Valve denies Steam data breach, says accounts are secure
No, your Steam account has not been hacked. Valve has responded to recent leaks and rumors about a data breach and 89 million-plus accounts on sale on the dark web.
The company examined a leak sample and found it only contained "older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to."
More importantly, Valve confirmed, "The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data."
The company said that older text messages "cannot be used to breach the security of your Steam account," and "whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages."
You won't need to change your passwords or phone numbers, but it is good practice to set up an authenticator to secure your account. For more information on setting up and activating Steam Guard, refer to the documentation on Steam's support page.
The original report of the hack can be traced to a LinkedIn account, Underdark.ai, which claimed that a threat actor with the handle Machine1337, posted a dataset with 89 million Steam user accounts on the dark web.
The report said the accounts were being sold for $5000 (€4463.50 or £3766) and required a Telegram account for purchase. The report also mentioned internal vendor data in the set, hinting at possible admin access.
The report has since been updated to confirm the leak contained "real-time 2FA SMS logs routed via Twilio." Interestingly, Twilio has also denied a breach, and Valve clarified that it doesn't use Twilio for authentication.
At this time, Valve hasn't been able to verify the source of the leak or how the two-factor authentication (2FA) logs ended up on the dark web.
Source(s)
