The PC gaming world got a scare when reports surfaced about a potential data breach affecting Steam, but Valve quickly stepped in to clear the air. Initial claims suggested 89 million Steam user records were up for sale on the dark web for $5,000, sparking concerns about account security.
Here’s what actually happened: Some old SMS text messages containing expired one-time login codes leaked, along with the phone numbers they were sent to. But here’s the crucial part – these codes can’t be used to access any accounts since they expired within 15 minutes of being sent. Plus, the leaked data doesn’t connect phone numbers to specific Steam accounts, passwords, or payment details.
Valve’s investigation revealed no breach of Steam’s core systems occurred. The company explicitly stated they don’t use Twilio for authentication services, contrary to early speculation. The source of the SMS logs likely stems from a third-party service provider in the message delivery chain.
For Steam’s 120 million monthly active users, this means their accounts remain secure. However, basic security practices still matter:Use Steam Guard Mobile Authenticator instead of SMS codes
Similar Posts
MellolwOnline1, an independent games journalist who tracks Steam fraud, initially suggested Twilio might be involved. However, Twilio examined the data samples and stated: “There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio.”
• Watch out for suspicious messages
• claiming to be from Steam
• Keep strong, unique passwords for your account
• Check your account regularly for unusual activity
The incident puts focus on SMS-based authentication’s vulnerabilities compared to app-based options like Steam Guard. While the leaked data poses minimal direct risk to Steam accounts, users should stay alert to potential phishing attempts that might misuse the exposed phone numbers.
For perspective: Steam serves over 120 million monthly active users, making it the largest PC gaming platform globally.
Bleeping Computer’s investigation found some of the leaked messages dated to early March, but could not verify the original claims made by the threat actor known as Machine1337 (also called EnergyWeaponsUser).
This case shows how initial reports of data breaches need careful verification before causing widespread concern. While the situation proved less severe than first thought, it reinforces the importance of account security measures.
