Over 89 million Steam accounts impacted in alleged data breach

It might be time to change your Steam password.

Valve’s popular PC gaming store is allegedly impacted by a data breach that appears related to Twilio, a third-party service that Steam uses for two-factor authentication (2FA) codes sent via SMS. Hackers are reportedly selling 89 million Steam records on a dark web forum for just US$5,000 (about C$6,992).

The details come from independent games journalist @MellowOnline1, who spotted the hackers’ post and shared it on Twitter/X.

In a later tweet, @MellowOnline1 clarified that it doesn’t appear to be a direct breach of Steam, but rather a breach of an external service that Steam relies on. They shared that a sample of the leaked data includes real-time SMS logs used in 2FA, message content (e.g., the 2FA codes), delivery status, routing costs (how much it costs to send messages), and metadata like timestamps, recipient numbers, and more.

Moreover, the leaked data implies that the hacker had or has access to Twilio’s systems. While Steam itself doesn’t appear to have been hacked, users still face significant risks. The hack opens up possible phishing attacks where hackers could send fake but convincing messages to users. It could also lead to session hijacking, where hackers could intercept or replay 2FA codes to bypass login protections.

Twilio is the company behind the Authy 2FA app, and this isn’t the first data breach it has faced. It suffered a breach in July 2024, while Twilio’s parent company SendGrid was hacked last month (though SendGrid claims there’s no evidence of a breach). It’s worth noting there’s no official confirmation of another breach from Twilio yet, and there’s a possibility that this Steam data stems from a previous hack.

Regardless, Steam users should be on guard for phishing scams and should take steps to protect themselves. A good first step would be changing Steam passwords. It’d also be wise to change 2FA methods to avoid using Twilio. Perhaps the best option would be to use Steam Guard, which requires installing the Steam app on a smartphone to access 2FA codes instead of receiving them over SMS.

Source: @MellowOnline1 (Twitter) Via: MakeUseOf
