News of the leak first appeared in this LinkedIn post from Underdark AI, an Israeli cybersecurity firm, which was highlighted by an X user and independent games journalist named MellowOnline1.
Underdark says a threat actor known as Machine1337 had posted on “a well-known dark web forum,” offering a dataset of 89 million Steam user records for $5,000.
Steam is one of the world’s mostly widely used game distribution services and storefronts, with more than 130 million active users – meaning this breach affects more than half the user base.
Underdark urges Steam users to change their passwords, enable two-factor authentication and watch for suspicious emails and phishing attempts, which is all standard practice post-breach.
If Machine1337’s claim is true, how did the threat actor obtain the details? Valve has denied a leak, as has API service Twilio. Twilio was suspected because its name was mentioned in the dataset, but Valve has confirmed it does not use Twilio’s service (and Twilio itself has denied any breach).
The dataset does, however, suggest that the breach occurred somewhere in the supply chain, such as an SMS provider. It contains two-factor SMS logs, including message contents, delivery status, metadata and routing costs, implying backend access to a vendor dashboard or API.
In a statement, Valve said:
“We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.”
That routing makes finding the end culprit extremely time-consuming. However, Valve did have some good news, saying that while frequent password changes are good opsec, “customers do not need to change their passwords or phone numbers as a result of this event.”