On May 13th, Steam users were faced with the news that a breach of some kind had affected gaming giant Valve, with a user known as Machine1337 selling a trove of data containing phone numbers, text metadata, and old Steam two-factor-authentication codes. While these codes were obviously long past their use-by date, the leak raised the question of who had actually suffered the breach. Initially, fingers were pointed at Twilio given its mention in the data, but Valve denied using Twilio's services, and Twilio denied suffering a breach. I reached out to Valve with a number of questions and received the following statement in response. In short, Valve confirms that the data is real, but denies suffering a breach of its own.
Yesterday we were made aware of reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems.
We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.
The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.
From a Steam perspective, customers do not need to change their passwords or phone numbers as a result of this event. It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious. We recommend regularly checking your Steam account security at any time at https://store.steampowered.com/account/authorizeddevices.
We also recommend Steam users set up the Steam Mobile Authenticator if they haven’t already, as it gives us the best way to send secure messages about their account and that account’s safety.
Valve's response is relieving
Though confirmation is concerning, too

While it's great to finally have clarity on the situation, it also raises a big question. Where did the breach occur? As the statement mentions, SMS messages are routed through many providers, so truth be told, there's going to be a lot of digging here to find the source of the breach. As an example, it's possible that an intermediary that contracts Twilio to send messages on its behalf in Portugal could have been compromised, but this is merely speculation, and it's anyone's guess where the breach really originated.
Thankfully, now that we have confirmation that Valve itself wasn't breached, there's no need to change your password as a result, but users will still have valid concerns. While the dataset only contains phone numbers and texts, those phone numbers can be combined with other datasets to paint a broader picture of an individual user. That, plus the language each text was sent in, could be used to craft targeted phishing messages that reference a person's real name and their Steam account. It's not a meaningless breach by any means, but it's thankfully a rather limited one in scope.
As Valve recommends, the best way to protect yourself at present is to set up the Steam Mobile Authenticator rather than relying on SMS 2FA codes. SMS 2FA is inherently weaker, as codes can be intercepted by an attacker who gains control of a user's phone number. You should always use 2FA combined with a password manager to best protect your accounts online.