Support us on Patreon to keep GamingOnLinux alive. This ensures all of our main content remains free for everyone. Just good, fresh content! Alternatively, you can donate through PayPal. You can also buy games using our partner links for GOG and Humble Store.
We use affiliate links to earn us some pennies. Learn more.

Here's a statement from Valve on the reported Steam data breach

By -
Last updated: 14 May 2025 at 10:09 pm UTC

There's been reports of a Steam data breach recently, and instead of jumping the gun I reached out to Valve first to see what was going on.

From what I can tell the reports originated on LinkedIn from "Underdark.ai" that claimed there was a "Massive Alleged Steam Data Breach: 89M+ Records for Sale". This was then picked up on X/Twitter, and then lots of news websites posted it up. The initial report mentioned the company Twilio, who told me earlier today:

There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio.

A Twilio Spokesperson

Next up, the full statement sent to me by Valve:

Yesterday we were made aware of reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems.

We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.

The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.

From a Steam perspective, customers do not need to change their passwords or phone numbers as a result of this event. It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious. We recommend regularly checking your Steam account security at any time at https://store.steampowered.com/account/authorizeddevices.

We also recommend Steam users set up the Steam Mobile Authenticator if they haven’t already, as it gives us the best way to send secure messages about their account and that account’s safety.

Valve Press

Will update when I learn any more verified information.

Quick little update 11:09 BST — Valve have now posted it officially on Steam.

Article taken from GamingOnLinux.com.
Tags: Security, Misc, Steam, Valve
21 Likes
About the author -
author picture
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly checked on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. You can also follow my personal adventures on Bluesky.
See more from me
Some you may have missed, popular articles from the last month:
All posts need to follow our rules. For users logged in: please hit the Report Flag icon on any post that breaks the rules or contains illegal / harmful content. Guest readers can email us for any issues.
12 comments Subscribe

Purple Library Guy 8 hours ago
So . . . all that could really happen here is that some phisher could send your phone an old text message and maybe if you responded you could have a problem. Well, joke's on them--I don't have a phone so they can't send me any text messages!
Liam Dawe 8 hours ago
  • Admin
"Do you guys not have phones?"
Mountain Man 7 hours ago
This is an indictment of modern news organizations, where someone can anonymously post false information to a website, and it gets picked up as a legitimate story without anybody bothering to vet it. Liam being an exception, of course.


Last edited by Mountain Man on 15 May 2025 at 3:26 am UTC
devland 7 hours ago
All of the maistream gaming media sites jumped on the "you need to change your password yesterday" train and pushed a random shitter msg as objective truth while amplifying the fear around it for clicks and engagement. Shame on them for not checking the source and shame on everyone that fell for it.
Kimyrielle 6 hours ago
Imagine a world where Steam would have support for hardware tokens, or at least passkeys. Anything remotely close to state of the art security really.

What they offer is... SMS "2FA".

Who in their right mind would ever want to use the one item in your possession with the greatest probability to get lost or stolen (which is your phone) as a security key anyway?

smh
R Daneel Olivaw 5 hours ago
  • Supporter
^ huh?

I have 2fa on my steam account and I've never used sms. I use the app which does a popup. Seems fine to me.

Anything that doesn't use email/txt is great.
Kimyrielle 5 hours ago
I haven't seen their app, but last time I checked their 2FA FAQ it was using your phone (more precise, your phone number) as a security token and JUST that. Which is an extremely stupid thing to do, for reasons I stated above.
Leahi84 5 hours ago
I can never imagine in a million years losing my cellphone or having it be stolen. I've been using cell phones since the very early 2000s when all they could do was play that snake game. It's never, ever happened once to me in all that time. I'm too protective of it to ever have that happen.
Kimyrielle 5 hours ago
I can never imagine in a million years losing my cellphone or having it be stolen. I've been using cell phones since the very early 2000s when all they could do was play that snake game.

I got my first cell phone in the late 90s, never lost one or got one stolen, either. Statistically, both of us are still very anecdotal evidence, because LOTS of people lose their phone every year. 2FA security needs backups just as much as your hard drive, and that's what many people don't seem to understand. I have multiple YubiKeys for that reason. If I lose one, I still have access to my stuff, because I got a backup elsewhere. Now if Steam would just support them... *sigh*

The idea to have a single point of failure in any security scenario is revolting to me. But then again, I am not the one who will have to talk to Steam support for months to get their account back if they lose their phone a.k.a. single point of failure token. *shrug*
CatKiller 4 hours ago
  • Supporter Plus
I haven't seen their app, but last time I checked their 2FA FAQ it was using your phone (more precise, your phone number) as a security token and JUST that. Which is an extremely stupid thing to do, for reasons I stated above.
It doesn't use your phone number. Valve don't know my phone number. It uses the app to approve or deny a login attempt.

https://help.steampowered.com/en/faqs/view/06B0-26E6-2CF8-254C#enablephone


Last edited by CatKiller on 15 May 2025 at 2:23 am UTC
Linux_Rocks 4 hours ago
I use the Steam app for two-way verification too. The Google Fi VPN that I use on my phone sometimes throws it off though. Cause it thinks that my phone is either in Mountain View CA or Chicago IL. lol
Mountain Man 3 hours ago
The Steam authenticator has a recovery code, and you can generate 30 one time use backup codes, all of which can be securely stored somewhere like a password safe such as BitWarden or KeePass, so even if your phone is stolen or bricked, you won't be locked out of your account.
While you're here, please consider supporting GamingOnLinux on:

Reward Tiers: Patreon. Plain Donations: PayPal.

This ensures all of our main content remains totally free for everyone! Patreon supporters can also remove all adverts and sponsors! Supporting us helps bring good, fresh content. Without your continued support, we simply could not continue!

You can find even more ways to support us on this dedicated page any time. If you already are, thank you!
Login / Register

Register Forgot Login?
★ Support Us
Popular this week
Search or view by category
Contact
Latest Guides
SteamOSHow to set, change and reset your SteamOS / Steam Deck desktop sudo password
By Liam Dawe,
Decky LoaderHow to set up Decky Loader on Steam Deck / SteamOS for easy plugins
By Liam Dawe,
> View more Tips & Guides
Latest Comments
Buy Games
Buy games with our affiliate / partner links:
Misc