Reports of a massive Steam data breach sparked alarm over the weekend, but Valve says there’s less to worry about than first feared.
Valve has issued a statement addressing widespread reports of a data breach potentially involving more than 89 million Steam user records. This was posted on the Steam website on Thursday morning (15 May, 2025).
The company clarified that its systems have not been compromised, and reassured users there is no need to reset passwords or change personal information.
Valve’s statement comes a few days after reports of the said breach circulated on LinkedIn and X (formerly Twitter).
Steam data leak claims emerge online
The alarm was first raised after X (formerly Twitter) user Mellow_Online1 shared a warning on Monday (12 May) about a LinkedIn post from Underdark AI, which pointed to a claim by a hacker going by the alias Machine1337. The hacker allegedly posted on a popular dark web forum, claiming to possess over 89 million Steam user records.
The post suggested that the leak was “fresh” and included more than just usernames and passwords, although no specifics were provided. According to Underdark AI, analysis of the dataset pointed to the inclusion of two-factor authentication (2FA) SMS logs, message contents, metadata, delivery statuses, and other technical information.
Following the initial post on the claimed Steam data breach, the LinkedIn update stated that "New evidence confirms that a leaked sample contains real-time 2FA SMS logs routed via Twilio. The data includes message contents, delivery status, metadata, and routing costs, suggesting backend access to a vendor dashboard or API, not Steam directly."
Twilio, a cloud communications company that provides APIs for sending SMS, voice calls, and 2FA messages, is widely used by apps like Steam for user authentication.
As reported by BleepingComputer, a Twilio spokesperson acknowledged the situation and confirmed an investigation was underway.
"Twilio takes these threats very seriously and is reviewing the alleged incident. We will provide more information as it becomes available," the company spokesperson told BleepingComputer. Twilio also later clarified that its systems had not been breached.
X user Mellow_Online1 later on posted an update after Valve reached out to them:
According to the post, Valve told Mellow_Online1 that the company does not use Twilio.
Valve issues clarification: no action needed from users
In a statement released on Steam, Valve confirmed that while a leak did occur, it was not the result of any breach of Steam’s internal systems. The data consisted of old SMS messages containing one-time validation codes, which expire after 15 minutes, and the phone numbers they were sent to.
“We have examined the leak sample and have determined this was not a breach of Steam systems,” Valve said in its statement. “The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data.”
Valve explained that these messages, which were sent to users for security verification purposes, are not sufficient to compromise accounts. The company reiterated that any change to a user’s email or password using an SMS code would also trigger a confirmation via email or a secure Steam message.
The company is continuing to investigate the source of the leak, noting that SMS messages are unencrypted during transmission and are routed through multiple third-party providers, increasing the risk of exposure outside of Steam’s infrastructure.
No immediate risk, but users urged to stay cautious
Valve made clear that users do not need to change their passwords or phone numbers due to this event. However, it advised users to treat any unsolicited security messages with suspicion, and to review their account’s authorised devices for added peace of mind.
Additionally, users who have not yet enabled the Steam Mobile Authenticator are encouraged to do so, as it offers the most secure method for receiving account-related messages and verification requests. Further security options and device management tools are available through Steam’s official website.
