
Update: Nah it sounds like it’s fine actually. Here’s a statement we received from Valve:
Yesterday we were made aware of reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems.
We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.
The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.
From a Steam perspective, customers do not need to change their passwords or phone numbers as a result of this event.
Original article continues below.
Details from 89 million Steam accounts have reportedly gone up for sale on the dark web. Since RPS’s dedicated tech team have just informed me that the dark web is not the thing you get when you click ‘incognito tab’ and is actually potentially much scarier than that, you might want to consider changing your password. Or maybe not. As I say, it’s all alleged at this point.
The news comes from a LinkedIn post by user Underdark.AI, listed as a “Computer and Network Security” page, as reported on by our network chums at VG247. From the post:
Today, a threat actor going by Machine1337 posted on a well-known dark web forum claiming to have breached Steam, offering a dataset of over 89 million user records for $5,000. The post includes:
- A Telegram contact for purchase
- A link to sample data hosted on Gofile
- Mentions of internal vendor data, indicating deeper access
They later updated the post with the following:
Following our initial post on the claimed Steam data breach (89M+ users), new evidence confirms that a leaked sample contains real-time 2FA SMS logs routed via Twilio.
The data includes message contents, delivery status, metadata, and routing costs — suggesting backend access to a vendor dashboard or API, not Steam directly.
This reinforces a supply chain compromise, putting user security at risk via phishing or session hijacking.
X user Mellow_Online, who shared the news on that platform, says that they were contacted by a Valve representative who “stated that they do not use Trillio [sic], the data protection company mentioned in the LinkedIn post”.
Data security is very far out of my wheelhouse – I still think it’s funny to say “I’m in” in a hacker voice whenever a website loads after being slow for a bit – so I’m not going to add additional comment (though I have asked Valve for one). Do with this information what you will!