Millions of Steam users are being urged to change their passwords and secure their accounts following alarming reports that personal data from 89 million user accounts is up for sale on the dark web. The alleged breach, which surfaced through posts on social media and cybersecurity forums, has sparked confusion and concern across the gaming community.
Steam, owned by Valve Corporation, is the world’s leading digital distribution platform for PC games, hosting over 120 million active users each month. With some user accounts containing hundreds or even thousands of dollars’ worth of games, any potential compromise could be devastating.
Hacker Claims to Sell Millions of Accounts
The situation came to light when a hacker known as Machine1337 (also using the name EnergyWeaponsUser) advertised a trove of stolen Steam data on a dark web forum, offering it for just $5,000. The data reportedly includes sensitive details such as one-time passcodes and phone numbers—potentially opening the door to account takeovers and phishing attempts.
Cybersecurity firm Underdark AI brought attention to the listing via LinkedIn. Shortly after, independent journalist MellowOnline1, who leads the SteamSentinels group that monitors fraud within the Steam ecosystem, shared the news more widely on X (formerly Twitter).
The leak is said to contain SMS messages sent to users with codes used to confirm identity or link phone numbers to Steam accounts, further raising alarm over how the data was collected—and how recent it may be.
Questions Swirl Over the Breach’s Origin
One of the biggest mysteries surrounding this incident is how the attacker gained access to so much data. Early speculation suggested that Valve may have suffered a breach. However, the company reportedly denied any connection, specifically stating it has never used Twilio—a cloud-based service commonly used to send two-factor authentication (2FA) messages.
Despite Valve’s denial, technical details in the leaked files point to Twilio’s systems as a possible link. BleepingComputer, a cybersecurity news site, examined a sample of 3,000 leaked records and found evidence of real-time SMS logs that could have come from Twilio’s backend or an affiliated service.
MellowOnline1 speculated that the data might have been accessed through a compromised API key or admin account, suggesting a potential supply-chain vulnerability. Still, Twilio has firmly denied that its systems were compromised.
In a statement, a Twilio spokesperson said:
“There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio.”
While Twilio confirmed it is actively investigating the matter, the company believes the data may have been obtained from a third-party SMS provider that acts as an intermediary between its platform and end users.
Leaked Data Appears Recent and Authentic
Adding to the urgency, BleepingComputer reported that some of the leaked messages appear to be from as recently as March, suggesting that the data is not only real but also relatively new. This has intensified concerns among users and experts, especially for those who haven’t enabled additional security on their accounts.
Without 2FA enabled—Steam’s version is called Steam Guard—accounts could be vulnerable to unauthorized access. Even if a hacker can’t gain direct control, the leaked information could be weaponized in phishing campaigns that trick users into handing over credentials or financial information.
Valve’s Silence Raises Eyebrows
Despite mounting concern and media attention, Valve has yet to make an official public statement. This silence has only fueled speculation, leaving users uncertain about whether the company is investigating internally or preparing a formal response.
Until Valve speaks out, the community is left relying on third-party insights and cybersecurity warnings. This has understandably led to confusion, especially among those unsure whether their accounts are at risk.
What Users Can Do Right Now
Experts are urging all Steam users to take immediate action, even without confirmation from Valve. The most effective steps include:
- Changing passwords immediately, especially if they are reused on other sites.
- Enabling Steam Guard Mobile Authenticator, which offers stronger protection through time-based codes on your phone.
- Regularly checking account activity for any unfamiliar logins or purchases.
- Staying alert to phishing emails or text messages pretending to be from Steam.
It’s worth noting that users who already have Steam Guard enabled are believed to be safe from direct compromise via the leaked data.