By now, you have no doubt heard the noise raised about a huge Steam hack. Headlines warn of an 89 million Steam accounts breach, roughly 70% of the active user base. These folks could have their usernames and passwords compromised as part of this leak, and everyone should change their passwords before it’s too late.
This is normally good advice for a suspected breach. Still, we believe many outlets and YouTube channels jumped the gun here, taking anonymous posts at face value and running full speed with incomplete information.
The Steam Breach Claim: Where Did it Begin?
The frenzy began when X user @MellowOnline1 highlighted a LinkedIn post from Underdark AI. That post flagged a message from a user on a dark web forum, offering to sell data from 89 million Steam accounts for $5,000. The seller claimed to have a “fresh” leak of usernames, passwords, two-factor codes, SMS logs, metadata, messages, and more.
Underdark AI reported that “sample data” was shared as proof, and prospective buyers were invited to contact the seller via Telegram. It sounds awful, but there is an immediate glaring question. Why would a hack with substantial private information on most of the userbase of the biggest digital gaming storefront only go for $5,000? This is an incredibly low sum for a fresh leak of millions of sensitive records.
Digging Deeper: Was Steam Really Breached?
Shortly after, security outlets like BleepingComputer analyzed the 3,000-record leak sample over the last 2 months. They determined that the data consisted mostly of historic SMS messages with one-time access codes and associated phone numbers. Importantly, there was little evidence of actual account credentials or personal data beyond these details.

Independent analysis suggested that the leak likely originated from a third-party service that managed Steam’s SMS notifications, rather than from Steam itself. Some speculated that Twilio, an SMS delivery vendor, was involved, citing a compromised admin account or abused API keys.
However, when BleepingComputer reached out to verify, a Twilio spokesperson said that the company was still investigating, denied any breach, and stated that there was no evidence that its systems had been compromised.
Valve, Steam’s parent company, later contacted @MellowOnline1 and firmly stated they have never used Twilio for their authentication process.
Valve’s Official Response
Valve publicly addressed the uproar with a direct statement: there was no breach of Steam’s systems.
According to Valve, the leaked data consisted of logs of old SMS messages, containing one-time authentication codes. These codes:
- Were only valid for 15 minutes,
- Were not tied to user passwords, payment information, or other account details,
- Did not expose Steam account credentials.
Valve stressed that users do not need to change their passwords or phone numbers as a result of this supposed leak. Whenever a code is used to change your Steam email or password using SMS, you will also receive a confirmation via email and/or Steam secure messages.
However, they continue to recommend enabling Steam Guard via the mobile authenticator app for better account security.
What This Actually Means (And What You Should Do)
It turns out the “leak” was an overambitious description of what the leaker actually had: an opportunistic attempt by someone on the dark web to sell expired one-time codes, not valid user credentials or passwords. No evidence supports claims that actual user accounts or Steam’s core systems were compromised.
It didn’t help that the Underdark AI bot extrapolated from incomplete information and made some errors in doing so. The post said: “The data includes message contents, delivery status, metadata, and routing costs — suggesting backend access to a vendor dashboard or API, not Steam directly.” That claim is now said to be inaccurate.

Besides a 2FA provider breach, another possible explanation for the leak and its origin is that these one-time codes could have come from a mobile carrier. However, at the time of writing, it has not been determined that this is the case or which provider might have been hacked.
Best Practices for Steam Users Remain
- Enable Steam Guard using the mobile app, not SMS, for two-factor authentication. This requires a verified email address at a minimum.
- Go to Steam > Settings > Account, then click Manage Steam Guard Account Security.
- Toggle the option ‘Protect my account with Steam Guard’ and then click Next.
- Regularly review authorized devices on your Steam account and remove any you don’t recognize.
- Use a strong, unique password. If you haven’t changed it in a while and if it’s less than 10 characters, go ahead and update it.
- Consider finding and using a reputable password manager.
- Watch out for phishing attempts. Just because your account details weren’t compromised doesn’t mean enterprising criminals won’t take advantage of the buzz. Be suspicious of unsolicited security alerts or code requests you didn’t initiate.
- Ensure you are using reputable antivirus software.
If you haven’t done so already, it’s time to take control of your digital gaming library and keep it secure.
The 89 Million Steam Accounts Breach Takeaways
This story highlights 2 important areas of security awareness:
- Not taking internet breach claims at face value, especially when they originate from unverified, anonymous dark web posts and are quickly sensationalized by news outlets.
- SMS for 2FA is better than relying solely on a password for authentication, but it is not entirely secure or reliable.
There was no breach of Steam’s systems, no exposure of account details, and no evidence of third-party vendor compromise. Your Steam library is safe… for now.
But this is a great reminder to keep your account security practices up to date!
