Steam has reportedly been compromised. I use the word “reportedly” here because it has yet to be confirmed where the breach stemmed from. At the moment, a hacker is allegedly in possession of 89 million user records and has supposedly put this information up for sale for $5,000.
The report comes from BleepingComputer, which claims to have looked at 3,000 of these leaked files and found historic SMS text messages with one-time passcodes for Steam. These messages include user phone numbers too.
According to an insider, this breach hasn’t happened at Valve but rather at Twilio. Twilio is a communications company that provides 2FA text messages, delivery status notifications, metadata, and routing costs to companies. So essentially, when you get a 2FA or PIN token via SMS while signing into your account, Twilio is responsible for sending it.
Twilio has since responded to these claims, saying that the company isn’t involved in the breach at all. In fact, a spokesperson says that the company has reviewed some of the leaked data and found no indication that it was obtained internally.
Valve, on the other hand, says the leak is real. In a statement, it says that data from a few million Steam accounts has leaked, and the leak does include phone numbers. However, while the phone numbers have leaked, Valve says the information does not include any password content, payment information, or personal data of any sort.
Valve also says that this leaked information consists of older text messages that include one-time codes valid for only 15 minutes. This information is pretty useless given that every text message is much older than 15 minutes now. So the data cannot be used to change Steam email addresses, passwords, or phone numbers.
Valve says that users should set up the Steam mobile Authenticator, which you should have set up anyway because it is a much easier way to sign into Steam. The company says it is trying to dig into the source of the leak.
“The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.”
Source: BleepingComputer / Valve