Anyone with security/hacking experience answer this?

[BloodOmen]

So, my Discord account and Steam account got compromised the other day, both of which have 2-Factor authentication on - None of the auths triggered when they gained access to my accounts, usually it says "device logged in from new location, is this you? yada yada" none of that triggered, they just bypassed the auths completely.

Scanned computer - completely clean, scanned my mobile phone that has the authenticators - also completely clean

Edit: E-mail addresses (discord and steam have diff emails) attached to both accounts also has 2FA on

Confused and also pissed off as one of my steam games got a EAC/Vac ban while it was compromised

 

[TdC]

no idea mate but I'd sure as shit get in touch with Steam, Discord and your email provider. make sure your passwords are changed *everywhere* and don't trust anything online for a while.

 

[BloodOmen]

no idea mate but I'd sure as shit get in touch with Steam, Discord and your email provider. make sure your passwords are changed *everywhere* and don't trust anything online for a while.

I am doing - unfortunately Steam has a zero tolerance policy, even if your account is compromised the ban will not be removed (which I think is fucking shit personally), its because people can just use a VPN, cheat, get banned and change their IP and say it wasn't them so I can't ever remove it. I have appealed it with EAC - still waiting for a response, that's all I can do.

It's only Rust that was banned, I can still play all other games, just not Rust online (which I played a lot, it was my go to game to relax when stressed, I just played it on PvE servers and built shit)

 

[TdC]

tbh its quite interesting that your 2factor didn't ping. I've heard of things like that in the past (Twitter iirc) but I'm not IT security in any way shape or form. I'd just make sure you get every single password changed. That's gonna be a pain in the arse as is I reckon mate.

 

[BloodOmen]

I'm going so much further than that, currently writing down/planning to make a brand new email address / brand new steam account (which means losing £600+ worth of games) and full on deleting the previous ones. If they could get access to my steam before with 2FA, they already know my steam account name and/or its already out there on some shady list of small dicked hackers - logically its only a matter of time before it gets nicked again despite the 2FA.

Going to completely start from scratch
Brand new e-mail
Brand new steam acc etc

 

[Overdriven]

Regarding Steam: Email them. They've got IP logs/usage logs. Their support should at least listen to you regarding this. They have levels of observability/logging most companies don't think about. That should be recoverable.

Have you logged into anything weird on any public networks? Been asked on Steam/Discord on mobile log in? Do you have any third party tools authenticated to use your account details where you've logged in? Plugins which can hook into Steam/Discord etc.

For it to bypass MFA it means you've had a session somewhere, but even at an IP region change (assuming it was a different region) that should have triggered. (Use this when talking to Steam...) -- Bit of a weird one.

 

[old.Osy]

Yeah, my money is on session token hijack. Happens more frequent than one would think.

Mate of mine got emptied out of his bitcoin like that. North of 200k.