If you’ve seen news stories claiming that more than 89 million Steam user records leaked, don’t panic. Social media posts currently circulating suggest that Steam credentials are up for sale on the dark web, but those claims appear to be untrue. Of course, even if your data hasn’t actually been compromised, it’s a good idea to have additional authentication set up on your Steam account.
What happened with Steam?
Short answer: Probably nothing. As XDA reported , X user MellowOnline1, a games journalist, called attention to a post on LinkedIn from Underdark.ai alleging that 89 million Steam user records were up for sale on a dark web forum for $5,000 via a threat actor known as Machine1337. MellowOnline1 suggested that the leak came not from Valve Corporation—Steam’s owner—itself, but from Twilio, a platform that provides two-factor authentication (2FA) for apps like Steam via methods like SMS, voice, email, WhatsApp, passkeys, push notifications, and time-based one-time passwords.
Upon further investigation, Bleeping Computer received a statement from Twilio denying involvement in any breach (and according to an update from MellowOnline1 , Valve has indicated that it does not use Twilio anyway). The data allegedly included SMS messages with one-time Steam passcodes and user phone numbers, but Bleeping Computer could not verify the source, nor could it confirm the threat actor’s claims.
What Steam users need to do
While this supposed threat doesn’t actually necessitate alarm, it doesn’t hurt to ensure you have additional security set up on your Steam account. You can change your Steam password (found under Settings or Preferences) and enable Steam Guard Mobile Authenticator , Steam’s 2FA feature. You should also be on the lookout for unauthorized login attempts and use caution when engaging with any messages about your account that appear to come from Steam support, as these may actually be phishing attempts capitalizing on user panic.
