours ago
Originally posted by 𝓁 λ 𝓂 𝒷 𝒹 𝒶🌴:
Originally posted by datCookie:

It's not the security that's the issue, it's the account owner giving away their login information by logging into 3rd party sites.

I'm not sure if Facepunch would reverse the ban, even on appeal, as they will hold the account owner responsible for the breach, just as Valve does.

Love to believe that - with their automated flagging system, I'm sure we'll all sleep a lot better.. pfft!

Responsibility for account security has ALWAYS been on the account owner. If you give away your login information, knowingly or not, that is YOUR fault and YOU are the reason the account was hijacked.

People's accounts don't just get randomly hacked, because if it was so easy to do, these hackers would be targeting a lot more than just random Steam accounts.

I sleep easy every night knowing my account is safe, because I have been responsible with the security of it.
Originally posted by iheb ab:
Even with Steam Guard Mobile Authenticator enabled, my account was still hijacked.
Because during the phishing process the malicious website will use your acquired login data to trigger the 2FA, which will have Steam send you the necessary data to authorize the new login coming from the malicious website. And then you authorize the malicious website to access your account - a second time. That is how it works. That is why you have to pay attention.
And the way how you avoid it is simply to never type your login data into any website other than the real Steam URL that you typed in yourself.

Originally posted by iheb ab:
Lesson learned the hard way: Steam Guard can only do so much, and one mistake with a shady site can cost you years of progress.
The thing is you can lose all your real world savings if you don't understand how phishing works, as these attacks are not limited to Steam. Mails, letters, phone calls, QR codes, messages, Discord... the dangers are everywhere.
Originally posted by datCookie:
Originally posted by 𝓁 λ 𝓂 𝒷 𝒹 𝒶🌴:

Love to believe that - with their automated flagging system, I'm sure we'll all sleep a lot better.. pfft!

Responsibility for account security has ALWAYS been on the account owner. If you give away your login information, knowingly or not, that is YOUR fault and YOU are the reason the account was hijacked.

People's accounts don't just get randomly hacked, because if it was so easy to do, these hackers would be targeting a lot more than just random Steam accounts.

I sleep easy every night knowing my account is safe, because I have been responsible with the security of it.

Look mate, I don't really have any interest in chatting with you (because of other conversations), sorry.

You're saying this chap has signed in to 3rd party sites? Either you know something I don't or I missed that part in the OP.

Either way, it's a real bummer, sounds unfair. There are probably ways to prove it, I'd guess. No point in engaging in conjecture, you can just ask or tell the OP, instead of me..

I don't want a back-n-forth about Steam security. I've heard from multiple videos, Steam security isn't that great, I chose to believe it's good like Microsoft's and that sometimes folk make mistakes.

Good day sir.
Originally posted by 𝓁 λ 𝓂 𝒷 𝒹 𝒶🌴:

Look mate, I don't really have any interest in chatting with you (because of other conversations), sorry.

You're saying this chap has signed in to 3rd party sites? Either you know something I don't or I missed that part in the OP.

Either way, it's a real bummer, sounds unfair. There are probably ways to prove it, I'd guess. No point in engaging in conjecture, you can just ask or tell the OP, instead of me..

I don't want a back-n-forth about Steam security. I've heard from multiple videos, Steam security isn't that great, I chose to believe it's good like Microsoft's and that sometimes folk make mistakes.

Good day sir.

You missed that part, but it wasn't in the OP.

Originally posted by iheb ab:
Originally posted by Callahan420:
All third party skin trading/gambling sites are scams.

Yeah, you’re right. I learned that the hard way — I logged into Rustly once and that’s what ended up costing me my account. Steam Guard can’t save you if you hand over your info on a shady site. One mistake and I lost 800+ hours, 50+ skins, and all my Rust DLC. Never again.

Here above they admit to logging into a 3rd party site...
Originally posted by datCookie:
Originally posted by 𝓁 λ 𝓂 𝒷 𝒹 𝒶🌴:

Look mate, I don't really have any interest in chatting with you (because of other conversations), sorry.

You're saying this chap has signed in to 3rd party sites? Either you know something I don't or I missed that part in the OP.

Either way, it's a real bummer, sounds unfair. There are probably ways to prove it, I'd guess. No point in engaging in conjecture, you can just ask or tell the OP, instead of me..

I don't want a back-n-forth about Steam security. I've heard from multiple videos, Steam security isn't that great, I chose to believe it's good like Microsoft's and that sometimes folk make mistakes.

Good day sir.

You missed that part, but it wasn't in the OP.

Originally posted by iheb ab:

Yeah, you’re right. I learned that the hard way — I logged into Rustly once and that’s what ended up costing me my account. Steam Guard can’t save you if you hand over your info on a shady site. One mistake and I lost 800+ hours, 50+ skins, and all my Rust DLC. Never again.

Here above they admit to logging into a 3rd party site...

Solid. I haven't read that part. I'm just back in - I just had an issue, had to dive out the door..

Cheers ears!
Same logic when buying antivirus protection: it can't stop you from clicking the file and downloading it.