DataBreach Logo
HomeNewsBreachesAPIAboutAccount
HomeNewsBreachesAPIAboutAccount

The Steam “Breach” of May 2025: Sorting Fact from Fiction

DataBreach.com Team · · May 16th 2025, 12:00 am EDT

The Steam “Breach” of May 2025: Sorting Fact from Fiction

Initial Reports Spark Concern Over Alleged Steam Data Compromise 
 
In early May 2025, the online gaming community faced a wave of anxiety following reports of a significant data security incident potentially affecting Valve Corporation's Steam platform. Initial claims, originating from a LinkedIn post by cybersecurity firm Underdark AI and amplified on X by games journalist @MellowOnline1, suggested that up to 89 million Steam user records had been compromised.

The core of these concerns centered on an individual identified as "Machine1337," who was reportedly offering a dataset for sale on a dark web forum for $5,000. This dataset was alleged to contain SMS logs, including two-factor authentication (2FA) codes, associated phone numbers, and technical metadata.

Suspicion initially fell upon Twilio, a widely used provider of SMS-based 2FA services, due to traces of its involvement found within samples of the circulated data. However, Twilio promptly denied any breach of its systems in a statement to BleepingComputer.

Valve intervened on May 14, 2025, issuing a clarifying statement asserting that Steam's core systems remained secure and had not been breached. According to Valve, the data in question consisted of "older text messages" containing expired 15-minute 2FA codes and phone numbers. Crucially, Valve stated this information was not linked to Steam account credentials, passwords, or payment details.

The incident appears to stem from a potential vulnerability within the broader SMS delivery supply chain rather than a direct compromise of Steam's infrastructure. Valve noted that unencrypted SMS messages traverse multiple providers, suggesting the data may have been intercepted from an intermediary service-distinct from Twilio-within this chain.  
 
The relatively low asking price for the dataset and the limited nature of the exposed information led security analysts to speculate the offering could be an attempt to monetize old or minimally valuable data. 
 
Timeline of Events   

  • Early May 2025: An individual, "Machine1337," lists a dataset purportedly containing 89 million Steam user records for sale on a dark web forum for $5,000.

  • May 12, 2025: Cybersecurity firm Underdark AI publishes a warning on LinkedIn regarding the alleged breach. Games journalist @MellowOnline1 disseminates this information on X, leading to widespread user concern.

  • May 13, 2025: Twilio issues a statement denying its systems were breached.

  • May 14, 2025: Valve releases an official statement confirming no breach of Steam systems occurred, characterizing the leaked data as old SMS logs and phone numbers not directly tied to sensitive account information.

  • May 15, 2025: Cybersecurity news outlets, such as BleepingComputer, begin to report Valve's assessment, indicating the severity of the initial breach claims may have been overstated and questioning the true utility or origin of the offered data.

    Nature of the Exposed Data 
    The dataset reportedly contained the following types of information:

  • SMS Logs with 2FA Codes: These were one-time passcodes intended for account login verification. However, these codes have a very short validity period (typically 15 minutes) and would have expired long before the data was widely circulated.

  • Phone Numbers: These numbers were associated with accounts utilizing SMS-based 2FA. Valve maintains these are not directly correlated with Steam usernames, passwords, or other sensitive account identifiers within the leaked dataset.

  • Technical Metadata: Information such as SMS delivery statuses and routing costs was also allegedly present, suggesting the data originated from an SMS provider's infrastructure rather than directly from Steam's servers. 
    No evidence suggests that user names, email addresses, payment card information, passwords, Valve intellectual property, or application source code were compromised in this incident. The exposed data appears to be of limited practical use for direct account takeover.  
    Potential User Impact and Risk Assessment 
    While Valve's assessment mitigates concerns of a direct, catastrophic breach, the exposure of phone numbers presents certain risks:

  • Phishing and Smishing Campaigns: Malicious actors could leverage the exposed phone numbers to conduct targeted phishing (via email) or smishing (via SMS) attacks, attempting to deceive users into divulging login credentials or clicking malicious links by impersonating Steam or Valve.

  • Social Engineering: The phone numbers, if correlated with data from other breaches, could be used in more sophisticated social engineering attempts to extract further sensitive information from individuals.

  • Secondary Exploitation: The data, however limited, might be aggregated with information from other security incidents to enhance the credibility or targeting of future malicious activities. 
    The overall risk to individual Steam users from this specific dataset is considered low, primarily because the critical 2FA codes were ephemeral and the phone numbers are not, according to Valve, directly linked to comprehensive account details in the leak. Nevertheless, vigilance is warranted.

Frequently Asked Questions (FAQ)

  • Q: How can I determine if my specific Steam account was involved in this data exposure?
    • A: According to Valve, the leaked data does not directly associate phone numbers with specific Steam account identities. Given the low-risk nature of the exposed data (primarily expired 2FA codes), individual notification or lookup is not being provided. Users are advised to follow general security best practices.
  • Q: Were my payment details or Steam account passwords stolen?
    • A: No. Valve has confirmed that account credentials, payment card information, and other forms of highly sensitive personal data were not part of this specific data leak.
  • Q: What was the root cause of this data leak?
    • A: This was not a breach of Steam's direct systems. Valve indicates the data likely originated from a third-party SMS provider within its supply chain due to the unencrypted nature of SMS message routing. The specific provider has not been publicly named.
  • Q: Is it still safe to use the Steam platform?
    • A: Yes. Valve has affirmed that Steam's core systems were not compromised. Utilizing strong security practices, particularly the Steam Guard Mobile Authenticator, will enhance account security.
Track your breaches & future legal actions
More News
Is Ticketmaster’s 2024 Mega-Breach Now on the Cyber-Crime Resale Rack?
Is Ticketmaster’s 2024 Mega-Breach Now on the Cyber-Crime Resale Rack?
5 days ago
Exclusive: Texas Tech University Health Sciences Center El Paso Data Breach Exposes 1.4 Million Records
Exclusive: Texas Tech University Health Sciences Center El Paso Data Breach Exposes 1.4 Million Records
10 days ago
Data Broker LexisNexis Masters Data Collection, Fails Spectacularly at Data Protection
Data Broker LexisNexis Masters Data Collection, Fails Spectacularly at Data Protection
11 days ago
Exclusive: DaVita Ransomware Breach Live on DataBreach.com
Exclusive: DaVita Ransomware Breach Live on DataBreach.com
18 days ago
May 29 Claim Deadline: Tyler Technologies Breach Victims Can Still Secure Up to $3,500—Act Now
May 29 Claim Deadline: Tyler Technologies Breach Victims Can Still Secure Up to $3,500—Act Now
19 days ago
Latest Breaches
texas-tech-university-health-sciences-center-el-paso-2024
Texas Tech University Health Sciences Center
1M rows
Jun 4, 2025
allegheny-health-network-2025
Allegheny Health Network
194k rows
Jun 4, 2025
davita-2025
DaVita
1M rows
May 27, 2025
acadian-ambulance-2024
Acadian Ambulance
3M rows
May 8, 2025
hertz-2025
Hertz
1M rows
Apr 30, 2025
Created and maintained by
For media inquiries, contact us at contact@databreach.com
Terms & ConditionsPrivacy Policy