Hackers stealing CSGO skins through iOS vulnerability, Steam API
Most serious skin collectors and players have thier Steam account protected by two-factor authentication, but it turns out that having the securty feature on Steam isn't enough. The hijacking of two high-profile accounts in the past year show that a user's inventory isn't always as secure as they think it to be.
On November 28, professional CSGO player Paytyn "Junior" Johnson woke up to find that almost his entire inventory had been cleaned out. He'd been the victim of one of two possible attacks that allowed hackers to access not only his Steam account, but also bypass Steam Guard, the platform's two-factor authenticatior located on a user's phone. But thanks to a simple backup option, Junior may have lost out on a hefty number of skins.
Hackers access pro's Steam account, steal skins
Hackers are rumored to be able to gain access to Steam accounts using the backup images of iPhones, allowing them to empty an account's inventories through a pretty serious flaw. The entire purpose 2FA is to have a second chance to regain control of a compromised account, so users are partly to blame as well. Here's how it works.
I wake up getting spammed notifications my steams been hacked, I was able to logon and deauthorize the account and changed every password I have, in a span of 5 minutes of me changing everything somehow all of my skins (around 20k) got sent through to another account without 1/2— Paytyn (@1juniorcs) November 27, 2020
Many players use Apple's iCloud storage to store photos and contacts, but they can also decide to back up both apps and their settings to the cloud as well. If a player chooses to backup the Steam App, they're also saving both their log-in credentials, incuding the username and password, as well as Steam Guard itself.
If the player includes applications in their backups, then it's a fairly trivial process for a hacker that has access to the iCloud account to download this backup. Once there, several utilities exist where users can generate two-factor codes on the desktop instead of from mobile, a move that completely defeats the purpose of 2FA. What happens then is fairly simple, as the hacker uses those three pieces of information to empty the account, either to third-party websites or to a middleman account. Junior eventually recovered his account, but said he hasn't received any of his lost skins as of yet.
Why do you need Steam Guard and other two-factor authentication?
As of 2016, Valve announced that with 2FA in place and the proliferation of third-party sites, they would no longer regenerate skins for players who had them stolen. Valve's concern was that not only could a user pretend to be robbed, eventually getting the "stolen" skins back from a second account or the money from its sale, but that third-party skin sites were making a killing while the developer watched money move outside the Steam ecosystem. Since Valve takes a 15% cut of every CSGO item sold on the Steam Marketplace, so Valve obviously prefers to keep everything in-house.
How do Steam accounts get stolen?
There are three main ways. The first would be if a user's email address and password were stolen. With those pieces of information, a hacker could reset the email connected to the account. Steam recommends that players never "use the same password for both their email and their Steam Account."
The second way is through the process mentioned above, where the hacker has access to both the Steam Guard backup and the user's email and password. The third way is through malware. Keyloggers and viruses are some of the main ways hackers can access the data needed to clean out an account.
Will Valve return stolen skins to thier owners like Stewie2k?
There's still hope for Junior's skins. Team Liquid's Jake "Stewie2k" Yip had his own account hacked in a similar way during the 2019 StarLadder Berlin Major. Luckily, Valve restored access to the pro's account and returned to him his skins, so it's possible that Junior will be just as lucky. Even CSGO observer DJ "Prius" Kuntz revealed that he was a victim of a similar attempt during a stint at IEM Katowice.
Much love & appreciation for the quick recovery @CSGO . Stole thousands of dollars of skins without trade ban & i have no idea how. Hats off for the hacker, dedicated your life for these things...got what you want. Seems like @CSGO got it all under control though ❤️— Jake (@Stewie) September 5, 2019
There are an entire host of scams used on Steam to trick people out of thier items, so it's best to follow the simple rules of the internet to keep things safe.
- If it's too good to be true, it probably is.
- Never share your password with anyone.
- Enable 2FA on all ways into your account like an email address, phone, and Steam itself.
Finally, enabling Steam Family Sharing is an odd way to work around the issue, but it requires players to enter another four digit pin in order to do anything through the Steam Service. Prius reccomendeds it as a way to further lock down an account, but it need to be enabled correctly to function. Users can find out more about Family Sharing and how it can protect them through Steam's FAQ.
Visual Stories around the web
How to avoid CSGO scam Seven Town and protect your Steam account
Here's how to turn on Steam Guard and save your Steam account
Fnatic's KRIMZ receives VAC ban before Flashpoint 2 match
Has Valve messed up all of the AK-47 skins in CSGO?
Stewie2k had account hacked, skins stolen before Astralis match
Fnatic's KRIMZ receives VAC ban before Flashpoint 2 match
How to start CSGO in 128 tick mode without FACEIT or ESEA
Team Secret releases its entire CSGO roster after struggles
FaZe Clan coach YNk wanted a bigger rebuild, talks IGL problems
This DreamHack trailer might have teased a returning CSGO map
Multiple North American orgs reportedly exiting Counter-Strike
Evil Geniuses pulls out of BLAST Showdown, Heroic to fill in
Vitality scores wild reverse sweep against Na'Vi in IEM Beijing
XSet’s female CSGO team wants to beat the best men's teams
One-handed streamer goes viral with her insane CSGO plays
flusha fined and sentenced for tax evasion over Fnatic winnings
Team Liquid vs Triumph: IEM Beijing betting analysis
tabseN stays atop CSGO rankings, but G2's NiKo close behind
Astralis retains top spot in CSGO rankings, Heroic breaks out