2025-05-04

I like to think that I have pretty decent cybersecurity practices. I use MFA or 2FA on everything I can, passkeys on every service that supports them, have authenticators set up for Blizzard, Microsoft, Steam, and other accounts, but I still got hacked on Steam. Or more precisely, I got phished on Steam, sent to a fake Counter-Strike 2 event page, and tricked into putting in what I thought were Steam OpenID login details. Except, of course, they weren't.

Or maybe they were. I do remember a notification on Steam Guard, but again, I thought it was a legit Steam OpenID page, and nothing on the page gave me any indication it wasn't. It was in a normal browser window, not a Steam Browser. It had the usual Sign in with Steam button, and I don't even remember putting my password or username in, because it's the browser I always use for Steam purchases, so it already had login session cookies.

Don't sign in to Steam on third-party sites, whether to check your Steam Spend, Time To Beat, vote on eSports tournaments, or for any other purpose. And no, those DMs about $50 Steam Gift Cards aren't real either. Sorry.

Thinking about it now, it might have only been session cookies that got hijacked, as the hackers messaged most of my friends list before I managed to get control back from Steam Support, but didn't seem to be able to change any settings like email or password, or remove Steam Guard. I got lucky in that respect, as there was no money or skins in my account to be transferred out, but I do have 1,300 games or so and DLC, adding up to a horrendous total amount of value.

Here's what happened, so you know what to look for, and how realistic those phishing sites are.

All it took was a couple of clicks

The phish looked so real, and it even seemed to use Steam's OpenID login

It was the beginning of January 2024, and I was probably nursing a hangover from New Year's Eve when I got a message on Steam from an old friend. They wanted me to vote for their friends in a CS2 tournament so they'd have a chance of winning a prize or something like that. I didn't think much of it at the time; we were always asking each other to click on stuff to win prizes, but I feel differently now.

I clicked through, clicked on my OpenID login button, and must have tapped on Steam Guard on my phone because every sign-in for Steam gets authenticated that way. I was slightly confused when the tournament voting page didn't work as it should have, but I assumed it was either AdBlock or the Eero security settings, didn't think much about it, and went to bed.
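One practical check against the "Sign in with Steam" trick described above, added here as an example rather than anything from the original post: before trusting a login page, confirm the address is Steam's own OpenID endpoint and not a lookalike. It assumes the genuine endpoint is https://steamcommunity.com/openid/login, and the sample URLs in the demo are constructed for illustration.

```python
# Added example (not from the original post): verify that a "Sign in with
# Steam" link really points at Steam's OpenID endpoint.
# Assumption: the genuine endpoint is https://steamcommunity.com/openid/login.
from urllib.parse import urlsplit

GENUINE_HOST = "steamcommunity.com"
GENUINE_PATH = "/openid/login"


def is_genuine_steam_openid(url: str) -> tuple[bool, str]:
    """Return (ok, reason). Only an exact https host and path match passes."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme!r}, expected 'https'"
    if parts.username is not None or parts.password is not None:
        # "steamcommunity.com@evil.example": the real host follows the '@'
        return False, "URL carries userinfo before the host"
    host = (parts.hostname or "").lower()
    if host != GENUINE_HOST:
        # rejects extra subdomains, appended suffixes and lookalike spellings
        return False, f"host {host!r} is not {GENUINE_HOST!r}"
    if port not in (None, 443):
        return False, f"unexpected port {port}"
    if parts.path != GENUINE_PATH:
        return False, f"path {parts.path!r} is not {GENUINE_PATH!r}"
    return True, "genuine Steam OpenID endpoint"


if __name__ == "__main__":
    # Constructed sample links: one genuine shape, the rest common spoof shapes.
    samples = [
        "https://steamcommunity.com/openid/login?openid.mode=checkid_setup",
        "https://steamcommunity.com.evil.example/openid/login",
        "https://steamcommunity.com@evil.example/openid/login",
        "http://steamcommunity.com/openid/login",
        "https://steamcommunity.com/login/home",
    ]
    for link in samples:
        ok, why = is_genuine_steam_openid(link)
        print("OK  " if ok else "BAD ", link, "->", why)
```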