A sigh of relief for gamers without two-factor authentication.
Game and software development giant Valve has issued an official statement refuting recent reports of a massive data breach on Steam, stating that they have examined the leaked sample and determined it was not a breach of the video game store's systems.
In case you've been living under a rock, the TL;DR is that over the past couple of days, the PC gaming community has been shaken by widespread reports claiming that 89 million Steam accounts were allegedly hacked.
First reported by Underdark.ai and later amplified by Twitter user Mellow_Online1 and gaming news outlet VG247, the rumor alleged that a hacker known as Machine1337 had breached Steam and was selling a dataset of over 89 million user records for $5,000.
It was claimed that internal vendor data of affected users had been compromised, raising fears about the security of bank accounts linked to Steam. Adding to the alarm, both Mellow_Online1 and Underdark later said that the leaked sample featured real-time 2FA SMS logs routed via Twilio, including message contents, delivery status, metadata, and routing costs, further fueling the panic.
Once the initial wave of sensational headlines about "89 million Steam accounts being stolen" died down, the community began analyzing the alleged breach and quickly uncovered multiple inconsistencies, suggesting that the entire kerfuffle was completely blown out of proportion.
Among those weighing in was digital security expert Christopher Kunz, who described the breach as a "fart in a puddle," noting that the leaked data contained only metadata and phone numbers of Steam users, meaning the worst those affected might expect is an increase in spam calls, but their accounts remain safe.
The SteamDB team also chimed in, clarifying that the dataset appears to be SMS delivery logs from a third-party provider. Furthermore, Mellow_Online1 later provided an update, stating that they were contacted by a Valve representative who confirmed that Valve does not use Twilio at all.
Putting a big, fat dot in all the commotion, Valve itself shared " a note about the security of your Steam account," stating that after thorough examination, they can confirm that the leak did not breach Steam systems.
According to Valve, the leak contained older text messages with one-time codes that were only valid for 15-minute windows, along with the phone numbers they were sent to. Even more reassuring, the leaked data did not link those phone numbers to Steam accounts, passwords, payment information, or any other personal data – meaning that even if your number is on the list, there's no way to tie it directly to you.
"Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages," Valve wrote. "You do not need to change your passwords or phone numbers as a result of this event."
Describing the ordeal as a good reminder to treat any unsolicited account security messages with suspicion, the studio also recommended enabling two-factor authentication through the Steam Mobile Authenticator and regularly reviewing your Steam account security, which can be done by clicking this link.
Read Valve's full statement here and don't forget to join our 80 Level Talent platform and our new Discord server, follow us on Instagram, Twitter, LinkedIn, Telegram, TikTok, and Threads, where we share breakdowns, the latest news, awesome artworks, and more.
English (US) ·