My Steam Account Was Hacked

Late on Thursday evening I received an email from an ex-Automattic friend who asked if my Steam account was compromised because he received a message from me saying,

[8:34 PM]
DOC: What’s up mate

[8:45 PM]
DOC: may i ask u favor?sorry for disturbing u btw

I don’t call anyone “mate”, I don’t use “u”, I use punctuation. It didn’t sound like me so it raised red flags immediately for him.

In a panic I checked my Steam account and I still had access to it. Steam Guard was still active and I hadn’t received any emails about changes to my account. Nevertheless I went through the process of changing my password.

A series of emails followed. I thought someone was impersonating my account but a screenshot showed the age of my account and account XP which is impossible (I presume) to fake.

Eventually I found out through a Reddit post that my account had been compromised.

There is a new scam going around where a friend will ask you to vote for a team to get the team into a competition for me it was Intel Extreme Masters they may use different names, but that is all I have encountered.

Posted by u/Accurate_Heart

That rung a bell for me. About two weeks ago someone messaged me on Steam and asked me to vote in a team logo competition on a website called roplautstar .com. I’m not hyperlinking that website because it has since changed how it works and simply shows a “Sign in through Steam” dialogue box.


Clicking on that button shows a fake “Login through Steam” popup.

roplauster fake login

At the time I was first asked I didn’t fill in the form. I was tired after a long day at work. I worried about linking my Steam account to this random website just to vote in some silly competition. So I forgot about it. Unfortunately they got back to me a few days later and asked again. I reasoned that if my Steam friend’s account had been compromised they would have noticed in that time and it must be legit so off I went and happily entered my login details and Steam Guard code and thought nothing more about it.

Until Thursday night.

Those emails and the revelation my Steam account was hacked is very upsetting. I pride myself on being very paranoid about logins. Especially on Steam where there are all sorts of scams to steal tradable goods, buy giftable games or launder money and more. I’ve been online for more than twenty years. How the hell could I have been hacked?

You should be asking yourself that too. You couldn’t possibly be hacked.

This fake login was very good, but there were signs I ignored because I saw the familiar “Valve Corp” in the address bar. Turns out it’s just an image you can download.

I should have been wary of a popup asking me for my Steam login, but half the time I use Steam in my browser I’m logged out due to inactivity so that didn’t raise alarm bells. I should have opened Steam in a new window to check if I was logged in.

If I had clicked on any of the links in that popup I would have been alerted to the scam. Firefox wouldn’t load the page in an iframe and gave an error.

But I didn’t. Why would I?

The popup is very believable. It features the window decoration of Windows 10 (close/minimize/maximize button) which should have tipped me off as I’m using a Mac. If I had tried moving the popup I would have discovered that it can only move in the bounds of the “parent” window. Hovering over the drag bar at the top changes the mouse pointer or an icon showing horizontal bars I’m not familiar with.

They had access to my account for about two weeks. They messaged four Steam friends with the same message. Luckily nobody clicked the link and two people ignored the initial “What’s up mate” greeting. I wish they had warned me via other means. One person was messaged on October 2nd and she could have contacted me on Facebook.

I went through the messages of all my friends checking who it was sent me the original message but I couldn’t find it. Maybe I’m blocked from seeing their messages.

What do you do if this happens to you?

  1. Change your password immediately.
  2. Check this Steam API key page and make sure it’s blank.
  3. Check your Steam Friend Chat Log. You’ll see who you talked to recently but it only goes back 7 days from what I can see.
  4. Go through your friend list in the chat and see who is blocked.
  5. Unblock any you find and check that they did not get a suspicious link and tell them you were hacked. Tell them to change their password if they had entered their Steam credentials in that site.
  6. Check your Steam Login History. All my most recent logins are in Ireland except for about six that are all in Russia. Why doesn’t Steam alert me when I login from a different country?
  7. The Steam Account Data page is very useful. Thanks GDPR.

If you receive an unusual message from a friend try to contact them through some other means. Do you know them on Facebook or Twitter? There’s no harm, and they will be very relieved to find out there was a problem.

Be careful online. You will be hacked eventually.


Catch website file changes with AIDE

A week ago I suggested installing AIDE to track changes on your server in case it had been hacked. I think AIDE Is so useful that it deserves a post of it’s own. Here’s a short guide to get it working properly.

The AIDE .deb package includes configuration files for over 80 different software packages or log files. That’s great if you have all that software installed or want to keep a paranoid eye on /var but what if you only care about the directory where your website lives?

When I first installed AIDE (using apt-get install aide), it said I needed to run /usr/sbin/aideinit after installation. Every morning I’d get an email from AIDE with a list of changed files from all over my server, including mail logs, Apache logs, and more. I didn’t need all that so I removed the files from /etc/aide.conf.d/ except my WordPress config file:

/home/web/ Checksums

Unfortunately after I removed the configuration files the daily AIDE email was flooded with open_dir() errors:

Output is 40577 lines, truncated to 1000.
open_dir():Not a directory: /home/donncha/.bashrc
open_dir():Not a directory: /home/donncha/.bash_profile
open_dir():Not a directory: /home/donncha/.viminfo
open_dir():Not a directory: /home/donncha/.bash_history

AIDE was rendered useless by all the errors. Thankfully it was easy to fix. Run aideinit again and it regenerates the AIDE database.

# /usr/sbin/aideinit
Overwrite existing /var/lib/aide/ [Yn]? y
Running aide –init…

AIDE, version 0.13.1

### AIDE database at /var/lib/aide/ initialized.

Overwrite /var/lib/aide/aide.db [yN]? y

For good measure, I ran /etc/cron.daily/aide again which sent me the “Daily AIDE report”, and yes, it reported that my .htaccess file had been changed. Nice.

If your site is on a shared hosting account then you’re out of luck, but if you have a dedicated host, or virtual private server (VPS) then please consider using AIDE to keep track of changed files. It will send you a short email every day listing changed, added or deleted files. It may save you a lot of hassle and embarrassment if your site is hacked.

Edit: By default, the nightly cron script doesn’t update the AIDE database leading to the same files changes reported every day. Edit /etc/default/aide and make sure COPYNEWDB is set to “yes”. That will update the database.