What on Earth am I talking about?
What is this ‘Steam’ thing?
Steam is a gaming network, where I buy, manage and play most of my computer games, and play and hang out online with friends. This means it’s a place where I spend a bit of money, and a lot of time. The fact that it’s a Steam account is not really important in this case aside from serving as an example. Having this successfully hacked would be as troublesome to me as for anyone else to have their Facebook, Twitter, email, Instagram, Snapchat, Amazon, Yahoo or any other user account taken over by strangers.
And what is two-factor authentication anyway?
It is a way for a service or account provider to double-check that when you’re logging into your user account, you’re the correct customer and not someone who is pretending to be you in order to get access to your account. They do this by sending you a second code that you have to confirm before they will let you in, even if you have entered the correct username and password.
This second code will typically be sent either to your email address or as a text message to your phone (there are also code generator apps that can be used for the same purpose). An attacker won’t have access to your email or your phone, so they won’t be able to confirm the code, and will therefore be denied entry.
The email I got from Steam said as follows (I’ve redacted some identifying information):
Here is the Steam Guard code you need to login to account my-username:
This email was generated because of a login attempt from a computer located at 95.220.46.*** (RU). The login attempt included your correct account name and password.
The Steam Guard code is required to complete the login. No one can access your account without also accessing this email.
If you are not attempting to login then please change your Steam password, and consider changing your email password as well to ensure your account security.
(IF however they manage to access your email and/or your phone text messages, then you’re having way bigger problems than just your Steam account getting hijacked, and you should press the Panic button immediately — and if necessary get someone qualified to help you with the recovery and cleanup operation required to reclaim ownership.)
If they had got in, what could they have done?
I’m sure there are things that can be done with and to a hijacked Steam account that I can’t even think of, but for starters there are two things they could have used it for:
- Buy games with my credit, and gift or sell them to other Steam users. This would cost me money (more so if my credit card had been stored on my Steam user account), and they would make money from whoever bought the games from them at an irresistible discount. This kind of game piracy, where illegitimate traders sell license codes for games “at very affordable prices” is big business.
- Send spam messages to people on my Steam contact list, either with advertising, or links to websites that could infect their computers with viruses, or attempt to trick them into surrendering their usernames and passwords, so that they in turn become the bandits’ next victims.
But who would do this?
The login confirmation email that I got from Steam also gave me information about where in the world the attempted attack came from. Thus I know that somewhere in Dolgoprudny just outside Moscow, someone was slightly miffed when their attack failed. Only slightly, because I’m fairly sure they have many other user accounts to try, and a good portion of them are likely to not have two-factor authentication. They wouldn’t be doing this if there wasn’t a reasonable chance of success.
How did they get hold of your password?
That’s a tough question, and to be honest I don’t know. I am very careful about where I put my passwords, and I’m fairly sure that I would have been able to spot a phishing attempt if I’d been exposed to one. Then again I’m only human, and accidents occasionally happen. On the other hand, although I’m certain we users would have been informed if Steam itself had been hacked, there are third-party vendors who connect to Steam via users’ accounts, and it’s conceivable, however unlikely, that one or more of them might have had a security breach.
What to do next?
The first thing to do when you get any indication that your username and password have wound up in the wrong hands is to change your password, and do it immediately! And make it a thorough change, i.e. not just from “MyPassword1” to “MyPassword2”, but a whole new password.
The second thing is to go through your user accounts with other services and see where else you have used the same username and password. Make sure you change your passwords there too, and use a different password for every service.
And third, if you haven’t already, check if the service in question offers two-factor authentication. It might save you from unnecessary grief at some point, and the added security (in a world where criminal breaking and entering into all kinds of user accounts is a major industry) is well worth the little bit of extra hassle.
What’s a good password?
A good, secure password is one that is random, and long enough that it will take too long to break for anyone to bother. There are many schools of thought, but I recommend something like what you see in this comic strip (click on the image to see it in full size).
To get an idea about how secure your new password will be, you can check it with this password security checker, which will tell you how long it likely will take to break it:
Mind you, don’t type in your actual password, test instead with something that is similar, but different. I don’t think that their website is ‘harvesting’ passwords, but as a matter of principle you should never type your password anywhere except where it really belongs.
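As an added example, not from the original post, the following Python compares the entropy of random character passwords with comic-strip style random word passphrases and converts it to a worst-case cracking time. The 7776-word list size (the size of common diceware lists) and the ten-billion-guesses-per-second rate are assumptions; the embedded wordlist is a constructed sample, far too small for real use.

```python
import math
import secrets
import string

# Constructed sample wordlist for the demo. A real passphrase list (e.g. the EFF
# long wordlist) has 7776 entries; entropy depends on the list size, not the words.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "orbit", "velvet", "canyon", "maple",
    "anchor", "pillow", "glacier", "lantern", "meadow", "copper", "saddle", "thistle",
]
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SECONDS_PER_YEAR = 365.25 * 86400

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string whose `length` symbols are each chosen uniformly."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case: time to try every candidate at the given guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR

def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Random character password from the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_passphrase(n_words: int, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Comic-strip style passphrase: n words picked uniformly from a list."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))

def compare(guesses_per_second: float = 1e10) -> dict:
    """Bits and worst-case years for a few password shapes. The guess rate is an
    assumed offline-cracking figure; an online login form is far slower."""
    shapes = {
        "8 random printable chars": entropy_bits(len(PRINTABLE), 8),
        "16 random printable chars": entropy_bits(len(PRINTABLE), 16),
        "4 words from a 7776-word list": entropy_bits(7776, 4),
        "6 words from a 7776-word list": entropy_bits(7776, 6),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in shapes.items()}

if __name__ == "__main__":
    print("example password:  ", random_password(16))
    print("example passphrase:", random_passphrase(4))
    for name, (bits, years) in compare().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{years:.3g} years")
```

Four random words score about the same as eight random printable characters, and every extra word adds roughly 13 bits, which is the comic strip's point.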
Final words: I write this blog in my spare time, and I’m neither a support department nor a hacker, so I will not be able to help you change passwords for services or regain access to hacked accounts, and definitely not help you hack anybody else’s account. If you’re in need of help, contact the service provider in question, ask a tech-savvy friend, or call an IT hotline.
Also, I take no responsibility for contents on linked websites, as I have no way of controlling how they conduct their business, or the accuracy of the information they provide. Use common sense, don’t click every button you see, and don’t believe everything you read on the Internet.