Hello.
Sadly my main mail account got stolen from me so I had to recover a lot of accounts on bunch of sites to make sure they have my new adress and don’t send any info to the hijackers.
When I tried to do the same here, it DID NOT change my email and send a verification mail to my HIJACKED mail adress, notifying the hijackers about my new mail.
I really do not know what to do right now and might have to change my adress once more because of that, as well as having to go through changing my mail adress on all the other resources as well.
Also now having knowledge of my chrono.gg account they might try to get the Steam keys I got from here and hijack my Steam using them as a proof for the “account recovery”.
This is a major security issue!
With my Chrono.gg account still linked to the hijacked mail it is unlikely I will continue to use the site, as it will be sending the hackers more info about me.
Your situation clearly sucks, but I don‘t think someone can gain access to your Steam account by having used keys.
I once had a physical copy of Half-Life 1 and someone bruteforced the key. I provided pictures of it and everything but they wouldn‘t remove the game from whoever got my key.
So trust me when I say that Steam‘s support won‘t do shit based on keys.
We had a discussion on that very topic not long ago and I believe it was strongly claimed that in case of an account ownership dispute providing keys registered to the account would indeed help proving your right to the account.
So while the key can’t directly be used to hijack an account, if they do manage to start a dispute for it then this will make things all that much harder for Sinael.
As for what can be done here, I do not know. If @lonin can verify who should have access to this particular chrono account in some manner and help sort that out that’d be great. But changing the email on someone’s says so would also be a security issue as OP here could, as far as I can tell, just as easily be the attempted hijacker. But I’m sure more information is available on the chrono side of things and I hope they can figure something out.
this seem to be pretty commonplace, as a tool to just avoid insta hacked acc swap, say if they got into your steam account straight they couldn’t just change your email to something new without you being informed/sending notification to the original email to make sure it’s “really you” that make the change
but when it’s then your email that’s compromised it ofc sorta complicates matter that way
i’d obviously suggesting trying strongly to get your email back to block this
and if it’s needed maybe email chrono at help@chrono.gg maybe @lonin or @Ernin8t0r can help out, maybe they can fix the email issue, or “delete”/move your account to a fresh that doesn’t notify the trespassers, or “something” (i have no clue), -and hopefully you get your email back and get it secured
That’s a bummer, never fun to have to deal with these situations. I do have to disagree as it would be a major security issue if sites allowed people to change email addresses linked to the account without a verification email sent to the original address. It would be too easy for people to steal the accounts that way. I strongly recommend that you start doing 2 factor authentication on all your important accounts, especially your email account. Also write down all backup codes and keep those in a fireproof safe, offsite would be best but that is probably impractical for most people chances of you ever losing an account this way are pretty slim.
I can understand that too though; imagine someone buys a hard copy of the game and sells the key online, and then they contact Steam support to say someone apparently “stole” their key somehow (copied it or ‘bruteforced’ it as u put it) so that the game gets activated on their account and the buyer gets locked out of the game…
Gnuffi
I know that changing mail willy-nilly is not allowed and no site allows to do that…
And that’s why they ask for a password confirmation before doing so!
As I said before, I already changed my mail on more than a dozen sites (including Steam itself) and none of them sent anything to my hijacked mail, only asking for the confirmation of my old password and in case of some my security questions.
DownwardConcept
Steam recovery system accepts digital keys as proof of purchase. If you have several keys to the games that the account owns, you can claim that it’s yours and Steam is very likely to favour your claim as genuine.
Gnuffi
The mail host I used (which is pretty popular where I live so I used it without care) was found by me to be not very good at keeping accounts secure - it had two-factor authentication, but for whatever reason it was found that through some specific steps one could bypass the phone check completely and thus reset the password and enter their own.
Fraggles
I’ve been accessing my Chrono.gg account only from 3 places/devices (home, phone and workplace), all in the same city - any access from “irregular” point/machine or another country for that matter would be not mine. I hope this can help, since Chrono.gg does not seem to implement any security questions or other forms of additional authentification.
As was said above - additional verification is fine, but not when sending mail back to initial adress is the ONLY way of confirmation - there should be something else added to the security.
Since all the keys I claim at this point on this site will be sent to my hijacked email, using Chrono.gg in any manner puts my Steam account at heavy risk of being claimed by the hijacker via key ownership.
I’ve already sent an email to help@chrono.gg and my request was accepted, so we’ll see what happens next.
But why would anyone do that? Does the key become usable again? I removed games from my account before, I never heard of the keys being usable after that. Other than just pure annoyance there‘s not really a logical reason?
Steam‘s concern back then was that I wasn‘t the original owner of the copy and because I couldn‘t provide the receipt for a game I bought a decade ago they didn‘t do shit.
to get the game activated on their own account and deactivated from the buyer’s account and keep the money from the sale
some ppl are just “bad hombres” dude, rofl
Why were ppl getting emails from 3579 different Nigerian princes back in the day…
and why am i getting 10 spam mails a day telling me that i won 500,000$ because my email got selected randomly (by Yahoo and Microsoft of all places! rofl, nice cooperation between Yahoo and Microsoft) and all they need to wire the money is my personal info…
dude, yr absolutely right, so here’s the thing; yr such a nice guy that i’m gonna give u the 500k ok? so pls, just fill in this info so i can forward it to them:
Personal Information
1Full Name…
2Country…
3Contact Address…
4Telephone Number…
5Marital Status…
6Occupation…
7Age…
8Sex…
9Provide another email of yours…
they’ve also sent me mails where they tell me to “open the attachments” to claim my winnings, hahaha
[u rly have to be very careful in today’s world man, i normally never had to deal with such mails and stuff cuz i’m quite conservative when it comes to sharing my mail and stuff, but ever since I’ve started looking for a job online it’s just hellish; i’m even getting fake job offers and shit, and whenever a company (or what seems to be a company) does contact me i have to spend time googling that shit first cuz it’s just so frikkin dangerous giving info or receiving attachments, which are both also necessary when u deal with companies online ofc]
Well, my perspective was that the game would be removed, without reimbursement, so yeah, I’m aware of “bad hombres”. If that works the way you described it, then I get it.
(i have no clue), -and hopefully you get your email back and get it secured 
chances of you ever losing an account this way are pretty slim.
