How To Avoid Getting Hacked Through Steam API Keys

Steam API Keys are a somewhat complicated topic, but we are going to explain them. Steam API Keys are primarily used to link a user’s account to third-party sites for stat tracking, logins and so on, for example CSGO Faceit. The API key is used to control trades on your account. It’s sad but true: it’s obsolete programming that allows full control of a user’s account regardless of any account security.

If the key is compromised, hijackers can cancel trade offers, send bogus ones and redirect items you trade to their account, which is why items get stolen. The API key field should really be blank. Roughly 77,000+ Steam accounts are hacked, raided or scammed every month, even with the various forms of 2-Factor Authentication on Steam. The root of the problem seems to be the Web API Key project on Steam.

Steam API Keys are dangerous

This seems like a pretty cool concept, but it’s becoming very dangerous as the years go on, with Valve failing to provide any additional security. The API Key is generated on the user’s account, but it can also be removed, and it should be removed if you see it active on your account. Steam claims the Steam Web API Key was never intended for this kind of use.

It doesn’t seem to be getting any better, though, as Valve continues to let the hacker and scammer community flourish, according to outside sources and internal whistleblowers.


Steam promotes the API Key for website developers to use, although more recently it’s being exploited for API scams and hacks.


This is an example of an API hack/scam in progress. The scammer gained access to the user’s account, reset everything on their profile and wiped everything, including their CSGO Prime, which costs $15 to obtain. The user “Peter” posed as Valve staff to trick the victim into believing they were in trouble, making the messages and account activity look legitimate when in fact an elaborate scam was in progress.


API scams normally happen in the evening or at night because the main Valve HQ in Washington State is closed and cannot be reached, so the scammers/hackers use this opportunity to do the damage unless the user catches on.


How to avoid getting hacked through an API Scam or Hack on Steam


Steam API keys can be a vulnerable entryway for hackers to steal your items.

First and foremost, if you have API Keys activated that you didn’t activate and/or shouldn’t be there, deactivate them immediately!

To secure your account if you have been a victim, or if you are just looking for preventive maintenance, follow the steps below:


1: Scan for malware.

2: Deauthorize all devices.

3: Change your password on a secure device.

4: Generate new backup codes.

5: Revoke the API Key.


What are these API Scammers/Hackers after?


It’s hard to say exactly what hackers are after. Typically, hackers target users for their CSGO skins and additional CSGO content. CSGO has a daily player count of 800,000+. People are getting scammed and hacked daily for their most valuable skins because they hold real-world value: from $50 or $100 all the way up to $1,000+ for some exceptionally rare items.

In the end, it’s probably time that Valve/Steam started deactivating the API Key program to improve account security. While it remains active, it will continue to be a backdoor into anyone’s account.

