CS:GO skin collectors have recently discovered that Steam’s multi-factor authentication (MFA) isn’t enough to protect their accounts from skin thieves. Thanks to a hack found in Apple’s iCloud storage service, skin thieves are cleaning out CS:GO players’ virtual closets.
According to win.gg, pro CS:GO player Paytyn “Junior” Johnson woke up on November 28 to find most of his inventory gone. The hackers were able to bypass Steam’s MFA app, Steam Guard, to get access to Junior’s skins due to a backup option available on iPhones.
any 2FA or Steam Authorization, I'm trying everything I can do possible but if anyone can help that would be greatly appreciated!!
— Paytyn (@1juniorcs) November 27, 2020
How the CS:GO skin hack works
Many iPhone owners use the iCloud storage option to store photos, contacts, email attachments, etc. It’s also possible to keep complete iPhone backups on the cloud, which includes apps and settings. If a CS:GO player backs up their iPhone settings to the cloud, this will include both the Steam and Steam Guard apps. Backing up Steam and Steam Guard also backs up usernames and passwords.
All the hacker has to do, then, is break into iCloud storage, copy the data, and break into the hapless user’s Steam account. Even if the iPhone owner has MFA enabled, the hacker can simply use one of the many MFA desktop apps available to gain access.
From there, it’s a simple matter of transferring the skins to another account.
Junior did not lose access to his account, but he did immediately change his password and MFA options. So far, he has not been able to get his skins back, and Valve hasn’t publicly commented on the matter. However, in the past when similar hacks occurred, Valve restored the player’s skins.
Much love & appreciation for the quick recovery @CSGO. Stole thousands of dollars of skins without trade ban & I have no idea how. Hats off for the hacker, dedicated your life for these things…got what you want. Seems like @CSGO got it all under control though ❤️
— Jake (@Stewie) September 5, 2019
Tips to prevent iPhone Steam hacks
Even though these hackers were able to bypass Steam’s MFA app, it’s still highly recommended to enable multi-factor authentication for Steam, and, well, any other logins you want to protect. Instead of using iCloud storage for your apps and phone settings, back your phone up onto a local device, such as your PC.