There have been reports of a Steam data breach recently, and instead of jumping the gun I reached out to Valve first to see what was going on.
From what I can tell the reports originated on LinkedIn from "Underdark.ai", which claimed there was a "Massive Alleged Steam Data Breach: 89M+ Records for Sale". This was then picked up on X/Twitter, and from there by a lot of news websites. The initial report mentioned the company Twilio, who told me earlier today:
There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio.
A Twilio Spokesperson
Next up, the full statement sent to me by Valve:
Yesterday we were made aware of reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems.
We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.
The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.
From a Steam perspective, customers do not need to change their passwords or phone numbers as a result of this event. It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious. We recommend regularly checking your Steam account security at any time at https://store.steampowered.com/account/authorizeddevices.
We also recommend Steam users set up the Steam Mobile Authenticator if they haven’t already, as it gives us the best way to send secure messages about their account and that account’s safety.
Valve Press
Will update when I learn any more verified information.
Quick little update 11:09 BST — Valve have now posted it officially on Steam.
Last edited by Mountain Man on 15 May 2025 at 3:26 am UTC
What they offer is... SMS "2FA".
Who in their right mind would ever want to use the one item in your possession with the greatest probability to get lost or stolen (which is your phone) as a security key anyway?
smh
I have 2FA on my Steam account and I've never used SMS. I use the app which does a popup. Seems fine to me.
Anything that doesn't use email/txt is great.
I can never imagine in a million years losing my cellphone or having it be stolen. I've been using cell phones since the very early 2000s when all they could do was play that snake game.
I got my first cell phone in the late 90s, never lost one or got one stolen, either. Statistically, both of us are still very anecdotal evidence, because LOTS of people lose their phone every year. 2FA security needs backups just as much as your hard drive, and that's what many people don't seem to understand. I have multiple YubiKeys for that reason. If I lose one, I still have access to my stuff, because I got a backup elsewhere. Now if Steam would just support them... *sigh*
The idea to have a single point of failure in any security scenario is revolting to me. But then again, I am not the one who will have to talk to Steam support for months to get their account back if they lose their phone a.k.a. single point of failure token. *shrug*
I haven't seen their app, but last time I checked their 2FA FAQ it was using your phone (more precisely, your phone number) as a security token and JUST that. Which is an extremely stupid thing to do, for reasons I stated above.
It doesn't use your phone number. Valve don't know my phone number. It uses the app to approve or deny a login attempt.
https://help.steampowered.com/en/faqs/view/06B0-26E6-2CF8-254C#enablephone
Last edited by CatKiller on 15 May 2025 at 2:23 am UTC
The main issue is that this sort of thing has been going on for a while and it's not Steam specific. The cellular network is full of holes and ancient systems that were designed with 1970s threat models in mind.
Last edited by Samsai on 15 May 2025 at 7:57 am UTC
Also I checked Steam account security at the link they provided. It lists all my logged-in devices. I noticed an old phone, but there's no option to remove just that one device; the only option is to log out of everything. Lame.
Just annoying that it can't be set up anywhere else.
I have mine in my 2FAS app.
Admittedly it's not trivial to set up but there's a few tools out there to facilitate it. All while keeping Steam Guard working in the Steam app.
^ how'd you do that? I'd love to do the same.
The best guide I know of is the one for ASF: https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Two-factor-authentication#common-steps-for-both-scenarios
You'll want to follow the "Joint authenticator" section.
I imagine the process is similar if you want to use something like steamguard-cli instead of ASF. Once you have the token you can import it into applications that support Steam Guard, such as KeePass XC or 2FAS. You can thank me for Steam Guard support in the iOS 2FAS app btw
