.png)
Sign in to your XDA account
A breach has affected gaming's beloved Valve, with some 89 million records relating to Steam users and 2FA codes being the trove of data up for sale. While many were quick to dispel the seriousness of the leak, others questioned whether it was even real. The data references Twilio as the "Vendor Name", though Twilio has denied suffering a breach, and Valve took some time to release a statement aside from confirming to MellowOnline1 that they do not use Twilio's services. I managed to get a copy of the sample data when the news first broke, and having reviewed it, I don't necessarily believe it's as much of a nothingburger as many are making it out to be.
Of course, one thing to get out of the way first: this could certainly have been an elaborate hoax when it was first reported. However, it appeared that the data had already been sold, and the seller, posting as Machine1337, has since published two more sets of sample data; one allegedly relating to Apple, and the other allegedly to Snapchat. What's more, Machine1337 may have ties to EnergyWeaponUser, a name linked to multiple high-profile breaches such as Cisco and Ford. The evidence suggests that these are two different people, but the Machine1337 username has also been active for at least a year on some of these hacking forums. A number of smaller leaks, such as a leak of text messages sent to passengers from Turkish Airlines, have been attributed to Machine1337, and that particular breach occurred in April of this year.
While all of this could certainly point to a poser looking to make a name for themselves while piggybacking off the names of others, the authenticity of the data at the time wasn't the point. The point was that it wasn't, nor is it still something to scoff at, even though the data may appear harmless on the surface. It's understandable to approach the situation with a healthy dose of skepticism and general distrust (as you should have), but I've seen others completely dismiss it under the assumption that the data is simply meaningless or was completely fabricated, despite not seeing the data for themselves.
Even now, there are still a few reasons to be concerned, even if the danger doesn't feel immediate.
Targeted phishing is the biggest risk by far
And users just became bait
Image Credit: LayerX Labs
First and foremost, let's go over what the data contains. Truth be told, it's fairly boring, mostly filled with metadata relating to cost per text message, the operator used to send the text, and the country of the user. Plus, the Steam Guard codes are obviously long past their use-by date, though the dataset also contains codes relating to changing account credentials. The wide range of languages in the texts also lent credence to the authenticity of the dataset before it was confirmed, with English, Portuguese, German, Russian, and more languages being present. However, when it comes to phone numbers, there are only 1,825 unique phone numbers in the dataset out of the 3,000 supplied. If (big if) the duplication ratio in the sample holds across the full dump, you’d expect roughly 54 million unique numbers. It's still a lot, but it's also almost half of the original figure that it appeared to be at first.
There were always a few reasons to believe the authenticity of the leak, from the varied data to the multiple languages, and even the forums where these were posted. Many of these so-called underground forums run a tight ship when it comes to the selling of hacked data, and Machine1337 would certainly have been banned had those other leaks been fake and they had scammed other users. Given that we now know that the data is real, it's not 54 million users that had their months-old authentication codes leak, it's 54 million users that just became phishing bait.
We're all aware of what phishing is, and it can be fairly easy to spot a phishing scam given that many of them are targeted at large swathes of users and are sent off with little regard for their relevance to the user receiving the message. This dataset, however, makes targeted attacks (known as spear phishing) possible. For example, there were just over 6,000 Russian speakers in Portugal in 2022. While that number has almost certainly increased since then, most of those attempting to rattle off as many phishing attempts as possible to Portuguese users are not going to be doing so in Russian. A Steam user receiving their Steam Guard code in Russian already provides additional information on how to tailor a text to a specific user, but it gets worse.
There have been many breaches of many different services over the years, and those leaks can include names, phone numbers, email addresses, and more. I checked some of the phone numbers on HaveIBeenPwned and discovered that many of them had already been leaked in the 2021 Facebook dataset that contained approximately 20% of all of Facebook's users, encompassing many personal details, and more than enough to identify a user. Now let's combine that with our Russian user that we've already identified. If a phone number is a match in another dataset, such as Facebook's own, then a threat actor could craft a phishing attempt aimed at a user containing their name, written in their language, referencing an urgency relating to their Steam account. Now you've got the user's attention, and in a way that a regular phishing attempt would not have.
This isn't some hypothetical scenario either; targeted phishing attacks are real, and while one data breach on its own may not seem particularly impactful, combining multiple data sources helps someone to craft an attack tailored to you. In fact, there are "combolists" that combine multiple datasets together, with famous examples you may have heard of being in the form of Collection #1 through to Collection #5. Steam accounts can sell for quite a lot, and weapon skins in the likes of Counter-Strike can be worth hundreds and even thousands of dollars. There's certainly a phishing incentive when it comes to Steam users, and combined with other datasets, it can prove to be quite dangerous for users whose data has been leaked. While you and I both know to be careful of random text messages, not everyone is as diligent, and this just gave would-be attackers a way to uniquely tailor their messages to their victims in an attempt to steal potentially thousands of dollars.
Lateral movement is a real threat
How do we know more systems weren't compromised?
