No, Steam wasn’t compromised—but your security practices are still important.


A dubious AI company attempted to tout a false Steam breach, but their story fell apart almost instantly. While this incident was fake, future threats could be real. Here’s how to safeguard your account, which could be worth a significant amount of money.

A recent LinkedIn post claims that a database with 89 million Steam account details, including one-time passcodes (OTPs) for two-factor authentication (2FA), is for sale at $5,000—a surprisingly low price for such a massive leak.

Despite the alarming claims and social media shares, the evidence presented was entirely fabricated. Fortunately, Apple users can utilize the built-in Passwords app that now supports two-factor codes for iPhone, iPad, and Mac.

Twilio Denies Involvement

This claim was initially spread by a small cybersecurity firm, Underdark AI, which posted about it on LinkedIn. They alleged that a hacker named “Machine1337” was selling the data on a dark web forum, purportedly exposing 2FA codes, phone numbers, and timestamps for millions of Steam users.

This would indeed be concerning—if it were true. However, Twilio, the cloud communications provider that was speculated to have leaked the SMS logs, explicitly denied any connection to this incident, and Steam does not use Twilio.

Several aspects of the data raise suspicions. The sample contains outdated SMS messages formatted generically, lacking login tokens, account IDs, or any metadata typical of a legitimate breach. Additionally, there are duplicate entries, and the timestamps are inconsistent, suggesting that the records may have been cobbled together from older leaks. Security researchers have noted that the dataset does not align with how Steam typically sends 2FA codes.

Moreover, there has been no verification of a breach from official sources or credible threat intelligence.

Steam Refutes the Breach

Steam responded via email to inquiries about the rumored breach, stating that there has been no breach of their systems, as shared in a transcript on GamingOnLinux.

We’re still investigating the source of the leak, which is complicated by the fact that SMS messages are unencrypted in transit and go through multiple providers before reaching your phone.

The leak involved older text messages containing one-time codes that were only valid for 15 minutes, along with the phone numbers they were sent to. The leaked information does not link any phone numbers to Steam accounts, passwords, payment details, or other personal information. Old text messages cannot compromise your Steam account’s security, and if a code is used to change your email or password, you will receive a confirmation via email or Steam secure messages.

From Steam’s perspective, customers do not need to change their passwords or phone numbers due to this situation.
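
An added example (not from the article, Steam, or any researcher quoted here) of the checks described above: it counts duplicate rows, timestamps that jump backwards, and codes still inside the 15-minute validity window in a claimed OTP-log sample. The row layout, the sample rows, and the assumption that a genuine log export is chronological are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

OTP_LIFETIME = timedelta(minutes=15)  # validity window quoted in Steam's statement

# Constructed sample rows (not from any real dataset): (timestamp, phone, message)
SAMPLE = [
    ("2025-03-02T10:15:00+00:00", "+15550100001", "Your code is 48213"),
    ("2025-03-02T10:15:00+00:00", "+15550100001", "Your code is 48213"),  # exact duplicate
    ("2025-03-01T08:00:00+00:00", "+15550100002", "Your code is 90417"),  # jumps backwards
    ("2025-03-02T11:40:00+00:00", "+15550100003", "Your code is 27755"),
]

def triage(rows, now, lifetime=OTP_LIFETIME):
    """Summarise red flags in a claimed OTP-log sample.

    rows: iterable of (ISO-8601 timestamp, phone, message) tuples
    now:  timezone-aware datetime at which the sample is being assessed
    """
    parsed = [(datetime.fromisoformat(ts), phone, msg) for ts, phone, msg in rows]

    # Identical rows repeated: a sign of records stitched together from older dumps.
    duplicates = sum(n - 1 for n in Counter(parsed).values())

    # Assumption: a genuine export is written in time order, so each
    # backwards jump between neighbouring rows counts as an inconsistency.
    out_of_order = sum(1 for a, b in zip(parsed, parsed[1:]) if b[0] < a[0])

    # Only codes still inside their validity window could be used at all.
    live = sum(1 for ts, _, _ in set(parsed)
               if timedelta(0) <= now - ts < lifetime)

    return {
        "rows": len(parsed),
        "duplicates": duplicates,
        "out_of_order": out_of_order,
        "live_codes": live,
    }

if __name__ == "__main__":
    assessed_at = datetime.fromisoformat("2025-05-14T00:00:00+00:00")
    print(triage(SAMPLE, assessed_at))
```

A sample with zero live codes, repeated rows and backwards timestamps matches the pattern the article describes: old messages that cannot be used to take over an account.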

How to Protect Your Online Accounts

This event serves as a reminder of the importance of 2FA. Two-factor authentication adds an extra verification step during login, typically through a time-sensitive code sent via an app or SMS.

These codes provide an additional layer of security against attackers who may have your password. The most effective method is app-based 2FA.

Apple Passwords supports two-factor authentication codes.

Apps like Apple’s built-in Passwords, Steam Guard, Google Authenticator, and Authy generate codes directly on your device, minimizing the risks associated with SMS transmission.

While SMS-based 2FA is better than none, it’s more susceptible to phishing attacks and SIM-swapping.

There’s no need for alarm over the alleged Steam leak. Use this as an opportunity to enhance the security of your accounts through app-based two-factor authentication.