
How to Recover a Hacked Steam Account

A hacked Steam account usually breaks in three places: sign-in, inventory, and the device that let the attacker stay in. Fix them in that order so you do not lose time in the wrong menu.

If the same password, inbox, or browser profile was hit on other services, treat it as account takeover, not a Steam-only incident. That changes the cleanup order and tells you where the weak link is.

| What you see | What it usually means | Best next move |
| --- | --- | --- |
| You can still sign in and the email inbox is yours | The attacker may still have a session, but your reset channel is intact | Change the Steam password, review account security, and cut off unknown access |
| You cannot sign in, but you still control the email or phone | The account was locked down, but not fully cut off from recovery | Use Steam's account security flow and choose the stolen or hijacked path |
| Items, trade offers, or market listings changed | The attacker has moved from access theft to inventory abuse | Document the trade trail, then use the trading support flow |
| Passwords keep changing but the account gets hit again | Your device or browser is still carrying the attacker back in | Assume session hijacking or infostealer malware and clean the machine |

Key idea: Steam recovery gets easier when the email inbox is clean. If the reset channel is compromised, every other fix is weaker.

First 10 minutes

Use a trusted device and work from the account that can still control recovery. The priority is to stop the attacker from keeping a foothold while you gather proof.

  • Secure the email account tied to Steam first. Change the password, enable two-factor authentication, and remove any forwarding rules or mailbox filters you do not recognize.
  • If you can still sign in to Steam, change the Steam password immediately and do it from a clean browser or device.
  • Review recent Steam messages, trade offers, and market activity before you make any more changes.
  • Write down the time you first noticed the compromise, what changed, and what still looks normal. That timeline helps when you contact support.

If you only do one thing: secure the email inbox tied to Steam before you chase trades, chat messages, or profile changes.

Recover sign-in access

Start at Steam Support's Account Security flow. The official support page surfaces the paths for a stolen or hijacked account, Steam Guard phone number changes, Steam Guard Mobile Authenticator issues, and account detail updates.

If you still control the email or phone

Work through the official account security options and use the channel that still belongs to you. If the attacker changed your Steam email address or phone number, do not keep guessing in the client. Use the support flow and provide ownership evidence through Steam's forms, not through email threads or random chats.

Once you are back in, review the account details that can be abused for repeat takeover: email, phone, and any payment or country data that no longer matches your real setup. Keep the changes minimal and deliberate until the incident is contained.

If you lost the email inbox too

If the inbox that controls Steam is gone, recovery gets slower, but the support path is still the right one. Use the official form and give the strongest ownership evidence you can still verify: old purchase receipts, payment details tied to the account, the original email address if you remember it, and any device history that proves the account belonged to you before the compromise.

Do not spread the case across multiple browsers or devices. That usually adds noise and does not improve the proof Steam Support sees.

What ownership proof usually helps

Use only the evidence the form asks for. Purchase receipts, payment details tied to the account, the original email address, and the approximate date the account changed hands are usually more useful than long explanations. Keep the packet factual so the strongest proof is easy to find.

If you reused the same password on other sites, fix those accounts too. That pattern usually means Steam was not the only login at risk.

If Steam Guard moved or disappeared

The official two-factor management page is the right place to review Steam Guard state after recovery: Steam Guard management. If the phone was replaced, the device was wiped, or the authenticator was moved without your permission, do not trust the current setup until you have confirmed the active recovery path.

Inventory and trade triage

Steam account theft often becomes inventory theft fast. The attacker may drain items, place fraudulent listings, or use your account to bait friends into fake trade offers. The right move is to preserve the trail before it changes again.

Steam's Trading support wizard exposes the exact paths you need: trade history, trade offers, missing or stolen items, scam reporting, and trading policy guidance. Open Steam Support's Trading wizard and choose the path that matches what changed first.

  • Capture the trade history, active offers, and any market listings that did not come from you.
  • Record item names, timestamps, profile URLs, and anything visible in the trade trail. If an item is gone, note when you last saw it.
  • Save screenshots of suspicious messages, fake support claims, or links sent from your account to other people.
  • Tell close contacts not to accept trades or click links from your account until the incident is closed.

Common mistake: users keep trading, chatting, or restarting Steam from the same browser while they try to document the incident. That can destroy the trail and keep the attacker session alive.

If a trade already completed, do not assume the item story is over. Document the full sequence first, then route it through the Trading wizard. The shorter the gap between the theft and the support ticket, the easier it is to show what happened and what changed.

Build an evidence packet

Keep the packet simple and factual. Support usually needs a clean timeline more than a long explanation.

  • Approximate time you noticed the compromise
  • Account email before and after the incident if it changed
  • Recent trade history and active offers
  • Market listings or purchases you did not create
  • Friend messages, profile changes, or community posts made by the attacker

What to save before the trail changes again

Capture the strongest identifiers first: trade URL, item names, timestamps, wallet or market activity, profile links, and any chat transcript that shows the scam bait. If a friend account was used to lure you into the trade, note that too.

A clean packet beats a long story. Support can work faster when the account history and the item trail are visible in the same place.

If the incident has spread beyond Steam, use "Been hacked? What to do first" to keep the broader response in order. If you need a quick check on whether the pattern matches a real compromise, use "How to check if you've been hacked".

Remove API and automation access

Steam Web API access can keep trade automation alive even after you change the password. Open Steam's API key page and revoke any key you do not recognize or no longer need.

This matters if you used bots, marketplace helpers, Discord integrations, or scripts that connect to Steam on your behalf. If an attacker got the key, they may not need your password to keep working through the account.

  • Revoke API access you did not create yourself.
  • Disconnect trading bots, marketplace tools, and community integrations until the account is stable.
  • Recheck any app or service that asked you to paste a Steam session token, cookie, or key.

Rule of thumb: if you never intentionally set up an API key or trading bot, treat it as suspicious until you prove otherwise.

When to resume trading

Do not restart trading until the email inbox is clean, the Steam password is changed, Steam Guard is verified, API access is revoked, and the device no longer leaks sessions. If one of those controls is still uncertain, wait. Reopening trade flow too early gives the attacker another path back in.

Treat the PC or browser as compromised when the pattern repeats

If another account is hit right after Steam, or password changes do not stick, the device is probably part of the incident. That points to infostealer malware, browser session theft, or a profile that still has active tokens.

Clean from a trusted device first, then come back to the infected machine only after you have control of the account path. On the affected PC or browser, remove unknown extensions, sign out of browser sync, clear saved passwords you do not trust, and run a reputable malware scan. If symptoms keep coming back, a full reinstall is often safer than trying to guess which process is still active.

  • Update the operating system and browser before you sign back in anywhere.
  • Remove extensions or apps you did not intentionally install.
  • Check whether password managers, browser profiles, or sync services are restoring old tokens.
  • Do not reuse the same device for final recovery if the machine still looks dirty.
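One way to inventory browser extensions before removing the ones you do not recognize, as an added example that is not part of the original article. It assumes a Chromium-family browser that stores extensions under `Extensions/<id>/<version>/manifest.json` inside the profile folder; the function name, the profile path you pass in, and the set of grants treated as broad are choices made for this example.

```python
import json
import sys
from pathlib import Path

# Grants that allow reading pages or session cookies on any site (list chosen for this example).
# A broad grant is a reason to review the extension, not proof that it is malicious.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*", "cookies", "webRequest"}
GRANT_KEYS = ("permissions", "optional_permissions", "host_permissions")


def inventory_extensions(profile_dir):
    """List every extension version found in a Chromium-style profile directory.

    Assumed layout: <profile>/Extensions/<extension id>/<version>/manifest.json
    """
    records = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return records
    for path in sorted(ext_root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            manifest = None  # unreadable or malformed: still reported below
        if not isinstance(manifest, dict):
            manifest = {}
        grants = set()
        for key in GRANT_KEYS:
            value = manifest.get(key)
            if isinstance(value, list):
                grants.update(g for g in value if isinstance(g, str))
        records.append({
            "id": path.parent.parent.name,
            "version": path.parent.name,
            # Names like "__MSG_appName__" are localisation keys, not a sign of tampering.
            "name": manifest.get("name", "(manifest not readable)"),
            "broad": sorted(grants & BROAD),
            "parsed": bool(manifest),
        })
    return records


if __name__ == "__main__":
    # Usage: python inventory.py "<path to the browser profile folder>"
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rec in inventory_extensions(target):
        flag = "REVIEW" if rec["broad"] or not rec["parsed"] else "ok"
        print(f'{flag:6} {rec["id"]} {rec["version"]} {rec["name"]} {rec["broad"]}')
```

Run it against each profile folder on the machine and compare the output with the extensions you remember installing; anything marked REVIEW that you cannot account for is a candidate for removal.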

Watch browser sync carefully

If the same browser profile syncs across machines, a clean password on one computer can be overwritten by stale tokens from another. Sign out of browser sync and review saved credentials only after you know which profile was touched.

That cleanup step is what stops the next round of compromise. Without it, you are often just rotating passwords while the same attacker keeps the session path open.

If you see the same signs across Steam, email, and other services, treat the case as a broader compromise and not a one-off login issue. The safer baseline is to assume the reset channel, the session path, and the device all need attention before you trust the account again.

Check payment-linked accounts

If Steam used a payment method you still control, review that account too. Attackers sometimes use the same inbox or browser profile to reach payment confirmations, which can make a Steam incident look smaller than it is. Secure the payment account before you assume the compromise is isolated.

Once the email inbox is clean, the Steam password is new, Steam Guard is verified, API access is removed, and the device no longer leaks sessions, the account stops being a useful target. That is the real end state, not just getting back into the client.

When the next warning arrives, the question is not whether Steam can be opened. The question is which control failed first, because that is the part that decides whether the next incident is a repeat or a dead end.