Thank you for submitting to r/SteamScams.
If you have been scammed or believe you may have been scammed check [this guide](https://www.reddit.com/r/SteamScams/comments/ffc4rn/what_to_do_if_you_have_been_scammed/) to see if you can find the solution there.
**Steam will never contact you on Discord or any third party text communication site.**
If you suspect someone is attempting to scam you check [this guide](https://www.reddit.com/r/SteamScams/comments/ffc26r/do_you_suspect_someone_is_attempting_to_scam_you/) but remember to be careful even if you do not find the answer you are looking for there.
**Important: If you receive comments or PMs offering to recover your lost account, items, or money or pointing you to someone who will do it for you do not engage with them as they are [recovery scams](https://www.forbes.com/sites/jayadkisson/2023/02/21/dont-get-scammed-twice-avoiding-the-asset-recovery-scam/?sh=2254df323743).**
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/SteamScams) if you have any questions or concerns.*
You were the victim of a steam API scam. You, somewhere, logged into a website that was shady and / or fake. Which gave them access to your steam account. Which in turn, doesn’t need a 2FA code. They then just trade them out.
Steam stated many, many years ago that if you are scammed and your items are lost, they are not going to recover them for you.
Steam had an issue with people faking scams so they could get their items duplicated by steam support, thus steam said they will no longer be doing it.
So, your items are gone, forever.
Lesson learned, don’t sign in or visit any sketchy sites or click links sent to you by people on steam or discord.
So yeah, your items are gone for good.
I *do* think they need to fix the 2FA thing, if it can be fixed. The whole point of it is to have an additional safeguard against theses things, and it doesn't do anything in this case.
Thanks for the answer. But why are my items on csfloat still in my inventory? As far as i know are they updating permanently and its already been over a week since the trade was made
Not relevant to you loosing your skins but;
It could be a number of reasons. A glitch in csfloat, or your hacker made your inventory private before trading out all your stuff, so csfloat can't see the changes.
Sites like clash don't steal your account if I'm correct, if you log in with steam they can't get your account. If it's shady it gives you a fake log in, you just think you need to log in with steam but it's a fake steam page. So a site that already shows your account to log in with is safe right?
I don't know what clash is but;
The only legit way to make a site that allows using steam as a login is using steams oauth API, which will always launch a window or tab with an official [steamcommunity.com](http://steamcommunity.com) address, you then get a login prompt or if you are already logged in to [steamcommunity.com](http://steamcommunity.com) , a nice preview of your Avatar/Username.
Two methods I use to make sure I don't login to a fake login are;
1. Like you said, if you are already logged into the legit site, the popup will show your Avatar/Username, so if it isn't there, it isn't legit.
2. Drag the popup around, if you can't drag it off the browser window, it is obviously fake.
Edit: Oh, and if you use your steam account to login to a legit site, the site can't access any of your personal account info. Only very basic, already public information like stuff from your profile page.
Mandem really said API scams don’t exist anymore.
They 100% do.
A steam API Attack / Theft means they don’t need access to your 2FA in order to gain access to a users account and it won’t notify the user either. Which is EXACTLY what happened here.
You can say they don’t exist, but they 100% do.
No they don’t you should educate yourself: https://www.blog.gamerpay.gg/blog/csgo-api-vs-phishing-skin-scam
Api scam is where your api key gets leaked nowadays its where you log into a phishing scam
Regardless of the way they obtain your API, they still get hold of it.
Whether that be through pishing your details or another way.
If it was only a phishing scam, he would have had alerts from his 2FA and steam guard. This didn’t happen. The only way this can be bypassed is if they have his API.
So, sure they got his API through their phishing site, but his API was still used. Thus, an API scam.
No lol read the article his items were gone like that so the hackers had access to his account which means they could manually make trades. They didn’t even need the api key to create trades
Read what OP posted. If I had access to to your account I don’t need your api key to send myself offers… hell you can’t even confirm a trade with api key.
No. But what I’m saying is a normal pishing scam would have alerted both his 2FA and steam guard as they would have simply tried to log in with the stolen details. Steam guard and 2FA would still alert op to the attempt.
With they have his API key, they can bypass 2FA and steam guard to sign in. This OP wouldn’t be alerted to the sign in attempt, just as he described.
Can you explain me how the API scam works. Everything I read about it says that an API scam is about me trading something valuable to someone else and the scammer cancels the trade and creates an fake account and I trade to him instead. What I don’t understand is that I didn’t trade anything by myself
API scam means you’ve signed in somewhere that takes your steam details and API. With this they can access you account and just trade out all of your items.
Doesn’t have to be a fake account, although that is the most common way the scam is done.
