Valve introduced Steam Guard back in 2011 -- an additional security measure that aims to protect users whose Steam accounts are compromised. However, a new phishing scam has seen hackers manage to bypass Steam Guard completely.
When you have Steam Guard activated on your Steam account, and you (or someone else) attempt to log in to your account from somewhere other than your regular computer, a code is sent to your email address, and it must be entered before access can be gained.
A new phishing scam, however, asks for a username and password for Steam, and then tells users that they need to download a special SSFN file from their computer. This file is located in your Steam folder, and is in place to tell Steam Guard that it doesn't need to run a security check on your computer.
As noted by Malwarebytes' Chris Boyd, if you upload your SSFN file through the phishing website, the scammer can then potentially use this file, coupled with a username and password, to gain access to a Steam account and claim it as their own.
This is a relatively new scam that Gamasutra has seen in action just in the last couple of weeks. Scammers drain the account of any credit, items and trading cards that are inside, and then move on to another account -- notably, the scammer cannot purchase anything, since they would need to know your card security details.
Valve is aware of the issue, and is warning Steam users not to send their SSFN files to anyone.