Valve has responded to reports of a major data breach in which Underdark.ai, a cyber threat intelligence service, highlighted a dark web forum post by a hacker claiming to be in possession of 89 million Steam user records. According to Valve, which has been pretty good at keeping on top of security, there is nothing for Steam users to be worried about. Furthermore, Valve says there's no need to change your password or phone number as a result of this incident.
Underdark.ai drew attention to the issue in a post on its LinkedIn page. The firm says a threat actor going by Machine1337 was attempting to sell an alleged dataset of 89 million Steam user records for $5,000, and offered up a sample of the supposedly stolen data.
"The implications here are serious—Steam isn’t just a game platform; it's a treasure trove of personal and financial data tied to users worldwide. If this breach is verified, it could lead to widespread phishing, account takeovers, and targeted attacks across the gaming community," Underdark.ai stated.
It followed up with an update claiming a leak sample containing real-time two-factor authentication SMS logs confirmed the breach. The firm went on to say that the data included message contents, delivery statuses, metadata, and routing costs, which led the company to posit that the data breach resulted from backend access to a vendor dashboard or API, rather than from a direct breach of Steam.
The situation would obviously be concerning, given that Steam is the world's largest digital distribution platform for games (along with other software) with over 132 million monthly active users. But after Valve had time to perform an initial assessment, it stated in bold text that "this was NOT a breach of Steam systems" and that no sensitive data was compromised.
"The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to.
The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages," Valve stated in a post on Steam.
Valve went a step further by saying, "You do not need to change your passwords or phone numbers as a result of this event," though it did use the incident as an opportunity to remind users to be wary of any account security messages that appear out of the blue.
Valve also recommends regularly checking your Steam security settings page, and specifically keeping tabs on which devices are authorized to access your account. Additionally, Valve says it's a good idea to set up the Steam Mobile Authenticator if you have not already done so.
"We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone," Valve added.