89 million Steam account details allegedly leaked, but no one seems to know how
Table of Contents
Valve has now confirmed that “this was NOT a breach of Steam systems” and users do not need to change their passwords as a result. However, it continues to recommend that you set up the Steam Mobile authenticator for extra security.
Valve's popular PC gaming platform, Steam, is allegedly affected by a data breach that has compromised the credentials of over 89 million users. That's nearly 70% of Steam’s entire active user base, so there’s a good chance your username and password could be part of the leak.
The information comes from X user @MellowOnline1, who highlighted a LinkedIn post from Underdark AI discussing the discovery. According to Underdark AI, a user named Machine1337 posted on a reputable black market forum, offering to sell 89 million Steam account details for $5,000. The seller claims this is a “fresh” leak and says it includes usernames, passwords, two-factor SMS logs, message contents, metadata, delivery status, and other sensitive details.
How did the leak occur in the first place?
Despite circulating on social media for a few days, people still aren't sure where the leak originated. The first assumption, of course, was Valve itself, but later updates suggested that it wasn't a direct breach of Steam, but rather a vendor Valve may have worked with at some point.
This brought Twilio into the spotlight, with claims that it handled Steam's two-factor authentication systems and that the leak stemmed from its infrastructure. However, Valve reportedly reached out to MellowOnline1 and stated that it has never used Twilio.
So, at the time of writing, the internet is still trying to figure out who is actually responsible for the supposed breach. Interestingly, user MellowOnline1 also mentions that the site selling these datasets resembles others like Mipped, which the group Sentinels of the Store, known for pushing Valve to clean up shady practices on Steam, have been warning about for years. Despite these warnings, Valve was slow to take action.
For now, we recommend that Steam users stay on high alert for phishing scams, as hackers often resort to these tactics to target accounts they couldn't access through the breach. As a precaution, change your Steam password and avoid using SMS verification until the situation becomes clearer. The safest option is to enable Steam Guard, which uses the Steam mobile app to generate 2FA codes instead of relying on SMS.
About the Author