Source: GamesRadar
The other side of the coin, and one that I was particularly worried about, was the potential for lateral movement. Essentially, this is a process in which the attacker moves deeper into the network, gaining access to more systems as they go. If Valve itself was breached, who's to say this dataset was the end of it? While companies should employ internal security as stringently as they employ external security, that isn't always the case. If a company doesn't employ zero-trust principles, anyone connected to the internal network might pass through the rest of the network as a trusted connection, free to attempt to access other internal systems once a foot is already in the door.
To be clear, we now know that this hasn't happened as of Valve's May 14th statement, and to be honest, it wasn't all too likely from the outset. Machine1337's other leaks appear to have stopped where they started, such as in the case of Turkish Airlines. Nothing more came of that, but with potential ties to EnergyWeaponUser, it wasn't out of the question to be worried. What appears most likely to have happened is that they gained access to an intermediary that handles text messaging for Valve. Valve has said that it does not use Twilio, and Twilio denied a breach. It may be the case that an intermediary contracts Twilio in Portugal (and perhaps other regions) to send Steam-related texts.
With that said, we didn't have enough information to rule anything out, and the instant dismissal of a potential Valve breach, in the absence of official information, was nothing short of frustrating. Valve took quite a while to deny it, and theoretically, it could have been the case that the company had been breached. Obviously, we know now that this wasn't the case, but it was never out of the question. While we can make assumptions that Valve almost certainly stores login details with best practices in mind, a company experiencing a breach, which could potentially have been Valve in this case, has already slipped up somewhere. Who knows where else a company suffering a data breach made mistakes?
As an aside, this is why changing your passwords is always a recommended practice when talking about any breach of a service. It's not "fear-mongering" in the absence of information to encourage users to change their passwords, especially given that rotating passwords at regular intervals can be considered a part of best practices, anyway. Forced password rotations are bad as they cause users to engage in less secure practices overall, like iterating on existing passwords, writing them down, or saving them in unsecured locations, but anyone serious about security will have a password manager and consistently use robust passwords, which negates the negative side of password rotation.
Yes, the scenario in which Valve itself was breached is now hypothetical, as Valve says the leaked SMS data is detached from Steam accounts, and Twilio denies any compromise. I'm aware of that fact, but every security breach is hypothetical until it happens. Breaches are only stopped by planning for the hypotheticals, and the only way to prevent a security breach is to be proactive rather than reactive; if you're reactive, you're already too late. Modern guidance (NIST SP-800-63B and the UK NCSC) is clear: when there’s a plausible chance your credentials were exposed, you change them. That’s known as an event-driven reset, not just a regular password rotation policy. Given the real-world cash value of some Steam inventories and the prevalence of credential-stuffing, a one-time reset plus enabling the Steam Mobile Authenticator is a low-cost, high-reward response. Calling that "fear-mongering" misunderstands both the standards and the stakes.
If you thought your bank "might" have suffered a security breach that could potentially give an attacker access to your account, and you had no information to confirm it either way, other than some data had leaked, you'd change your password right away.
Treat every security breach as a potential risk
Even if it seems unlikely to be a problem
While it may be tempting to dismiss something as trivial as old authentication codes and phone numbers, there are reasons why the data is still concerning. It's not only how it can be combined with other datasets, but it's also the fact that a company somewhere in the chain was breached in the first place. Until it's stated otherwise, the safest move is to always assume that there's a level of risk to your account. That way, you can take steps to protect yourself proactively, rather than waiting for a potential danger to only react when it's too late. In that scenario, at best, you could get locked out of your Steam account while waiting for Valve support to transfer its ownership back to you. At worst, you could lose access to your account forever.
To reiterate, again, we know now that Valve was not breached. Nor did I think that there was a significant likelihood that anyone was going to suffer as a result or would lose access to their Steam account as a result of this breach. I personally believed that it was likely an intermediary service had been hacked, and that there'd be no way to transition from that service to Valve's internal networks. I also don't expect more to come concerning Valve in this data leak. However, targeted phishing is real, and this leak enables exactly that. Plus, even a small chance of being hacked doesn't mean people should sit idly and wait for it to happen. There's a reason companies recommend changing your passwords when a service is breached, even when the service says its passwords are hashed and salted. Modern guidelines draw a line between routine rotation and event-driven resets, and a reasonable suspicion is more than enough to move the dial from a routine rotation to an event-driven reset. In the absence of information, erring on the side of caution is always the better move.
I'm not saying to lose any sleep over this breach, but it feels like this event has highlighted a wider lack of concern for personal data leakage and personal security. While Valve is technically correct in that the phone numbers aren't linked to accounts directly, many of these numbers can be linked to accounts with some effort. I would argue that anyone using a weaker password who knows that they are in other datasets should change their password anyway, because anyone buying this dataset will intend to use it for phishing attempts and combine it with other datasets. Datasets can be linked together to build an accurate picture of who you are as a person, which makes targeted phishing easier, and this is yet another to add to the pile. In the worst case, an initial dataset being leaked could be a sign of more to come, too, though we know that likely isn't the case here. At the very least, take this as an opportunity to use a password manager and improve on your passwords and overall security. After all, plenty of datasets have been sold and passed around only to surface months later for the first time.
English (US) ·