Here's a statement from Valve on the reported Steam data breach

Last updated: 14 May 2025 at 10:09 pm UTC

There have been reports of a Steam data breach recently, and instead of jumping the gun I reached out to Valve first to see what was going on.

From what I can tell the reports originated on LinkedIn from "Underdark.ai" that claimed there was a "Massive Alleged Steam Data Breach: 89M+ Records for Sale". This was then picked up on X/Twitter, and then lots of news websites posted it up. The initial report mentioned the company Twilio, who told me earlier today:

There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio.

A Twilio Spokesperson

Next up, the full statement sent to me by Valve:

Yesterday we were made aware of reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems.

We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.

The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.

From a Steam perspective, customers do not need to change their passwords or phone numbers as a result of this event. It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious. We recommend regularly checking your Steam account security at any time at https://store.steampowered.com/account/authorizeddevices.

We also recommend Steam users set up the Steam Mobile Authenticator if they haven’t already, as it gives us the best way to send secure messages about their account and that account’s safety.

Valve Press

Will update when I learn any more verified information.

Quick little update 11:09 BST — Valve have now posted it officially on Steam.

Article taken from GamingOnLinux.com.
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly checked on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. You can also follow my personal adventures on Bluesky.
11 comments

Purple Library Guy 4 hours ago
So . . . all that could really happen here is that some phisher could send your phone an old text message and maybe if you responded you could have a problem. Well, joke's on them--I don't have a phone so they can't send me any text messages!
Liam Dawe 4 hours ago
  • Admin
"Do you guys not have phones?"
Mountain Man 4 hours ago
This is an indictment of modern news organizations, where someone can anonymously post false information to a website, and it gets picked up as a legitimate story without anybody bothering to vet it. Liam being the exception, of course.
devland 3 hours ago
All of the mainstream gaming media sites jumped on the "you need to change your password yesterday" train and pushed a random shitter msg as objective truth while amplifying the fear around it for clicks and engagement. Shame on them for not checking the source and shame on everyone that fell for it.
Kimyrielle 2 hours ago
Imagine a world where Steam would have support for hardware tokens, or at least passkeys. Anything remotely close to state of the art security really.

What they offer is... SMS "2FA".

Who in their right mind would ever want to use the one item in your possession with the greatest probability to get lost or stolen (which is your phone) as a security key anyway?

smh
R Daneel Olivaw 2 hours ago
  • Supporter
^ huh?

I have 2fa on my steam account and I've never used sms. I use the app which does a popup. Seems fine to me.

Anything that doesn't use email/txt is great.
Kimyrielle 1 hour ago
I haven't seen their app, but last time I checked their 2FA FAQ it was using your phone (more precise, your phone number) as a security token and JUST that. Which is an extremely stupid thing to do, for reasons I stated above.
Leahi84 1 hour ago
I can never imagine in a million years losing my cellphone or having it be stolen. I've been using cell phones since the very early 2000s when all they could do was play that snake game. It's never, ever happened once to me in all that time. I'm too protective of it to ever have that happen.
Kimyrielle 51 minutes ago
"I can never imagine in a million years losing my cellphone or having it be stolen. I've been using cell phones since the very early 2000s when all they could do was play that snake game."

I got my first cell phone in the late 90s, never lost one or got one stolen, either. Statistically, both of us are still very anecdotal evidence, because LOTS of people lose their phone every year. 2FA security needs backups just as much as your hard drive, and that's what many people don't seem to understand. I have multiple YubiKeys for that reason. If I lose one, I still have access to my stuff, because I got a backup elsewhere. Now if Steam would just support them... *sigh*

The idea to have a single point of failure in any security scenario is revolting to me. But then again, I am not the one who will have to talk to Steam support for months to get their account back if they lose their phone a.k.a. single point of failure token. *shrug*
CatKiller 8 minutes ago
  • Supporter Plus
"I haven't seen their app, but last time I checked their 2FA FAQ it was using your phone (more precise, your phone number) as a security token and JUST that. Which is an extremely stupid thing to do, for reasons I stated above."
It doesn't use your phone number. Valve don't know my phone number. It uses the app to approve or deny a login attempt.

https://help.steampowered.com/en/faqs/view/06B0-26E6-2CF8-254C#enablephone


Last edited by CatKiller on 15 May 2025 at 2:23 am UTC
Linux_Rocks less than a minute ago
I use the Steam app for two-way verification too. The Google Fi VPN that I use on my phone sometimes throws it off though. Cause it thinks that my phone is either in Mountain View CA or Chicago IL. lol