Steam Data Leak: What Really Happened and Should You Worry?

Recent reports about a Steam data leak turned out to be much less serious than initially feared. Valve, the company behind Steam, has confirmed that while some data was exposed, no user accounts were compromised.

Initial Panic Over Dark Web Leak

On May 10, cybersecurity firm Underdark.ai issued a warning on LinkedIn about a possible breach involving over 89 million Steam user records. According to their post, a hacker using the alias Machine1337 was attempting to sell the data for just $5,000 on a dark web forum.

The listing reportedly included:

• 2FA SMS logs

• Phone numbers

• Message contents & delivery status

• Metadata

• routing costs

Given Steam’s massive user base—over 120 million active monthly users—the leak sparked immediate concern across gaming communities.

Valve's Response

After investigating the situation, Valve released a statement to clear things up. The company confirmed that the recent reported leak "did not breach Steam systems."

Valve explained that the leaked information only contained "older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to."

Most importantly, they emphasized that "the leaked data did not associate the phone numbers with a Steam account, password information, payment information, or other personal data."

This means that even though some phone numbers and expired verification codes were exposed, this information cannot be used to access Steam accounts.

No Action Required

The good news is that Steam users don't need to take any special actions to protect their accounts. Valve clearly stated: "From a Steam perspective, customers do not need to change their passwords or phone numbers as a result of this event."

However, Valve used this opportunity to remind users about good security practices. They recommended treating any unexpected account security messages with suspicion. They also encouraged users who haven't already done so to set up the Steam Mobile Authenticator, which provides an additional layer of security.

Where Did the Data Come From?

An interesting part of this story is that no one seems to know exactly where the leak came from. Valve confirmed it wasn't from Steam's systems. Underdark.ai suggested the leak might have come from Twilio, a cloud communications company that supposedly handles 2FA services for Steam.

When asked about the situation, Twilio told BleepingComputer that "there is no evidence to suggest that Twilio was breached, we have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio."

What This Means for Gamers

The relatively low asking price of $5,000 for the data was an early indicator that the information probably wasn't very valuable to hackers. If it had contained actual account credentials or payment information, it would likely have been priced much higher.

While this particular leak doesn't pose a significant threat, it serves as a good reminder about online security. Using strong, unique passwords and enabling two-factor authentication are still the best ways to protect your gaming accounts and other online services.