Steam users were recently at the center of a cybersecurity panic after rumors started circulating about a massive data leak of more than 89 million user accounts. But before you whip out your password reset tool and freak out about your data being out on the dark web, here’s the straight scoop on what went down—and why Valve says that no one needs to panic.
The Claim: 89 Million Records on the Block?
The narrative picked up steam when cyber threat intelligence company Underdark.ai published on LinkedIn a report on a purported “Massive Alleged Steam Data Breach.” Based on their article, a hacker who went by the handles “Machine1337” and “EnergyWeaponsUser” threatened to sell a database of more than 89 million records for $5,000 on a dark web board.
The leak was said to contain phone numbers and one-time passcodes, triggering alarm among users who use SMS-based two-factor authentication (2FA) to protect their accounts.
Twilio’s Name Enters the Chat
Some security watchers were quick to speculate that the hack could have involved Twilio, an SMS and authentication service provider used by big tech players—including, possibly, Steam.
Independent reporter @MellowOnline1 had speculated that the information may have come from compromised Twilio API keys or an admin login. But Twilio quickly responded to BleepingComputer:
“There is no indication to imply that Twilio was compromised. We have examined a sample of the data available on the Internet and find no evidence that this data was harvested from Twilio.”
Valve Responds: “Not a Steam Breach”
Valve, the parent company of Steam, also chimed in—and their take was clear: Steam’s infrastructure was not breached.
In a statement, Valve clarified that the leaked sample consisted of outdated SMS messages containing one-time codes, each valid for only 15 minutes, along with the phone numbers to which they were sent. Most importantly, Valve reported that the information didn’t include passwords, payment details, or anything that could directly associate the numbers with individual Steam accounts.
“We took a look at the leak sample and have concluded this was NOT a Steam systems breach,” Valve stated.
“The leaked information did not link the phone numbers with a Steam account, password data, payment data, or other personal information.”
Valve also pointed out a key weakness of SMS-based authentication: messages are unencrypted and travel through multiple service providers before reaching your phone, making it difficult to pinpoint the exact source of a leak.
So—Was Anything Exposed?
Not very much, it appears. The stolen files, examined by BleepingComputer, included approximately 3,000 historic one-time Steam passcodes and the associated phone numbers. Since those codes were temporary and long expired, they’re now worthless to attackers.
Nevertheless, the leak highlights the well-documented pitfalls of SMS-based 2FA. Though easy to use, it’s considerably less secure than app-based authentication, which is encrypted and not open to interception in the same way.
What Should Steam Users Do?
Users don’t need to change their phone numbers or passwords, Valve says. That being said, it’s always a good idea to proactively protect your account. Here’s what you can do:
- Turn on Steam Guard Mobile Authenticator: This 2FA system, based on an app, is safer than SMS.
- Use strong, new passwords for your Steam and email accounts.
- Be wary of phishing, particularly by SMS or email.
- Use a password manager to create and store secure credentials.
Valve repeated:
“From a Steam point of view, customers don’t have to change their passwords or phone numbers because of this incident.”
The Takeaway
While the headlines were ominous, the truth is far less catastrophic. No breach of Steam’s systems has been detected, and leaked information seems to be limited to outdated, expired SMS passcodes with no connection to users’ actual accounts.
Nevertheless, this is a reminder of why app-based authentication methods are the new gold standard—and why vigilance is always worth the effort.
Valve’s investigation is still ongoing, and more might be revealed. But for the time being, Steam users can take comfort in knowing this scare wasn’t the result of a breach of the service itself.