Steam users are urged to take immediate action following a reported data breach impacting 89 million accounts. The breach came to light through a LinkedIn post by cybersecurity firm Underdark AI. The stolen data appeared for sale on a dark web forum, allegedly offered by a threat actor named Machine1337.
User data offered for US$5,000
According to Underdark AI, the data includes phone numbers and one-time passwords. The hacker is auctioning the database for US$5,000. The stolen information could allow unauthorised access to user accounts that do not have two-factor authentication (2FA) enabled.
Steam remains silent
Valve, the company behind Steam, has not confirmed the breach. The company did not respond to CNET’s request for comment. Speculation initially pointed towards Twilio, a communications provider, as the source. However, Valve reportedly contacted X user MellowOnline1 and denied any connection with Twilio.
Confusion over breach source
No official statement from Valve clarifies the breach origin. Analysts remain uncertain whether the leak occurred through Valve, a third-party provider, or another vector. Until the facts become clearer, experts advise users to take protective measures immediately.
Steam activity remains high
At the time of reporting, more than 30 million users were online on Steam, according to the platform’s statistics page. The breach could potentially affect a large portion of this user base, particularly those without added account protection.
Users urged to secure accounts
Cybersecurity experts recommend that all Steam users change their passwords immediately. This step can limit unauthorised access in the short term.
Further protective measures include:
- Using a password manager to store complex passwords
- Enabling two-factor authentication (2FA) via phone or email
- Avoiding suspicious emails or Steam-related phishing messages
Steam calls its in-house 2FA system “Steam Guard”, which adds an extra layer of account security.
Leaked data raises phishing concerns
The exposed phone numbers and one-time passwords create potential for phishing attempts. Hackers could impersonate Steam with fake game offers or updates. Users receiving unsolicited one-time password messages should ignore them and reset their passwords again.
Steam library at stake
Many Steam accounts contain hundreds of purchased games. If the breach is legitimate, users risk losing access to extensive libraries. The dark web auction raises concerns about data misuse, particularly for accounts lacking security measures.
Ongoing investigation and response
The incident was first reported through a LinkedIn post from Underdark AI. It later gained traction on social media after MellowOnline1 posted on X. The black market listing appears on a reputable forum and shows detailed information on the breach.
The listing’s seller claims the data is valid and unencrypted. This includes email-linked credentials and one-time passwords that could bypass weak security. There are no indications yet of stolen credit card details.
Security advice for all users
Steam users should act now to minimise risk. Regular password updates and 2FA activation remain essential. Those already using Steam Guard should monitor their email and text messages for suspicious activity.
Avoid clicking unknown links or game offers received via email or messages. Hackers often disguise phishing attempts as legitimate offers. If anything appears unfamiliar, report it to Steam Support.
Password hygiene essential
Cybersecurity specialists recommend creating strong passwords using a mix of characters. Users should avoid using familiar words, repeated sequences, or birthdates. Password managers can help manage complex login information securely.
Summary of key steps for users
- Change password immediately
- Use a password manager for stronger security
- Enable two-factor authentication
- Ignore suspicious messages and password prompts
- Monitor email and device activity regularly
No signs of financial data leak
At present, there is no confirmation of compromised financial details. The focus remains on securing user accounts and preventing unauthorised access.
Situation still unfolding
Valve has not officially verified the breach. However, the reported leak and its content have caused widespread concern. Until confirmed otherwise, security professionals encourage proactive protection measures.
The investigation continues, and users are advised to remain alert. Steam has not yet issued any formal communication regarding the incident.
