Steam account hacked - advice need

[Yoko]

Okay so I woke up this morning and noticed two emails from steam, the first an account verification email and the second confirmation that I had changed my login via an IP address in Kazakhstan

My account name has been changed and all my friends deleted and my profile pic replaced!

My account was setup with two stage verification via email and the only thing this pc is used for is Steam so I am unsure as to how they managed to do this (my email also requires two stage verification including by telephone or SMS)
I haven't accepted any friend requests or clicked any links nor do I access emails on this particular PC

I have managed to recover my account on a different PC (worried my pc is compromised but AV scan is clean) I've changed my email passwords, steam password and setup steamguard via mobile app

Is there anything else I should do???
Luckily I do not have any cards connected with my steam account so I am not out of pocket

 

[Yoko]

Which Steam games do you play? If you play CSGO I hope you don't dabble in the 'skins' business. A lot of fake skin sites floating about.

I only really play Total War games on steam and some 1990's oldies like Xcom and Colonisation

Do you use the same email address for everything?

I use my main email address for lots of different things but none have the same password as the email account or steam

This.

If your 2SV codes are sent to your email, that would have been the only way to have access to your Steam account.

I would use another machine to reset all passwords, and also revoke all existing pickup codes - (assuming you're using Gmail - these are fixed one-time codes that can be used to gain access).

No idea what pickup codes are and don't use gmail

Do you use Steamguard?

Yes but have now opted for mobile verification as opposed to email and have adopted the smartphone app for account access verification

I can only assume they gained access to my email account somehow as Gimpymoo said

 

[Yoko]

Maybe they're intercepting your text messages as both Steam and email were protected via SMS? Change to Google Authenticator or something for as many sites as you can - Gmail, Amazon, Microsoft, Ubisoft, EA, even OcUK can use it.

Sorry, to be clear I only added phone protection today, previously any changes were by verification via a second email account

Interestingly, I now have the email address of the suspected culprit, as used on my account, and it is linked to a specific individuals Russian language Facebook type account in Kazakhstan with pictures
I will pass details onto Steam but doubt they will do anything