My Steam Account was Hacked

Steam is a very popular platform, and one I use quite a bit. Most of my PC games are registered through it, and it’s the first place I go to when looking for new titles, be they indie or AAA. And who can blame me? It’s made by the people who made Half-Life and was the brain child of Gabe Newell, a paragon of gamer worship. You can download your game to any computer, cloud save your progress, talk with your friends, and the deals—THE DEALS I TELL YOU.

But what happens when that’s taken away? When the $500+ (I’m lowballing here) of games you’ve accrued vanish into thin air? Well, let me tell you what happened to me, and how it sucks even more than you’d imagine.

It was a Friday morning. I turned off my alarm and grabbed my smartphone, ready to check emails before making some oatmeal, my morning ritual. I noticed an email from Steam with the title “Steam Account – Forgotten Password.”

Huh.

That’s weird, I thought, maybe it’s from someone’s computer I was using. They probably still had my username in and didn’t realize it wasn’t their own. They must feel silly.

The thing about that, though, is I hadn’t been to a LAN party or so much as used a computer I hadn’t owned in at least a month. I didn’t think too much of it. My oatmeal was had and I went to work. On my way out to lunch a few hours later with some co-workers and I checked my phone like we all do when there’s a lull in the conversation. I had two new emails from Steam, one titled “Your Steam account: Access from new computer” and the other thanking me for changing my contact email address. I stopped dead in my tracks.

God, I’m such an idiot! Someone’s stealing my account! I thought. I had the chance to fight back and I didn’t take it. Now someone’s taken away 25% of my usage for my home computer. I was furious at myself for being such a complacent ninny, at the hacker for taking what wasn’t his, and at Steam for not protecting me.

But wait, I had Steam Guard which sends unique codes to your email address before you can log on from a different computer. He shouldn’t have been able to hack my account with the second layer of security. I wracked my brain trying to figure out how he could have guessed the randomized codes until I happened upon the very simple but horrifying conclusion—he had my email address.

Let’s zip back to May of 2011. I was in some downtime at work reading about a group of hackers called Lulzsec. They were taking on huge corporations, exposing their weaknesses, taking down websites, and generally taking private databases for joyrides. I was cheering them on from behind the scenes for flagrant illegality and rubbing the flaws of the people we trusted in everyone’s faces. It was a fantastic showing of why companies should take better care of the data entrusted to them by the public. And then they leaked thousands of usernames and passwords from many, many sources, one of which was Battlefield Heroes. I love Battlefield. Of course I played Heroes.

I was panicked at first, but realized that it didn’t matter. You know that email address you set up in middle school that you now use to give to stores and places you know are going to be sending you spam that you don’t want? You know, the one that has over 1000 messages in its inbox despite it being cleaned monthly? It was that one. I couldn’t care less about that email address. You want some deals for staying at a Hilton? Maybe to hear about the price for a new bass at Guitar Center? Take it, hacker. I don’t care. I thought.

And that was where I made the first critical mistake—not remembering my Steam account was linked to that email address and they shared a common password. Well done J., well done.

Lulzsec taught me a lesson that day that I wouldn’t actually learn until last month, a week before I had to record Borderlands 2 footage.  The first thing I did was file a ticket with Steam. Something to the effect of “OH GOD, SOMEONE TOOK MY ACCOUNT, PLEASE HELP ME. I’M AT WORK SO I CAN’T ACCESS MY ACCOUNT FOR VERIFICATION, BUT SOMEONE STOLE IT FOR REAL WHAT DO I DO HELP WHAT IS MY LIFE”. There was nothing else I could do until work was over; a full five hours of “what ifs.”

I got home from work and immediately tried getting on to my account, but to no avail. I even tried different password combinations to see if he just moved letters. I tried resetting the password despite knowing the contact email address had been changed. I even tried making a separate account to try talking to the hacker and saying he should give me my account back because come on man, be a buddy. Unfortunately, he had already set the profile to be private, so I couldn’t get in touch with him and my heart sank.

I put myself in Steam Support’s hands and hoped they could make it better. I focused on other work over the weekend, making sure to give Valve time to sort the issue out.

By Monday morning, however, I was getting anxious. I went back to my ticket and realized that in my panicked haste, I had left out proof verifying the account was mine. I gave full credit card information, my driver’s license, a picture of my Left 4 Dead key with my ticket number on it, everything. When I was satisfied knowing I could do nothing more, I let them take the reins.

For a few days.

Wednesday rolled around and I needed gameplay footage before doing live recording and still no message from Steam. Not so much as a “We’re working on it.” A quick post to the Steam subreddit yielded “They’re usually pretty fast” to “Good luck, I had to email bomb them to get mine fixed.” So I sent an email to an employee and sure enough, it was cleared up in three hours. In that time I also found out my Origin account was tied to my spam email and he had tried ordering FIFA 13, but without my full information, he couldn’t complete the transaction. Hooray.

He also changed my email settings to French. Hourra.

So finally back in control of my Steam account and the worst he’s done is deleted my friends. A pain, but an easy enough fix. No bans, no account purchases, nothing. He just sat on my account for a weekend. Good for you, buddy.

Though the entire ordeal lasted five days, it still felt awful. Not only did someone have my account, they had easy access to stored credit card information, they could get me banned from playing some of my favorite games, they could pose as me to my friends to ask for gifts or trades. It was a breach of my personal space, a space I thought was secure, but due to no one’s fault but my own, was not.

More important and alarming, however, was the potential loss of save game data. I’m a gamer that plays principally for story, and by taking the record of my own story away from me, it’s like you’ve erased my personal progress from happening. Chances are high I’ll never go back to that data again, but if I ever do, I’ll be greeted by the character me-from-the-past thought was awesome and a slice of life at the time. Even now, sound effects from Counter-Strike or songs from Final Fantasy VI conjure very specific memories in my life.

I played FFVI from the beginning to the opera house scene everyday during the summer of 1999. Anytime I hear that tune, I can remember conversations with my grandfather and how hot his small house could get. Though both he and the house are gone, I continue make the play through at least once a year.

To me, save files are a record of my past or a hook to happen upon a memory I’ve forgotten. When the hacker took my Steam account, he took far, far more of me than I had bargained for and that feeling is awful.

Since then, I’ve adopted a more secure password, different passwords for all of my accounts, and have turned on two-stage security with my email address. Luckily, the only large negative impact I had was the video review being pushed back a few days. I was lucky, and I intend to keep myself from having to be lucky again. I value my personal information and privacy enough to now know better than to leave myself open to attack.

So please, secure yourselves and realize that having your Steam account stolen means much more than losing games.