Valve defended itself today against the alleged reports of a massive data breach on Steam. The company insisted that none of its systems had been breached and that no account, password, or personal data had been stolen. However, the publisher of Steam Games confirmed that hackers accessed older text messages containing limited information.
A threat actor revealed on a LinkedIn post claimed to be holding over 89 million Steam user records with one-time access codes. The threat actor, who used the aliases Machine1337 or EnergyWeaponsUser, advertised the stolen information, allegedly pulled from Steam, and offered it for $5000.
Valve denies breach following leak of 2FA codes
Independent games journalist MellowOnline1, the creator of the SteamSentinels Community group, suggested that the incident was a supply-chain compromise involving Twilio. He revealed technical evidence in the leak that shows real-time SMS log entries from Twilio’s systems. He believes the abuse compromised the Admin account or API keys.
Twilio, a cloud provider of APIs for sending SMS, voice calls, and 2FA messages used by Steam for user authentication acknowledged the situation and confirmed that it was investigating the incident. A Twilio spokesman said the company takes the matter seriously. He added that it’s reviewing the alleged incident and will provide more information when it becomes available.
A statement from Valve revealed that the company was still digging for the source of the leak. According to Valve, any SMS message is encrypted in transit and routed through multiple providers on its way to the user’s phone.
Valve said all the codes in the hacker’s possession had already expired, and none of the files included any payment details or direct ties with Steam account phone numbers. The data consisted of older text messages containing one-time codes valid for 15 minutes only. Valve stated that it was not a breach of Steam systems.
The Steam Publisher added that no other account information, passwords, payment information, or personal data were in the cache. Twilio reached out later to clarify that there was no evidence suggesting its systems were breached. The company spokesman said Twilio had reviewed a sample of the data found online and could not find any indication that it was obtained from them.
Valve recommends the use of Steam Mobile Authenticator
Steam reminded users to treat SMS codes for changing their Steam email or password with caution. Users will receive these codes via email or Steam’s secure messaging system whenever requesting a password change.
According to Valve, users do not need to change their passwords or phone numbers, but it encourages them to enable Steam Mobile Authenticator for stronger protection. Valve revealed that the Steam Mobile Authenticator tool sends messages directly to the Steam mobile app, avoiding third-party apps.
Valve’s security team is investigating the historical messages found online to determine how they were exposed and prevent future occurrences. Steam users can regularly check their account security via the official link to keep up-to-date with records.
Online communities like Underdark.ai believe the implications to be severe, citing Steam’s role as a game platform and a treasure trove of personal and financial data tied to users worldwide. A LinkedIn post by Underdark.ai revealed the possibility of the breach being verified may result in widespread phishing. The post added that account takeovers and targeted attacks across the gaming community may also surface.
Steam users can protect their accounts by enabling two-factor authentication (2FA). The post continued to urge users to monitor their emails for suspicious activity and change their Steam passwords. As the post revealed, users should be aware of phishing attempts disguised as game promotions or support messages.
Cryptopolitan Academy: Coming Soon - A New Way to Earn Passive Income with DeFi in 2025. Learn More