A cybercriminal has just put a database of 89 million Steam accounts up for sale on the dark web. The leak includes information related to SMS two-factor authentication, including login codes sent via text message to players. While security experts are actively searching for the source of the leak, Valve, the company behind Steam, has stepped up to address the rumors.
The American company has "reviewed the sample" provided by the hacker and "determined that it was NOT a breach of Steam systems". In other words, the platform has not been the victim of an attack. However, Valve confirms that "old text messages" sent as part of two-factor authentication were indeed obtained by the cybercriminal.
Old text messages... and harmless?
As Valve explains, the leak consists of old messages with one-time codes valid for only fifteen minutes. The leaked data does contain phone numbers, but the hackers don't have enough information to associate them with Steam accounts. Therefore, they "cannot be used to breach the security of your Steam account".
Passwords and payment information are also not affected by the leak. Each time "a code is used to change your Steam email address or password using SMS, you will receive confirmation via email and/or Steam Secure Messages," Valve reassures in its press release.
According to Valve, the information in the hacker's possession cannot lead to attacks. However, it should be noted that the leak makes it possible to determine that a phone number belongs to a person who has a Steam account. This is enough for these numbers to become the target of phishing messages that pretend to be Steam.
Valve continues its investigations
Valve continues to investigate the origin of the leak. Everything suggests that a third party involved in sending login codes was the victim of a cyberattack. In order to sell the data at the best price, the hacker then allegedly fabricated a story around the compromise of Steam accounts.
Note that Valve claims that the text messages stolen by the hackers are old. However, several media outlets and experts have unearthed recent messages, dating back to the beginning of March 2025, in the sample provided by the cybercriminal. More will be said as soon as possible about the data leak.
Source: Valve