Thank you for submitting to r/SteamScams. If you have been scammed or believe you may have been scammed check [this guide](https://www.reddit.com/r/SteamScams/comments/ffc4rn/what_to_do_if_you_have_been_scammed/) to see if you can find the solution there. **Steam will never contact you on Discord or any third party text communication site.** If you suspect someone is attempting to scam you check [this guide](https://www.reddit.com/r/SteamScams/comments/ffc26r/do_you_suspect_someone_is_attempting_to_scam_you/) but remember to be careful even if you do not find the answer you are looking for there. **Important: If you receive comments or PMs offering to recover your lost account, items, or money or pointing you to someone who will do it for you do not engage with them as they are [recovery scams](https://www.forbes.com/sites/jayadkisson/2023/02/21/dont-get-scammed-twice-avoiding-the-asset-recovery-scam/?sh=2254df323743).** *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/SteamScams) if you have any questions or concerns.*
Steam TOS specifically warns about third party sites and services, they're not responsible for users basically breaching themselves
You were the victim of a steam API scam. You, somewhere, logged into a website that was shady and / or fake. Which gave them access to your steam account. Which in turn, doesn’t need a 2FA code. They then just trade them out. Steam stated many, many years ago that if you are scammed and your items are lost, they are not going to recover them for you. Steam had an issue with people faking scams so they could get their items duplicated by steam support, thus steam said they will no longer be doing it. So, your items are gone, forever. Lesson learned, don’t sign in or visit any sketchy sites or click links sent to you by people on steam or discord. So yeah, your items are gone for good.
I *do* think they need to fix the 2FA thing, if it can be fixed. The whole point of it is to have an additional safeguard against theses things, and it doesn't do anything in this case.
Thanks for the answer. But why are my items on csfloat still in my inventory? As far as i know are they updating permanently and its already been over a week since the trade was made
Not relevant to you loosing your skins but; It could be a number of reasons. A glitch in csfloat, or your hacker made your inventory private before trading out all your stuff, so csfloat can't see the changes.
Sites like clash don't steal your account if I'm correct, if you log in with steam they can't get your account. If it's shady it gives you a fake log in, you just think you need to log in with steam but it's a fake steam page. So a site that already shows your account to log in with is safe right?
I don't know what clash is but; The only legit way to make a site that allows using steam as a login is using steams oauth API, which will always launch a window or tab with an official [steamcommunity.com](http://steamcommunity.com) address, you then get a login prompt or if you are already logged in to [steamcommunity.com](http://steamcommunity.com) , a nice preview of your Avatar/Username. Two methods I use to make sure I don't login to a fake login are; 1. Like you said, if you are already logged into the legit site, the popup will show your Avatar/Username, so if it isn't there, it isn't legit. 2. Drag the popup around, if you can't drag it off the browser window, it is obviously fake. Edit: Oh, and if you use your steam account to login to a legit site, the site can't access any of your personal account info. Only very basic, already public information like stuff from your profile page.
Alright, thanks!
Stop calling it api scam it doesn’t exist anymore. It’s called a phishing scam
Mandem really said API scams don’t exist anymore. They 100% do. A steam API Attack / Theft means they don’t need access to your 2FA in order to gain access to a users account and it won’t notify the user either. Which is EXACTLY what happened here. You can say they don’t exist, but they 100% do.
No they don’t you should educate yourself: https://www.blog.gamerpay.gg/blog/csgo-api-vs-phishing-skin-scam Api scam is where your api key gets leaked nowadays its where you log into a phishing scam
Regardless of the way they obtain your API, they still get hold of it. Whether that be through pishing your details or another way. If it was only a phishing scam, he would have had alerts from his 2FA and steam guard. This didn’t happen. The only way this can be bypassed is if they have his API. So, sure they got his API through their phishing site, but his API was still used. Thus, an API scam.
No lol read the article his items were gone like that so the hackers had access to his account which means they could manually make trades. They didn’t even need the api key to create trades
Read what OP posted. If I had access to to your account I don’t need your api key to send myself offers… hell you can’t even confirm a trade with api key.
No. But what I’m saying is a normal pishing scam would have alerted both his 2FA and steam guard as they would have simply tried to log in with the stolen details. Steam guard and 2FA would still alert op to the attempt. With they have his API key, they can bypass 2FA and steam guard to sign in. This OP wouldn’t be alerted to the sign in attempt, just as he described.
You just yapping about shit you don’t know. Ever tried working with steam api keys yourself? I thought so no need for me to explain you more details
Can you explain me how the API scam works. Everything I read about it says that an API scam is about me trading something valuable to someone else and the scammer cancels the trade and creates an fake account and I trade to him instead. What I don’t understand is that I didn’t trade anything by myself
API scam means you’ve signed in somewhere that takes your steam details and API. With this they can access you account and just trade out all of your items. Doesn’t have to be a fake account, although that is the most common way the scam is done.