During the last days, Steam, the leading PC gaming platform, has been caught up in an intense wave of news and rumors after the discovery of the Sale on the dark web of a supposed database containing information on up to 89 million accountsAlthough at first glance the issue generated a significant stir among users and industry media, the reality of the leak is now being clarified by Valve and specialized sources, making it clear what really happened and how it affects players.
Despite alarming headlines and impulsive recommendations to change passwords, Valve itself has come out to explain everything in detail. The leak does not involve a breach of Steam's internal systems., nor does it mean that access keys, personal data, or payments have been exposed. However, there are relevant details about the data exposure and how to stay protected from potential indirect consequences.
What exactly has been leaked from Steam?
The incident focuses on the Exposure of old SMS messages sent for two-factor authentication (2FA), used by Steam to protect account access. These messages contained one-time codes—which are valid for just 15 minutes— and destination phone numbers, but were not associated with passwords, specific accounts, payment information or sensitive personal data according to official Valve statements.
The data sample published and put up for sale by a hacker under the pseudonym Machine1337 included information such as codes, delivery statuses, timestamps, phone numbers and technical metadataCybersecurity firm Underdark.ai and various media outlets have verified that part of the sample is real, although the overall magnitude seems doubtful, especially given the low selling price, which has caught the attention of numerous analysts.
Have they hacked Steam directly?
According to Valve's statements and research by cybersecurity experts, There has been no intrusion into Steam's servers or the company's central system.The origin of the leak points more to a vulnerability in the chain of third-party providers responsible for sending SMS messages for the authentication system.
These communications travel unencrypted through various intermediaries before reaching the user, complicating traceability of the incident and making it difficult to pinpoint the exact location of the breach. Twilio, the company initially identified by some media outlets as a possible source, has denied any direct involvement in such a leak. and Valve also indicates that they do not currently use their services for these purposes.
What risks really exist for users?
The main danger does not reside in direct access to accounts by attackers, since the leaked codes have long since expired and the information exposed is not sufficient to impersonate individuals. The real risk lies in the potential use of leaked phone numbers to carry out phishing attacks. Targeted, such as fake SMS messages that attempt to trick the user into obtaining more login details or carrying out personalized scams.
Valve and several cybersecurity portals agree that There is no need to change your Steam password for this specific incident if you have two-factor authentication enabled. and your devices are under control. However, maintaining strong passwords, reviewing connected devices, and avoiding reusing passwords across different services is still critical to strengthening account protection.
Recommended measures and good security practices
- Activate Steam Guard If you don't already have one, add an extra layer of protection by using the official Steam app as an authenticator, avoiding the need for SMS.
- Be wary of suspicious messages, especially those sent via SMS, supposedly on behalf of Steam. Don't follow links or share information unless it's through official channels.
- Change your Steam password If you are in the habit of reusing it in other services, if you have doubts, or periodically to minimize risks.
- Regularly monitor your account activity in Steam settings, checking access and authorized devices.
Valve insists that, to date, the security of Steam's servers has not been compromised and that critical user information remains safe. The company is continuing to investigate the exact source of the exposure and recommends the community exercise extreme caution, especially in the face of attempted deception or fraud stemming from the leak.
It's important to remain calm and follow good digital security practices. The leaked information doesn't allow access to Steam accounts or affect critical financial or personal data, so there's no reason to be unduly alarmed. Staying informed through official channels and being alert to potential fraud attempts are the best measures to protect yourself in these cases.
