Valve has responded to reports of an alleged “massive” Steam data leak, insisting none of its systems have been breached and no account, password, payment, or personal data has been stolen. It has, however, confirmed hackers accessed a number of “older text messages” containing limited information.
Unsubstantiated reports of a Steam data breach first surfaced over the weekend, when a widely shared LinkedIn post claimed a “threat actor” had appeared on a “well-known dark web forum claiming to have breached Steam” and was “offering a dataset of over 89m user records” for $5K USD. A later update claimed the breach was related to “real-time [two-factor authentication] SMS logs”, and that analysis of the leaked data suggested the hacker had gained “backend access to a vendor dashboard or API, not Steam directly.”
Valve has now responded to those claims, saying it has “examined the leak sample and… determined this was not a breach of Steam systems.” The leak specifically relates to “older text messages”, it added, and Steam users “do not need to change [their] passwords or phone numbers as a result of this event.”
“You may have seen reports of leaks of older text messages that had previously been sent to Steam customers,” the company wrote in a full message shared on Steam. “We have examined the leak sample and have determined this was not a breach of Steam systems. We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.”
“The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to,” it continued. “The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages”
“You do not need to change your passwords or phone numbers as a result of this event,” Valve added. “It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious. We also recommend setting up the Steam Mobile Authenticator if you haven’t already, as it gives us the best way to send secure messages about your account and your account’s safety.”