Millions of Steam accounts leaked? Here’s what to do


As a PC gamer, you might have noticed some alarm circulating online about Steam—headlines reporting that 89 million Steam accounts have been hacked. However, there’s no need for panic.

These reports trace back to a post on a dark web forum in which a supposed hacker claimed to be selling records from millions of Steam accounts, including one-time codes used for two-factor authentication (2FA). That sounds alarming. But when Twilio, the third-party SMS provider the post implied was delivering Steam’s 2FA text messages, was asked for its take, it told BleepingComputer it had found no evidence of a breach or leak of its systems.

Meanwhile, various media outlets have published the original allegation, along with a follow-up from X/Twitter user Mellow_Online1, who stated they were informed by Valve that there is no connection between Steam and “Trillio.” (This seems to be a typo, as Mellow_Online1 later referred to Twilio in a post on X.)

So, what’s the situation? As BleepingComputer points out, the data looks like a leak somewhere in the text message delivery chain rather than at Steam itself, and that is one of three main reasons security professionals caution against receiving 2FA codes via SMS. (The other two? A thief can hijack your phone number, for example through a SIM swap at your carrier, and receive your codes, or the messages can be intercepted and rerouted to another device without your knowledge.) None of this is a flaw in Valve’s systems; it is a known weakness of SMS as a delivery channel, which is exactly why authenticator apps generate codes on the device instead of sending them over the phone network.

Speaking of Valve, the company recently confirmed in a post on the Steam Community that its systems have not been compromised. The leaked data also does not “connect phone numbers to a Steam account, password details, payment information, or other personal data.” Valve advises treating any unexpected account security notification (for instance, a request for a 2FA code or a notice that your account was changed) with skepticism.

While this incident likely isn’t something to fret over, your account may still be at risk for other reasons. Your password is probably weaker than you think: modern GPUs can test billions of candidate passwords per second against a leaked hash, so short or reused passwords fall quickly. You may also not have enabled two-factor authentication yet.

Change your password to something long, random, and unique to Steam, and turn on Steam Guard right away. The preferred way to receive codes is the Steam Mobile App on your phone, since those codes are generated on the device rather than sent by SMS.

If you already use a strong password and Steam Guard, you can still change your password for peace of mind (quick and easy if you use a password manager), and switch to the Steam Mobile App as your 2FA method if you haven’t already.

As you enhance your Steam security, remember to review the list of authorized devices connected to your account as well. Remove any that seem unfamiliar.

You might hesitate to trust claims made in dark web forum posts. However, improving your security is a proactive step you can manage entirely on your own.

The game and software development leader Valve has released an official statement denying recent claims of a significant data breach on Steam, asserting that they have investigated the leaked sample and concluded that it does not represent a breach of the game store’s systems.

In case you missed it, the quick summary is that the PC gaming community has been alarmed over reports that 89 million Steam accounts were compromised in the last couple of days.

Initially reported by Underdark.ai and subsequently amplified by Twitter user Mellow_Online1 and gaming news outlet VG247, the rumor alleged that a hacker named Machine1337 had infiltrated Steam and was offering a dataset of over 89 million user records for $5,000.

It was asserted that internal vendor data from the affected users had been exposed, causing concerns about the safety of bank accounts associated with Steam. Adding to the fear, both Mellow_Online1 and Underdark later claimed that the leaked sample included real-time 2FA SMS logs routed through Twilio, detailing message contents, delivery status, metadata, and routing costs, intensifying the panic.

After the initial flurry of sensational headlines about “89 million Steam accounts being hacked” subsided, the community began to scrutinize the alleged breach and quickly identified several inconsistencies, signaling that the situation had been greatly exaggerated.

Among those providing insight was digital security expert Christopher Kunz, who characterized the breach as a “fart in a puddle,” noting that the leaked data consisted solely of metadata and phone numbers of Steam users, implying that the worst that those affected might face is an uptick in spam calls, while their accounts remain unharmed.

The SteamDB team also weighed in, clarifying that the dataset seems to be SMS delivery logs from a third-party provider. Furthermore, Mellow_Online1 later shared an update indicating that they were contacted by a Valve representative who confirmed that Valve does not utilize Twilio in any capacity.

Valve recently issued “a note regarding the security of your Steam account,” confirming that, after careful investigation, they determined that the leak did not compromise Steam systems.

The leak, according to Valve, consisted of older text messages containing one-time codes that were valid for only 15 minutes, along with the phone numbers they were sent to. More reassuring still, the leaked data does not associate those phone numbers with Steam accounts, passwords, payment details, or any other personal information, so even if your number appears in the leak, it cannot be directly connected to your account.

“Old text messages cannot be used to compromise the security of your Steam account, and whenever a code is utilized to change your Steam email or password via SMS, you will receive a confirmation through email and/or Steam secure messages,” Valve stated. “There’s no need for you to change your passwords or phone numbers due to this incident.”
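Two points on this page rest on how one-time codes behave: an app-generated code never transits the SMS network (the weakness described above), and a code lifted from an old delivery log is worthless once its window has passed (Valve’s 15-minute point). The following is an added illustration, not Valve’s or Steam Guard’s actual code, of the standard RFC 4226/6238 HOTP/TOTP scheme that authenticator apps use. Steam Guard’s real algorithm, secret and code format are not described on this page and are not reproduced here; the 30-second step, one-step skew, 6-digit codes, the demo secret and the “leaked log” entries are all constructed for the example.

```python
import hmac
import hashlib
import struct

# Constructed demo secret for illustration only; a real authenticator enrols a
# random per-account secret and never sends codes over the phone network.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"
STEP = 30    # RFC 6238 default time step in seconds (assumption for this example)
DIGITS = 6   # code length (assumption; Steam Guard's real format differs)
SKEW = 1     # verifier accepts this many steps either side of "now" (assumption)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time. This is the
    client side, i.e. what an authenticator app computes locally on the phone."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Server side. A code is accepted only if it matches a counter inside the
    skew window around the current time AND that counter has not been consumed
    before, which is what makes the code genuinely one-time."""

    def __init__(self, secret: bytes, step: int = STEP, skew: int = SKEW):
        self.secret, self.step, self.skew = secret, step, skew
        self.last_accepted = -1  # highest counter value already used

    def check(self, code: str, now: int) -> bool:
        counter = now // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_accepted:
                continue  # already consumed: reject replay of a fresh code
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_accepted = c
                return True
        return False  # stale, wrong, or outside the window


def replay_leaked_codes(verifier: TotpVerifier, leaked, now: int) -> int:
    """Simulate an attacker replaying codes from a leaked SMS delivery log at
    time `now`. Returns how many the verifier accepts."""
    return sum(1 for _sent_at, code in leaked if verifier.check(code, now))


if __name__ == "__main__":
    t0 = 1_700_000_000
    # Constructed "leaked SMS log": codes sent 15 min, 30 min and 1 h before t0.
    leaked = [(t0 - age, totp(DEMO_SECRET, t0 - age)) for age in (900, 1800, 3600)]
    v = TotpVerifier(DEMO_SECRET)
    print("stale codes accepted on replay:", replay_leaked_codes(v, leaked, t0))
    fresh = totp(DEMO_SECRET, t0)
    print("fresh code accepted once:", v.check(fresh, t0 + 5))
    print("same fresh code replayed:", v.check(fresh, t0 + 10))
```

Running the script shows the stale codes are all rejected, a fresh code is accepted once, and replaying that same code seconds later is refused. The `last_accepted` counter is the detail real deployments sometimes omit; without it a code intercepted in transit (the SMS scenario) is usable until its window closes, which is why the interception risk is about live messages and not about a months-old log.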

Rumors have circulated about a significant data breach affecting nearly 90 million Steam accounts. However, the original source has been debunked, so there is likely nothing to be concerned about.

A post shared by ‘Underdark AI’ on LinkedIn, allegedly sourced from a “well-known dark web forum,” claimed that a hacker had accessed data from over 89 million Steam users. The stolen data was said to consist of usernames and passwords along with private SMS logs containing 2FA codes, message details, and delivery status, all for $5,000. That suspiciously low price raised eyebrows, and comments from IT professionals highlighted that this seemed far-fetched.

Dr. Kunz, a security expert, commented that although the leaked data reportedly included phone numbers and expired one-time codes, it lacked the critical pieces, such as usernames, Steam IDs, or password hashes. In short, the data was cheap because it did not contain what was claimed and had “no other use than for phishing attempts.” Even the original poster cautioned readers against taking the claim at face value.

Still, the initial alarming news spread rapidly, fueled by a Twitter/X user named Mellow_Online1, who initially promoted it as a significant data breach. Mellow_Online1 stated that the data was being sold on a dark web forum, which heightened public anxiety. This information was disseminated through various video game websites before any confirmation of its authenticity, despite the original post’s caution to not accept it as fact.

Steam supposedly became aware of the situation and reached out to the user. Mellow_Online1 shared several updates and clarifications, noting that the data likely did not originate from a direct breach of Steam’s systems, but possibly from a third-party service provider, which was initially thought to be Twilio. This service provider manages communications, including SMS-based 2FA.

Valve reportedly informed Mellow_Online1 that it does not utilize Twilio, contradicting Mellow_Online1’s initial report and the claims about the data’s source. If this response was legitimate, it would further affirm the need to treat this news with skepticism. We have contacted Valve for an official statement and will provide updates once we receive a response.

While this appears to be misinformation, it is still important to keep two-factor authentication enabled on your Steam account. Even if someone obtains your password, you will be notified of login attempts, and access will not be granted without the code that only you receive. That is what lets you stay calm if a real breach ever does occur.

Even if you missed the original post’s debunking, the tweet’s unusually low price of $5,000 for the supposed 89 million accounts and its uncertain source were already indications of potential fraud. We will update this article when we hear back from Valve or if there are further developments.
