Valve responds to alleged Steam "data breach" leak of 89 million account details — here's the full story

The official logo of Valve's PC gaming platform Steam. (Image credit: Valve)

New information has come to light regarding a recent alleged leak of over 89 million account details from Steam — one of the most popular gaming platforms in the world, and the most popular client used by PC gamers worldwide with over 120 million active users monthly.

A few days ago, a dark web monitoring group known as Underdark.ai posted a warning to its LinkedIn, claiming that it came across a threat actor named Machine1337 offering to sell over 89 million user records for a sum of $5,000. Naturally, this ended up sparking quite a bit of panic, with many outlets and community figures urging Steam users to change their passwords and enable Two-Factor Authentication (2FA) if they haven't already.

A follow-up update from Underdark.ai on its original post noted that a leaked sample from the data for sale specifically included 2025 2FA SMS logs of one-time access codes sent to users, encompassing "message contents, delivery status, metadata, and routing costs," along with phone numbers.

Now, though, it appears that the threat is far less serious than it was originally thought to be. Valve has responded to the situation in a statement given to GamingOnLinux, asserting that none of the leaked data was ever linked to Steam accounts and that there's ultimately nothing for users to worry about.

Steam is the most popular PC gaming platform in the world with over 120 million monthly active users. (Image credit: Valve)

"The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data," the statement reads. "Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages."

"From a Steam perspective, customers do not need to change their passwords or phone numbers as a result of this event. It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious," Valve continued. "We also recommend Steam users set up the Steam Mobile Authenticator if they haven’t already, as it gives us the best way to send secure messages about their account and that account’s safety."

So, there you have it. While a leak of 2FA text messages and metadata did happen, none of it ties back to any personal data like Steam account login info or financial details. If you've been worried about a major breach of your security happening as a result of the leak, you can now breathe a sigh of relief.

It's highly recommended to enable Valve's Steam Guard Mobile Authenticator 2FA solution for extra security. (Image credit: Valve)

As for how and where the leak originated, it's unclear; Valve says it wasn't a Steam breach, and Underdark.ai claimed it was from the cloud communications company Twilio that supposedly handles 2FA services for Steam. However, Valve has reportedly said it's not partnered with Twilio in any way. According to a statement from Twilio given to BleepingComputer, "There is no evidence to suggest that Twilio was breached," though the firm didn't give a clear answer about whether or not it's worked with Valve before (or is doing so now).

Regardless, it's good to hear from Valve itself that the leak isn't nearly as concerning as it seemed to be initially — though a price as low as $5,000 arguably signaled that the data wasn't very dangerous from the start. With that said, I still encourage you to set up Valve's Steam Guard Mobile Authenticator 2FA solution if you don't use it already. Also, be wary of any random messages you get on Steam, and avoid clicking potential phishing links in them out of an abundance of caution.

Brendan Lowry

Brendan Lowry is a Windows Central writer and Oakland University graduate with a burning passion for video games, of which he's been an avid fan since childhood. He's been writing for Team WC since the summer of 2017, and you'll find him doing news, editorials, reviews, and general coverage on everything gaming, Xbox, and Windows PC. His favorite game of all time is probably NieR: Automata, though Elden Ring, Fallout: New Vegas, and Team Fortress 2 are in the running, too. When he's not writing or gaming, there's a good chance he's either watching an interesting new movie or TV show or actually going outside for once. Follow him on X (Twitter).