The Steam API scam is a scam that can cause you to lose items in an exchange. To avoid falling for it, be careful and check all exchange parameters before confirming the exchange.
How do scammers steal an API key?
An attacker can get your API key using a fake authorization window. It looks just like a regular Steam login window, but it leads to the attackers' site rather than the official site of the game store. If a user enters their login, password and Steam Guard confirmation code in such a window, scammers can get the account API key and use it to spoof the exchange, so that the items you send go to their bot. The fraudulent script can also copy the bot's name and avatar, and even the exchange message.
How to protect yourself from API key theft?
To prevent attackers from getting your API key, always check the authorization window when you log in to Steam:
- The link in the address bar should be the same as https://steamcommunity.com/openid/login?openid.ns=. A different address is a sign of fraud.
- If you are asked to log in even though you have already logged in to Steam in this browser, this also indicates fraud.
- A fake authorization window is often designed as an HTML element on a website, so you won't be able to change its language or move it outside the browser.
How do scammers steal items?
If fraudsters have access to your API key, they can substitute their own exchange for the original one after you check out on our site. The spoofing occurs before you confirm the action through the mobile authenticator. This is why there is a risk that you will send items to a fraudulent account.
We cannot guarantee that scammers have not accessed your API key before, but we do everything we can to help you recognize a fake exchange.
- Check if an API key has been generated for your account at https://steamcommunity.com/dev/apikey. If there is one and you did not create it yourself, it is the work of scammers.
- Do not rush to confirm the exchange in the mobile authenticator. First check the data of the bot you are sending items to.
- Check the latest exchange offers at https://steamcommunity.com/id/7yukari7/tradeoffers/. If the last two offers are identical and one of them is canceled, it's likely that scammers are trying to spoof the trade.
- Compare the registration date of the bot that you see on the website with the one shown on your phone. If scammers are trying to spoof the exchange, the dates will be different.
- If your exchange is rejected by Steam, it also means that your account is at risk. You will see a warning sign and hear a beep.
We advise you to process the transaction through your computer browser. You will then be able to open the site and the mobile authenticator at the same time, which makes it easier to control the exchange.
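The checks from the list above (two identical latest offers with one canceled, recipient identity, registration date) written as a short script. This is an added example, not code from this site or from Steam; the `Offer` record, its field names and the sample data are constructed for illustration and do not reflect Steam's API schema.

```python
from typing import NamedTuple

class Offer(NamedTuple):
    """Hypothetical record for one sent offer (not Steam's API schema)."""
    offer_id: str
    partner_id: str          # account that will receive the items
    partner_registered: str  # registration date shown for that account
    items: frozenset         # ids of the items being given away
    state: str               # "active", "canceled", ...
    created: int             # Unix time the offer was created

def check_latest_offers(offers, expected_partner_id, expected_registered):
    """Return a list of warnings; an empty list means nothing looked wrong."""
    warnings = []
    latest = sorted(offers, key=lambda o: o.created)[-2:]
    # Sign 1: the last two offers carry the same items and one is canceled.
    if len(latest) == 2:
        a, b = latest
        if a.items == b.items and {a.state, b.state} == {"active", "canceled"}:
            warnings.append("last two offers are identical and one is canceled")
    active = [o for o in latest if o.state == "active"]
    if not active:
        warnings.append("no active offer to confirm")
        return warnings
    current = active[-1]
    # Sign 2: the recipient is not the bot the site showed.
    if current.partner_id != expected_partner_id:
        warnings.append("recipient is not the bot shown on the site")
    # Sign 3: name and avatar can be copied, the registration date cannot.
    if current.partner_registered != expected_registered:
        warnings.append("recipient registration date differs from the site")
    return warnings

# Constructed sample data: the site's offer was canceled and re-created
# with the same items toward a different account.
SPOOFED = [
    Offer("1001", "bot-A", "2016-03-14", frozenset({"a1", "a2"}), "canceled", 1700000000),
    Offer("1002", "acct-X", "2023-11-02", frozenset({"a1", "a2"}), "active", 1700000020),
]
CLEAN = [
    Offer("2001", "bot-A", "2016-03-14", frozenset({"a1", "a2"}), "active", 1700000000),
]

if __name__ == "__main__":
    for name, offers in (("spoofed", SPOOFED), ("clean", CLEAN)):
        print(name, check_latest_offers(offers, "bot-A", "2016-03-14"))
```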
If you find that fraudsters are trying to tamper with the exchange, cancel it and then take the following actions:
- Change your account password (https://help.steampowered.com/en/wizard/HelpChangePassword).
- Delete the API key (https://steamcommunity.com/dev/apikey).
- Check at https://steamcommunity.com/dev/apikey whether an API key has been generated and, if so, delete it.
- Change the exchange link (to do this, go to «Inventory» -> «Exchange Offers» in your profile).
Be careful and do not enter your Steam login and password on third-party sites. This is the main way API keys are stolen.
Using these rules, you will be able to easily conduct transactions with the exchange of items in Steam and protect your account.