Hacker offers to sell SMS OTP messages of 89M Steam users; Valve clarifies there is no account connection
Take action: If you have a Steam account, make sure multi-factor authentication is enabled. The hacker's claims appear to have been overblown, so Steam accounts themselves are not at risk. The leak did, however, expose real phone numbers, which can be abused for scams and phishing that impersonate Steam.
A cybercriminal is claiming a breach of Steam and is offering to sell the records of 89 million Steam users. If genuine, a leak of that size would cover roughly 70% of Steam's active user base, which is reported at around 130 million monthly active users. The leaked data appears to consist of old SMS one-time passcodes, and the messages carry no link to the Steam accounts they were sent to. Because the codes expired long ago and cannot be tied to an account, they are useless to an attacker; the only valuable information is the phone numbers, which can be abused for scams and phishing.
A person or group using the aliases "EnergyWeaponUser" and "Machine1337" has advertised a database on the dark web allegedly containing over 89 million Steam user records. The seller claims this is a “fresh” leak and says it includes:
- usernames,
- passwords,
- two-factor SMS logs,
- message contents,
- metadata,
- delivery status,
- other sensitive details.
The hacker is selling this database for $5,000. The sale was first reported on Twitter; BleepingComputer's analysis of sample records shows the following data exposed:
- Historic SMS text messages containing one-time passcodes for Steam
- Recipients' phone numbers
- Authentication message contents and metadata
- Delivery status information
- Possibly usernames and passwords
Update - Valve Corporation has responded to the leaked data. According to its statement, the compromised data was limited in scope and posed minimal risk to Steam account security. The exposed data consisted of old text messages containing one-time authentication codes (each valid for only 15 minutes) and the phone numbers those messages were sent to.
Valve confirmed that the exposed information did not link the phone numbers to Steam accounts and did not include any password data. Valve explicitly stated that users do not need to change their passwords or phone numbers as a result of this incident, confirming that no critical security information was compromised.
The origin of this data remains unclear, with several conflicting reports:
- Initial speculation suggested this might be a direct breach of Valve's Steam platform
- Later theories pointed to a supply chain attack involving Twilio, a cloud communications company that provides SMS messaging services for many applications
Twilio has explicitly denied being breached, stating: "There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio." According to games journalist MellowOnline1, Valve has stated that it has never used Twilio's services. Another possibility is that an intermediary SMS provider, sitting between the sender and the recipients' carriers, was compromised.
Steam users should always enable two-factor authentication, preferably through an authenticator app (Valve's own is the Steam Guard Mobile Authenticator) rather than SMS, and should be very careful about any unexpected messages claiming to be from Steam: the leaked phone numbers are real and can be abused for scams and phishing.