How did people get low digits steam Id for sale?
Have you ever wondered why some people have so many low digit steam Ids to sell on Reddit, mpgh, scythe etc. ??? I had that question a few years back but no one was willing to share since they were making a lot of money out of them, the price for each 5 digits account (14 years old) was about 10-15$.
1. Un-used emails will be available to re-register again after 3-5 years.
To start off, I contacted a few sellers to learn about the patterns of all accounts. Interestingly, most of the account's usernames are ending with an email extension, and the prefix is very random. I.e: cropite12@hotmail.com, arpitenoe@yahoo.com etc. Knowing the username pattern, I dug up some policies and terms of use for both Hotmail and Yahoo. What I found out was that un-used emails will become available to the public after 3-5 years.
I spent a few more hours just to learn that steam used user's email address as their username in the past. The policy changed after 2008 (I believe) to replace username with the actual "username".
2. Forgetting the password
I wonder what will happen if I request for a new password if I put in the email address on one of the accounts I purchased for testing. It works, I do get the link in the email that allows me to change the password of the current account.
Clearly, the idea is to find some old email addresses that are associated with the old steam accounts, re-register that email with the host, and make a "forget password request". I will be able to take the ownership of that old steam account without knowing the previous owner's information.
3. Scraping using the Steam resources API
The question is: how can I find an email address that is associated with the old steam account? In order word, how can I find an email address that can be used as a steam username?
First thing comes to mind, brute-forcing. You can write a script that keeps sending a random email address and random password to steam login. The response is either "account does not exist" or "password is not correct". Unfortunately, you will be blocked after 3 failed attempts.
I read through the Steam API Docs trying to find some endpoints that I can take advantage of. Lucky enough, I found this endpoint that returns the user's information based on the given steam id:
http://api.steampowered.com/ISteamUser/GetPlayerSummaries/v0002/
By sending a request to that endpoint using your API Key and SteamId, you will retrieve a lot of useful information.
{ "response": { "players": [ { "steamid": "<steamid>", "communityvisibilitystate": 3, "personaname": "<name>", "lastlogoff": 1257811501, "profileurl": "http://steamcommunity.com/profiles/<steamid>/", "avatar": "https://steamcdn-a.akamaihd.net/steamcommunity/public/images/avatars/fe/<avatar>.jpg", "avatarmedium": "https://steamcdn-a.akamaihd.net/steamcommunity/public/images/avatars/fe/<avatar>.jpg", "avatarfull": "https://steamcdn-a.akamaihd.net/steamcommunity/public/images/avatars/fe/<avatar>.jpg", "personastate": 0, "primaryclanid": "<clanid>", "timecreated": 1063365000, "personastateflags": 0 } ] } }
I'm not going into technical details how to register for a Dev key or how retrieve a json response from an API call. So yeah, I will leave that to you to determine what fields are useful. It's a good idea to check multiple fields at the same time. I.e: account that has steamid as an email address, who did not setup the profile and also logged in a few years back :)
4. Conclusion
I wrote some codes, but they are outdated and there would be no use at all since all of the accounts were mined out already. So feel free to try the above method out, and let me know if you have any questions.
Comments