Steam Data Breach Exposes 89 Million Accounts via Third-Party 2FA Service | How to Protect Yourself
A massive Steam data breach is making headlines after hackers allegedly gained access to 89 million user records linked to Steam’s two-factor authentication (2FA) system. While Valve’s gaming platform wasn’t directly compromised, the breach appears tied to a third-party SMS provider, raising serious concerns about account security.

Hackers are reportedly selling the data on the dark web, exposing users to risks like phishing and session hijacking. As investigations continue, security experts urge Steam users to update passwords and switch to safer authentication methods like Steam Guard.
How the Breach Happened
The breach was first reported by independent journalist @MellowOnline1, who found hackers selling the massive dataset for US$5,000 on a dark web forum. The leaked information includes:
- Real-time SMS logs
- 2FA codes and message content
- Delivery status and routing costs
- Timestamps and recipient phone numbers
Though it’s not a direct breach of Steam, hackers may have gained access through a compromised Twilio system, for example via compromised admin accounts or misused API keys.
Twilio Denies Breach, Investigation Ongoing
Twilio, which also owns the Authy 2FA app, quickly responded to the allegations. The company stated that its systems had not been breached and that it found no evidence connecting the leaked data to its servers. However, it is continuing to investigate.
A supply-chain compromise is suspected, possibly involving an intermediary SMS provider between Twilio and Steam users. This theory arises from technical evidence in the leaked data showing SMS traffic logs tied to Steam’s 2FA services.
Why This Matters for Steam Users
Even if Steam wasn’t directly hacked, the breach exposes users to:
- Phishing attacks using real phone numbers and familiar-looking messages.
- Session hijacking, where hackers intercept or reuse 2FA codes to bypass login security.
With over 120 million monthly active users, Steam’s community is a valuable target for cybercriminals.
What Should Steam Users Do?
Security experts recommend immediate action:
- Change your Steam password.
- Switch 2FA methods to avoid SMS-based codes.
- Use Steam Guard Mobile Authenticator, which delivers 2FA codes through the Steam app, adding a safer layer of protection.
- Monitor account activity for any unauthorized logins.
A Reminder of Past Breaches
This incident follows a pattern of security concerns for Twilio. The company faced a breach in July 2024, while its parent company, SendGrid, also dealt with security issues recently. However, there’s no confirmed link between these past events and the current Steam-related breach.
For now, users should remain vigilant and adopt stronger authentication methods to safeguard their accounts.
Have you received suspicious Steam-related messages lately? Share your experience in the comments below.
More…
- https://mobilesyrup.com/2025/05/13/over-89-million-steam-accounts-impacted-in-alleged-data-breach
- https://www.xda-developers.com/89-million-steam-account-details-leak
- https://www.bleepingcomputer.com/news/security/twilio-denies-breach-following-leak-of-alleged-steam-2fa-codes
