UPDATE (14/05/25, 5:40 PM BST): Mellow_Online1 has tweeted an update, writing: “I have been contacted by a Valve representative, and they have stated that they do not use Trillio.”
Meanwhile, SteamDB has flagged a LinkedIn post from Dr. Christopher Kunz, a security writer at German tech site Heise, who wrote in an article on the alleged breach: “The dataset contains phone numbers and (expired) one-time codes, but no references to access data such as usernames, Steam IDs, or even password hashes. Whether Steam customers should now change their passwords as a precaution or install the ‘Steam Guard’ security app seems at least questionable.”
He added that stolen phone numbers could potentially be used “to launch convincing phishing campaigns enticing users with Steam vouchers or threatening account suspension”, meaning you might want to be vigilant if you’ve recently used SMS codes as part of your Steam 2FA.
Original story follows:
Steam is one of the most popular platforms on PC, but it’s also been among the most secure. Unfortunately, it looks like one vendor that Valve may have worked with at some point has suffered a data breach, which has compromised the credentials of over 89 million users.
That’s close to 70% of the entirety of Steam’s active user base, so there’s a good chance your username and password is included in this leak.
The information comes from Mellow_Online1 on Twitter, who brought attention to an Underdark AI Linkedin post about the discovery. It reveals that a hacker, who goes by the handle Machine1337, claims in post on a popular dark web forum that they’re in position of over 89 million Steam user records.
According to the seller, this is a “fresh” leak that includes more than user names and passwords – though they didn’t share specifics. Further analysis by Underdark AI has apparently revealed that the batch contains two-factor SMS logs, message contents, metadata, delivery status and other details.
The vendor, which Valve had likely worked with in the past, appears to be the source of this breach. The vendor’s name appears in the logs, according to the post. It’s not unusual for Valve and other major companies to rely on third-party cloud hosts for tasks like sending users 2FA texts, but, so far at least, it appears Steam itself has not been breached.
While it’s not clear what, exactly, the bad actor is in position of, you should assume the leak includes user names and passwords, among other things. If a third-party 2FA vendor has indeed been breached, this could allow hackers to utilise their services to send fake messages to Steam users, or hijack real 2FA requests.
Whenever user details leak online, the first thing bad actors try to do is to also see if the same credentials are in use on multiple sites, which is something most of us are guilty of. This is why it’s crucial to change your Steam password, just to be safe. You should also enable two-factor authentication (Steam Guard) on all your accounts, and make sure to only use codes sent at the moment you initiated the request.
Thanks, XDA Developers.
