Unfortunately the CS:GO community has to deal with many scam and phishing attempts. To make sure your account is protected you can check if there’s an active API key for your account (explanation about what this is below) by visiting this link: https://steamcommunity.com/dev/apikey
Next to the domain name is a text field that should be blank, waiting for you to fill it in. In this case, your account should be safe.
If the field is not empty, and it was not you who created it - this means that someone has created an API key for your account and has remote access to it. Click on “Revoke My Steam Web API Key” to erase the remote access. Please then visit this link https://store.steampowered.com/twofactor/manage and click on "Deauthorize all other devices". This will log you out of all devices, except the one you clicked on the button with. Then, please also change your steam and email passwords, as there is a high probability that these have been compromised as well.
What is an API key?
It’s a key created for your account, enabling outside programs to act on a steam accounts behalf. This is how trade bots are created.
How does the scam work?
Scammers can gain access to your steam account in many ways, usually from a phishing site pretending to be steam friendly or sending you on a fake “connect with steam” link, then saving the username and password that you fill in. This can also be from a malicious browser extension.
Although they have access to your steam account, they don’t have access to your mobile authenticator, so they can’t just send themselves a trade, this is why they create an API key for your account. They use this key to connect your account to their program and then all they have to do is wait for you to make a trade. When you deposit an item to a skin marketplace, the site will send you a trade offer. The scammers program will automatically decline this trade on your behalf and immediately send you a different trade from the scammers bot, made to look exactly like the bot you were going to trade with. If this trade is authenticated on your mobile, the item is sent to the fake bot and the unsuspecting user has been scammed.
In addition to the above, please check you do not have an SDA (Steam desktop authenticator) to further reduce chance of a breach.
How can you protect yourself from being scammed?
Lootbear takes great care to explain safe trading to its users. Before every return you will see a window explaining everything that’s written above:
Please follow the instructions and be sure there is no API key created for your account.
After you do this, Lootbear will give you the creation date of the bot you are about to trade with in a window that looks like this:
Please copy the creation date into the test field to show that you understand. Then, please do be sure to check the creation date of the bot you are about to trade with ON THE MOBILE AUTHENTICATOR. The creation date appearing in your browser may be irrelevant by the time you go on your mobile, it is only the date appearing on mobile that 100% belongs to the bot your'e about to trade with. If it matches the one given to you before the trade you should be able to accept the trade safely.
If it does not, please decline the trade, then go to the link provided earlier to check if there's an API key for your account and change your password on steam and email.
LOOTBEAR BOTS DO NOT HAVE AN EMPTY INVENTORY. Bots with an empty inventory are a red flag.
LOOTBEAR BOTS WILL NOT SEND TRADES REQUESTING SPECIFIC ITEMS BACK. We will only send a trade when it is requested by you, from the site.
Please do not hesitate to contact support for additional information, or if you feel your steam account has been compromised.