On May 13, 2025, alarming reports emerged online regarding a significant data breach affecting millions of Steam users. This incident raised serious concerns due to the potential exposure of sensitive account information, including passwords and two-factor authentication (2FA) codes. Gamers quickly sought clarification about the security of their accounts and whether their credentials had been compromised.
Massive Claims Surrounding 89 Million Affected Steam Accounts
The gaming community was thrown into chaos as rumors spread across social media platforms about a data dump that possibly impacted around 89 million Steam accounts. Various cybersecurity analysts and data breach monitoring services began reporting the disturbing news, further alarming users.
The claims originated from a post on the LinkedIn profile of Underdark.ai, which reported that a threat actor known as Machine1337 was offering a dataset containing over 89 million Steam accounts for $5,000 on a prominent dark web forum.
The situation escalated when independent games journalist Mellow_Online1 tweeted about the alleged breach, further amplifying the fears of the gaming populace.
The convergence of these reports, along with circulating leaked files on dark web forums, heightened anxieties regarding the possible compromise of Valve’s gaming platform.
Clarification: External 2FA Service Breach, Not Steam Itself
Subsequent investigations revealed that it wasn’t Steam itself that faced the breach; rather, it was an external service that Steam utilizes for its operations. Reports surfaced pointing to compromised SMS logs used for two-factor authentication.
It became clear that the breach actually involved Twilio, a leading cloud communications service that provides essential communication tools. Twilio is the parent company of the Authy 2FA application, which is instrumental for Steam users in generating 2FA codes to enhance account security.
Consequently, although Steam did not directly lose control of its internal database, the exposure from Twilio’s breach potentially allowed attackers to intercept 2FA codes, which could facilitate phishing attempts against users.
Were Steam Passwords Actually Compromised?
One of the pressing concerns among Steam users is whether their passwords were genuinely at risk following the Twilio breach. Initial indications suggest that this may not be the case, as Twilio officially dismissed the breach allegations in a statement given to BleepingComputer.
If Twilio’s statement holds true, it implies that neither Steam passwords nor 2FA codes have been leaked. Although Valve has remained silent on the issue, reports indicate that Mellow_Online1 was contacted by Valve representatives, who claimed that Valve does not utilize Twilio’s services.
As a precaution, it is still prudent for Steam users to change their passwords and revoke access from any unfamiliar devices. While current observations show no anomalous activity on my account, staying vigilant against suspicious behavior remains essential.
- Monitor account activity regularly.
- Update your password periodically.
- Enable additional security measures whenever possible.