Hackers stealing CSGO skins through iOS vulnerability, Steam API
Most serious skin collectors and players have thier Steam account protected by two-factor authentication, but it turns out that having the securty feature on Steam isn't enough. The hijacking of two high-profile accounts in the past year show that a user's inventory isn't always as secure as they think it to be.
On November 28, professional CSGO player Paytyn "Junior" Johnson woke up to find that almost his entire inventory had been cleaned out. He'd been the victim of one of two possible attacks that allowed hackers to access not only his Steam account, but also bypass Steam Guard, the platform's two-factor authenticatior located on a user's phone. But thanks to a simple backup option, Junior may have lost out on a hefty number of skins.
Hackers access pro's Steam account, steal skins
Hackers are rumored to be able to gain access to Steam accounts using the backup images of iPhones, allowing them to empty an account's inventories through a pretty serious flaw. The entire purpose 2FA is to have a second chance to regain control of a compromised account, so users are partly to blame as well. Here's how it works.
I wake up getting spammed notifications my steams been hacked, I was able to logon and deauthorize the account and changed every password I have, in a span of 5 minutes of me changing everything somehow all of my skins (around 20k) got sent through to another account without 1/2— Paytyn (@1juniorcs) November 27, 2020
Many players use Apple's iCloud storage to store photos and contacts, but they can also decide to back up both apps and their settings to the cloud as well. If a player chooses to backup the Steam App, they're also saving both their log-in credentials, incuding the username and password, as well as Steam Guard itself.
If the player includes applications in their backups, then it's a fairly trivial process for a hacker that has access to the iCloud account to download this backup. Once there, several utilities exist where users can generate two-factor codes on the desktop instead of from mobile, a move that completely defeats the purpose of 2FA. What happens then is fairly simple, as the hacker uses those three pieces of information to empty the account, either to third-party websites or to a middleman account. Junior eventually recovered his account, but said he hasn't received any of his lost skins as of yet.
Why do you need Steam Guard and other two-factor authentication?
As of 2016, Valve announced that with 2FA in place and the proliferation of third-party sites, they would no longer regenerate skins for players who had them stolen. Valve's concern was that not only could a user pretend to be robbed, eventually getting the "stolen" skins back from a second account or the money from its sale, but that third-party skin sites were making a killing while the developer watched money move outside the Steam ecosystem. Since Valve takes a 15% cut of every CSGO item sold on the Steam Marketplace, so Valve obviously prefers to keep everything in-house.
How do Steam accounts get stolen?
There are three main ways. The first would be if a user's email address and password were stolen. With those pieces of information, a hacker could reset the email connected to the account. Steam recommends that players never "use the same password for both their email and their Steam Account."
The second way is through the process mentioned above, where the hacker has access to both the Steam Guard backup and the user's email and password. The third way is through malware. Keyloggers and viruses are some of the main ways hackers can access the data needed to clean out an account.
Will Valve return stolen skins to thier owners like Stewie2k?
There's still hope for Junior's skins. Team Liquid's Jake "Stewie2k" Yip had his own account hacked in a similar way during the 2019 StarLadder Berlin Major. Luckily, Valve restored access to the pro's account and returned to him his skins, so it's possible that Junior will be just as lucky. Even CSGO observer DJ "Prius" Kuntz revealed that he was a victim of a similar attempt during a stint at IEM Katowice.
Much love & appreciation for the quick recovery @CSGO . Stole thousands of dollars of skins without trade ban & i have no idea how. Hats off for the hacker, dedicated your life for these things...got what you want. Seems like @CSGO got it all under control though ❤️— Jake (@Stewie) September 5, 2019
There are an entire host of scams used on Steam to trick people out of thier items, so it's best to follow the simple rules of the internet to keep things safe.
- If it's too good to be true, it probably is.
- Never share your password with anyone.
- Enable 2FA on all ways into your account like an email address, phone, and Steam itself.
Finally, enabling Steam Family Sharing is an odd way to work around the issue, but it requires players to enter another four digit pin in order to do anything through the Steam Service. Prius reccomendeds it as a way to further lock down an account, but it need to be enabled correctly to function. Users can find out more about Family Sharing and how it can protect them through Steam's FAQ.
How to avoid CSGO scam Seven Town and protect your Steam account
Fivetown is CSGO's newest scam, and this is how it works
s1mple admits to sharing a VAC-banned account with friend
Steam 101: This is how to refund a game on the Steam Store
Stewie2k had account hacked, skins stolen before Astralis match
AOC uses Among Us Twitch stream to raise $200,000 for charity
Kayle, Malphite, others are dominating LoL patch 10.24
Best Valorant agent duos according to your playstyle
Fnatic's KRIMZ receives VAC ban before Flashpoint 2 match
OG star Ceb banned from Twitch for unknown reason
Forsen banned indefinitely for explicit animal content
GODSENT enters new multiyear sponsorship deal
How does Valorant measure up with Volcano's vision for an FPS?
Doublelift retires with 2000 kills and more crazy stats
Nuguri is reportedly heading to LPL, could join FunPlus Phoenix
Valorant releases new First Strike trailer before NA main event
DAMWON Gaming adds Khan as top laner for the 2021 LCK season
How to start CSGO in 128 tick mode without FACEIT or ESEA
Fnatic finalizes its new 2021 LEC roster with Upset