Session Hijacks Security Breach
Hi everyone,

I recently had an issue where my Steam Wallet funds were spent without my knowledge on overpriced Community Market items. What’s concerning is that:

I had Steam Guard enabled.

There were no new device logins.

I received no email or mobile alerts.

Steam Support confirmed my account was compromised, but said Community Market purchases “cannot be refunded.”

After running full malware scans (Windows Defender + Malwarebytes), checking startup processes, and monitoring network activity, I found no evidence of malware or suspicious outbound connections on my PC. All Steam traffic went only to verified Valve/Akamai servers.

This strongly suggests a session hijack — attackers can reuse an existing Steam login session (token/cookie) without triggering Steam Guard or login notifications. This would explain how purchases can be made silently, even with Steam Guard enabled.

🔎 The problem:

Selling items requires a confirmation step.

But Community Market purchases use wallet funds instantly with no extra confirmation.

If a session is hijacked, attackers can drain wallet balances without the account owner ever being notified.

💡 Suggestion:
Add an optional setting (or default) where Steam Guard confirmation is required for Community Market purchases, just like it is for trades. This would protect against session hijacks and give users a chance to block fraudulent transactions before money is lost.

Given that reports of this kind of issue have been circulating since at least 2021, I think it’s time this was addressed.

Thanks for reading, and I hope Valve takes this feedback seriously — it would help protect all of us.
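To make the gap described in this post concrete, here is an added toy model (not code from the post or from Valve) contrasting a wallet purchase that trusts the session cookie alone with one that also demands a fresh, single-use, action-bound second-factor confirmation, as trades already require. The Account class, CONFIRM_WINDOW and the token formats are assumptions for illustration only.

```python
import secrets
import time

# Constructed model of the two policies: a replayed session cookie is enough
# to spend wallet funds, versus requiring an out-of-band confirmation too.
CONFIRM_WINDOW = 300  # seconds a device confirmation stays valid (assumed)


class Account:
    def __init__(self, wallet):
        self.wallet = wallet
        self.sessions = set()     # opaque session tokens (the "cookie")
        self.confirmations = {}   # confirmation token -> (action, expiry)

    def login(self):
        # Password and Steam Guard are checked here; the result is just a cookie.
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def confirm_on_device(self, action, now=None):
        # Approval from the authenticator app, bound to exactly one action.
        now = time.time() if now is None else now
        tok = secrets.token_hex(16)
        self.confirmations[tok] = (action, now + CONFIRM_WINDOW)
        return tok


def buy_cookie_only(acct, session, price):
    """Policy the post describes: a stolen cookie alone can drain the wallet."""
    if session not in acct.sessions or price > acct.wallet:
        return False
    acct.wallet -= price
    return True


def buy_with_confirmation(acct, session, price, confirm_tok, now=None):
    """Hardened policy: cookie AND a fresh, single-use confirmation for this buy."""
    now = time.time() if now is None else now
    if session not in acct.sessions or price > acct.wallet:
        return False
    entry = acct.confirmations.pop(confirm_tok, None)  # single use: consumed
    if entry is None:
        return False
    action, expiry = entry
    if action != ("buy", price) or now > expiry:   # must match amount, be fresh
        return False
    acct.wallet -= price
    return True
```

With a hijacked cookie the first function succeeds silently, while the second fails until the owner approves that exact purchase on their device, and a captured confirmation cannot be replayed or reused for a different amount.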
pckirk 20 Aug @ 4:49am
Account security is 100% on the account user.

You gave away all 3 keys to the door of your account; you were phished on your PC. That is the only way it can happen. This is on the user, not Steam.

How? By either logging into a known scam site or any off-Steam item sell site, fake Steam log-in websites, or by tailored malware on your PC, the "vote for my team" scam, the "you have a pending ban" scam on Discord, "free knife, click the link", etc.

How does Steam (a program) know it is not you when all the account details are correct? It doesn't, therefore any action taken on your account is seen as you doing said actions.

The alternative is not plausible:

1) Someone would have to "GUESS" your account name from "millions of possible combinations".

2) Next they would have to "GUESS" your password from "millions of possible combinations" and then match it to your account name with "millions of possible combinations".

3) And finally they would have to "GUESS" the Steam Guard Mobile code "which changes every 30 seconds" to match both your account name and password to then have access to your account.
Last edited by pckirk; 20 Aug @ 4:58am
https://steamhost.cn/subscriber_agreement

C. Your Account (snipped)

You are responsible for the confidentiality of your login and password and for the security of your computer system. Valve is not responsible for the use of your password and Account or for all of the communication and activity on Steam that results from use of your login name and password by you, or by any person to whom you may have intentionally or by negligence disclosed your login and/or password in violation of this confidentiality provision.