If you’re one of the millions using Steam, the world’s largest digital gaming platform, this might be the right time to update your password and review your account security.
Reports have surfaced suggesting that 89 million Steam account records may have been compromised and are allegedly being sold on the dark web. The potential breach, if proven true, could mean a serious risk for users—especially those who have not enabled two-factor authentication (2FA) or use weak passwords.
The alarm was first raised on social media by @Mellow_Online1, who shared that around two-thirds of all Steam accounts might have been exposed in a massive data leak. According to his posts, the stolen data is being sold on the dark web forum Mipped for just $5 (approximately 111,000 Czech Koruna).
The hacker, using the alias Machine1337, claimed responsibility for the breach. A cybersecurity firm called Underdark confirmed the report through a post on LinkedIn, which stated that the threat actor was offering a dataset of over 89 million user records for $5,000 on a well-known hacking forum.
The hacker’s dark web listing reportedly included a Telegram contact, a sample of the stolen data, and even internal vendor information, hinting that the attacker might have gained deeper access to systems connected to Steam.
Initially, it was suspected that the breach may have come through Twilio, a third-party communication service provider known for sending 2FA codes via SMS. Mellow_Online1 suggested that Steam might have used Twilio’s services in the past, leading to this possible data leak. However, when he reached out to Valve, the parent company of Steam, they denied ever using Twilio.
Later, BleepingComputer reviewed a set of 3,000 leaked files, which included historic SMS messages containing one-time passcodes (OTPs) used for Steam logins. These messages also included recipients’ phone numbers, raising alarms about potential misuse of user data.
However, Valve responded with a public statement on Wednesday, clarifying that the incident was not a breach of Steam’s internal systems. According to Valve, the leaked information consisted of older one-time codes, valid only for 15 minutes, and could not be linked to specific Steam accounts or passwords. They emphasized that no payment data, personal information, or passwords were included in the leaked set.
Valve explained, “The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.”
Valve also mentioned that they are still investigating the source of the leak, though they reiterated that users do not need to change their password or phone number. Still, they strongly recommend using the Steam Mobile Authenticator, known as Steam Guard, for added security.
Twilio also issued a statement, saying: “There is no evidence to suggest that Twilio was breached.” They added, “We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio.”
Despite these reassurances, cybersecurity experts warn that the presence of two-factor codes, metadata, delivery statuses, and recipient numbers suggests that hackers may have had direct access to Twilio’s systems, possibly through hacked user accounts, compromised API keys, or even internal backend access.
Until more is known, Steam users are urged to take preventive steps:
- Change their current Steam password
- Enable two-factor authentication (Steam Guard)
- Check their email and Steam messages for suspicious activity
- Avoid clicking on unknown links or phishing attempts that mimic Steam communication
Whether or not the breach is as deep as claimed, Steam’s vast global user base is on alert. With gaming libraries worth thousands of dollars potentially at stake, this incident underscores the importance of digital security in online platforms.