
Valve has denied claims of a data breach within Steam’s infrastructure, responding to reports that tens of millions of user records — primarily SMS-based two-factor authentication (2FA) messages — had been compromised.
The company confirmed that its own systems were not infiltrated and is currently investigating how the leaked data surfaced online.
Steam, developed and operated by Valve Corporation, is the largest digital distribution platform for PC gaming, serving an estimated 132 million monthly active users.
The situation came to light earlier this week when independent games journalist and Steam safety advocate Mellow_Online1 (@MellowOnline1) reported that an alleged breach had exposed over 89 million user records. These records, being sold for $5,000 on the underground cybercrime forum XSS, included 2FA text messages used to authenticate Steam logins, along with phone numbers, timestamps, and delivery statuses. A sample of 3,000 records was leaked as proof. However, Valve maintains that this data was not sourced from Steam’s infrastructure.

In a public statement released today, Valve explained that the leaked messages were unencrypted SMS texts containing short-lived 2FA codes — valid for only 15 minutes — and phone numbers, but without any associated Steam account information, passwords, or payment data. The company emphasized that this data alone cannot be used to compromise accounts and does not necessitate password changes or other immediate user action.
While Valve has not named the third-party service involved, researchers and community analysts, including Mellow_Online1 and the group Steam Sentinels, pointed to Twilio — a major communications platform used by many services to send SMS messages — as a possible source. The leaked data includes message content, delivery metadata, and routing cost information, suggesting access to a provider’s backend systems or API credentials.

Twilio, for its part, has denied any breach. In a statement to CyberInsider, a Twilio spokesperson said: “There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio.”
Valve continues to investigate the source of the leaked data and recommends that users remain cautious. “It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious,” the company advised, pointing users to its account management page and encouraging adoption of the Steam Mobile Authenticator, which offers stronger protection than SMS-based 2FA.
Steam users should consider switching to app-based authentication if still relying on SMS-based 2FA, review authorized devices and login history on Steam’s account security page, and be wary of phishing attempts that mimic legitimate Steam communications.