Login
iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Powered by MOMENTUMMEDIA
Investigations suggest a third party may have been breached, leaking some two-factor authentication (2FA) codes and phone numbers.
The owner of digital gaming marketplace and platform Steam, Valve, has responded to claims that a massive database of user data has been leaked online, stating that the incident claims are false and Steam itself was not breached.
Rumours of the incident first appeared following a LinkedIn post by a company called “Underdark.ai” highlighted claims made by a threat actor who had claimed to have breached Steam’s network and exfiltrated the data of 89 million users.
The threat actor, Machine1337, better known as EnergyWeaponUser, reportedly claimed on a dark web forum that they had exfiltrated the data, providing a sample that “contains real-time 2FA logs routed via a 3rd party”, according to Underdark in the updated post. Data reportedly included message contents, metadata, routing costs and delivery status, which suggested it wasn’t Steam that was breached, but a third-party organisation.
Now, Steam has confirmed that it was not breached, but it is investigating the leak.
“You may have seen reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems,” said Steam.
“We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.”
Steam added that the leaked contents included one-time codes for verification that only last 15 minutes and the phone numbers they were connected to, but it added that the phone numbers were not connected to Steam accounts, passwords, payment data or any other personal details.
The third-party believed to be involved was Twilio, a cloud communications firm that provides the infrastructure for its clients to add communication capabilities to their applications. Twilio was mentioned in the leaked dataset, leading to the suspicion.
Update: An update suggests that the alleged Steam data breach is not a direct breach of Steam itself, but rather a supply chain compromise – meaning an external service that Steam relies on was targeted.
– Mellow_Online1 (@MellowOnline1) May 11, 2025
Here’s what we understand from this update:
New evidence confirms some…
However, Twilio has since confirmed that it was not breached in a statement to BleepingComputer.
“There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio,” a company spokesperson said.
Additionally, Valve has confirmed that it does not use Twilio’s service, ruling the company out.
At this stage, the third party believed to have been breached is still unknown. Steam has said that customers do not need to change their details or passwords.
“You do not need to change your passwords or phone numbers as a result of this event. It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious,” it said.
Be the first to hear the latest developments in the cyber industry.
