
Valve Responds to Alleged Steam Data Breach Reports: What Users Need to Know
Recent reports of a potential Steam data breach affecting 89 million accounts have caused significant concern among the gaming community. However, Valve, the company that owns and operates Steam, has now issued an official statement clarifying the situation.
Let's examine what happened, the conflicting reports, and what Steam users should do to protect their accounts.
Initial Reports and Claims
On May 13, 2025, cybersecurity firm Underdark AI published a LinkedIn post claiming a "Massive Alleged Steam Data Breach" with over 89 million records reportedly for sale on a dark web forum. According to these initial reports, a threat actor using the alias "Machine1337" (also known as "EnergyWeaponsUser") was offering the database for US$5,000.
The alleged stolen data was said to include phone numbers and one-time passwords, potentially allowing unauthorized access to accounts without two-factor authentication.
Conflicting Information Emerges
As the story spread across social media and news outlets, conflicting information began to surface about the source and extent of the alleged breach:
- Twilio Connection Questioned: Early speculation pointed to Twilio, a communications provider, as the potential source of the breach. However, Twilio explicitly denied any involvement. In a statement to BleepingComputer, a Twilio spokesperson said: "There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio."
- Valve's Official Response: On May 14, Valve issued a comprehensive statement addressing the situation: "Yesterday we were made aware of reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems." Valve clarified they are still investigating the source of the leak, noting that "SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone."
What Was Actually Exposed?
According to Valve's statement, the leaked data consisted of:
- Older text messages containing one-time codes (each valid for only a 15-minute window)
- Phone numbers these messages were sent to
Importantly, Valve emphasized that "The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data."
When BleepingComputer examined the sample of leaked files containing 3,000 records, they found historical SMS text messages with one-time passcodes for Steam, including recipient phone numbers, which aligns with Valve's assessment.
Security Implications for Users
Despite the limited nature of the exposed data, security experts recommend taking precautionary measures.
Valve's Official Guidance
Valve has clearly stated: "From a Steam perspective, customers do not need to change their passwords or phone numbers as a result of this event."
However, they recommend:
- Treating any unsolicited account security messages as suspicious
- Regularly checking Steam account security at https://store.steampowered.com/account/authorizeddevices
- Setting up the Steam Mobile Authenticator for enhanced security
Additional Security Best Practices
While Valve indicates no immediate action is required, following these general security practices remains advisable:
- Use strong, unique passwords for gaming accounts
- Enable Steam Guard (Steam's two-factor authentication system)
- Be cautious of phishing attempts via email, messages, or suspicious links
- Consider using a password manager to maintain secure credentials
The Investigation Continues
Valve has stated they are "still digging into the source of the leak," suggesting this situation may evolve as more information becomes available.
The conflicting narratives between the initial reports and Valve's assessment highlight the importance of waiting for official confirmation before taking drastic action based on cybersecurity news.
What This Means for the Gaming Community
With over 30 million users regularly active on Steam, security concerns naturally generate significant attention.
While the current evidence suggests this incident was not a breach of Steam's systems and poses limited risk to users, it serves as an important reminder about digital security hygiene.
The focus on SMS-based one-time passwords also underscores a potential vulnerability in text-message authentication. As Valve noted, SMS messages are unencrypted in transit and pass through multiple providers, and security experts have long noted that SMS codes are less secure than app-based authenticators.
Conclusion
Based on Valve's official statement, Steam users can breathe a sigh of relief knowing their accounts and personal information appear to remain secure. The situation offers a timely reminder about maintaining good security practices and treating unexpected security messages with appropriate caution.
As the investigation continues, users should stay informed through official Steam channels rather than relying on unverified reports circulating online.