
Here's a statement from Valve on the reported Steam data breach

Last updated: 14 May 2025 at 10:09 pm UTC

There have been reports of a Steam data breach recently, and instead of jumping the gun I reached out to Valve first to see what was going on.

From what I can tell, the reports originated on LinkedIn from "Underdark.ai", which claimed there was a "Massive Alleged Steam Data Breach: 89M+ Records for Sale". This was then picked up on X/Twitter, and then lots of news websites posted it up. The initial report mentioned the company Twilio, who told me earlier today:

There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio.

A Twilio Spokesperson

Next up, the full statement sent to me by Valve:

Yesterday we were made aware of reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems.

We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.

The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.

From a Steam perspective, customers do not need to change their passwords or phone numbers as a result of this event. It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious. We recommend regularly checking your Steam account security at any time at https://store.steampowered.com/account/authorizeddevices.

We also recommend Steam users set up the Steam Mobile Authenticator if they haven’t already, as it gives us the best way to send secure messages about their account and that account’s safety.

Valve Press

Will update when I learn any more verified information.

Quick little update 11:09 BST — Valve have now posted it officially on Steam.

Article taken from GamingOnLinux.com.
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly checked on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. You can also follow my personal adventures on Bluesky.
16 comments

Purple Library Guy 19 hours ago
So . . . all that could really happen here is that some phisher could send your phone an old text message and maybe if you responded you could have a problem. Well, joke's on them--I don't have a phone so they can't send me any text messages!
Liam Dawe 18 hours ago
  • Admin
"Do you guys not have phones?"
Mountain Man 18 hours ago
This is an indictment of modern news organizations, where someone can anonymously post false information to a website, and it gets picked up as a legitimate story without anybody bothering to vet it. Liam being an exception, of course.


Last edited by Mountain Man on 15 May 2025 at 3:26 am UTC
devland 18 hours ago
All of the mainstream gaming media sites jumped on the "you need to change your password yesterday" train and pushed a random shitter msg as objective truth while amplifying the fear around it for clicks and engagement. Shame on them for not checking the source and shame on everyone that fell for it.
Kimyrielle 16 hours ago
Imagine a world where Steam would have support for hardware tokens, or at least passkeys. Anything remotely close to state of the art security really.

What they offer is... SMS "2FA".

Who in their right mind would ever want to use the one item in your possession with the greatest probability to get lost or stolen (which is your phone) as a security key anyway?

smh
R Daneel Olivaw 16 hours ago
  • Supporter
^ huh?

I have 2fa on my steam account and I've never used sms. I use the app which does a popup. Seems fine to me.

Anything that doesn't use email/txt is great.
Kimyrielle 16 hours ago
I haven't seen their app, but last time I checked their 2FA FAQ it was using your phone (more precisely, your phone number) as a security token and JUST that. Which is an extremely stupid thing to do, for reasons I stated above.
Leahi84 15 hours ago
I can never imagine in a million years losing my cellphone or having it be stolen. I've been using cell phones since the very early 2000s when all they could do was play that snake game. It's never, ever happened once to me in all that time. I'm too protective of it to ever have that happen.
Kimyrielle 15 hours ago
"I can never imagine in a million years losing my cellphone or having it be stolen. I've been using cell phones since the very early 2000s when all they could do was play that snake game."

I got my first cell phone in the late 90s, never lost one or got one stolen, either. Statistically, both of us are still very anecdotal evidence, because LOTS of people lose their phone every year. 2FA security needs backups just as much as your hard drive, and that's what many people don't seem to understand. I have multiple YubiKeys for that reason. If I lose one, I still have access to my stuff, because I got a backup elsewhere. Now if Steam would just support them... *sigh*

The idea to have a single point of failure in any security scenario is revolting to me. But then again, I am not the one who will have to talk to Steam support for months to get their account back if they lose their phone a.k.a. single point of failure token. *shrug*
CatKiller 15 hours ago
  • Supporter Plus
"I haven't seen their app, but last time I checked their 2FA FAQ it was using your phone (more precisely, your phone number) as a security token and JUST that. Which is an extremely stupid thing to do, for reasons I stated above."
It doesn't use your phone number. Valve don't know my phone number. It uses the app to approve or deny a login attempt.

https://help.steampowered.com/en/faqs/view/06B0-26E6-2CF8-254C#enablephone


Last edited by CatKiller on 15 May 2025 at 2:23 am UTC
Linux_Rocks 14 hours ago
I use the Steam app for two-way verification too. The Google Fi VPN that I use on my phone sometimes throws it off though. Cause it thinks that my phone is either in Mountain View CA or Chicago IL. lol
Mountain Man 13 hours ago
The Steam authenticator has a recovery code, and you can generate 30 one time use backup codes, all of which can be securely stored somewhere like a password safe such as BitWarden or KeePass, so even if your phone is stolen or bricked, you won't be locked out of your account.
Samsai 9 hours ago
  • Editor
  • Supporter Plus
So, basically the scariest thing about it is that someone managed to get their hands on a bunch of SMS data. So, theoretically if they know the account details and can continuously intercept text messages, they could get into an account.

The main issue is that this sort of thing has been going on for a while and it's not Steam specific. The cellular network is full of holes and ancient systems that were designed with 1970s threat models in mind.


Last edited by Samsai on 15 May 2025 at 7:57 am UTC
tmtvl 5 hours ago
The Steam app is 1) not open source, and 2) not available on Ubuntu Touch. That all despite the fact that its 2FA code generation is standard TOTP. Yet they don't allow you to just use regular TOTP 2FA because they want to show a pop-up for trades. So yeah, Valve can go deep-throat a cactus, I'm just gonna stick to e-mail + SMS.
WildCoder 5 hours ago
I wish they'd add a regular authenticator app but I have to admit that their mobile app works pretty well. Just annoying that it can't be set up anywhere else.

Also I checked Steam account security at the link they provided. It lists all my logged in devices. I noticed an old phone but there's no option to remove just that one device; the only option is to log out of everything. Lame.
WORM 48 minutes ago
"Just annoying that it can't be set up anywhere else."
I have mine in my 2FAS app.
Admittedly it's not trivial to set up but there's a few tools out there to facilitate it. All while keeping Steam Guard working in the Steam app.