On May 13, 2025, a potential data breach impacting 89 million Steam accounts emerged, linked to a third-party service vulnerability.
The incident, involving stolen 2FA SMS logs, has sparked widespread concern among gamers.
While Steam itself wasn’t directly breached, the risks of phishing and account hijacking are significant.
This article explores the breach details, user risks, and essential steps to secure your Steam account.
Table of Contents
What Happened to Steam Accounts in 2025?
A reported data breach affecting 89 million Steam accounts has sent shockwaves through the gaming community.
The issue, first highlighted by independent games journalist
@MellowOnline1 on X, stems from a supply-chain compromise rather than a direct breach of Steam’s systems.
A hacker using the alias Machine1337 (also known as EnergyWeaponsUser) is allegedly selling the data for $5,000 on a dark web forum, as reported by BleepingComputer on May 13, 2025.
The leaked data includes real-time SMS logs used for two-factor authentication (2FA), message content such as 2FA codes, delivery statuses, routing costs, and metadata like timestamps and recipient phone numbers.
Valve Corporation, Steam’s parent company and the world’s largest digital distribution platform for PC games with over 120 million monthly active users, has not officially confirmed the breach.
However, the incident has raised significant concerns about user security, particularly the risks of phishing attacks and session hijacking, where hackers could intercept 2FA codes to access accounts.
Was Twilio Involved in the Steam Data Breach?
Initial speculation pointed to Twilio, a cloud communications company that provides SMS-based 2FA services for various platforms, as the source of the breach.
The leaked data contained SMS logs that appeared to originate from Twilio’s backend systems, leading
@MellowOnline1 to hypothesize a compromised admin account or abused API keys.
Twilio, known for its Verify API and Authy 2FA app, has a history of security incidents, including a July 2024 breach affecting 33 million Authy users and an alleged hack of its parent company SendGrid in April 2025 (which SendGrid denied).
However, Twilio issued a statement to BleepingComputer on May 13, 2025, denying any breach: “There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio.” Adding to the confusion, a Valve representative reportedly told
@MellowOnline1 that Steam does not use Twilio for its 2FA services, casting doubt on Twilio’s involvement.
BleepingComputer suggested an alternative theory: the data might have originated from an intermediary SMS provider between Steam and its users, though this remains unverified.
What Does the Leaked Data Include?
The sample data examined by BleepingComputer, consisting of 3,000 records, includes:
- Real-time SMS logs used for 2FA authentication.
- Message content, such as the 2FA codes themselves.
- Delivery status and routing costs (the cost to send SMS messages).
- Metadata, including timestamps and recipient phone numbers.
Notably, the leak does not appear to include critical information like passwords, account credentials, or payment details.
However, the presence of 2FA codes and phone numbers poses significant risks.
Hackers could use this information for phishing attacks, crafting fake messages that appear legitimate to trick users into revealing more sensitive data.
They could also attempt session hijacking by intercepting or replaying 2FA codes to bypass login protections.
Some of the data dates back to early March 2025, indicating its relative freshness and potential for misuse.
How Serious Is the Threat to Steam Users?
While the breach does not directly compromise Steam accounts, the risks are substantial.
Steam accounts often hold significant value, with some users owning hundreds or even thousands of games worth thousands of dollars.
A compromised account could result in the loss of an entire game library, not to mention the potential exposure of personal and financial information tied to the account.
The primary threats include:
Phishing Attacks: Hackers could use the leaked phone numbers to send convincing fake messages, posing as Steam or other trusted entities to steal login credentials or payment details.
Session Hijacking: With access to 2FA codes, attackers could intercept login attempts and gain unauthorized access to accounts, especially if users rely solely on SMS-based 2FA.
Steam users who have 2FA enabled through Steam Guard, Valve’s proprietary authentication system, are likely safer, as the leak does not contain data that could directly crack this method.
However, users without 2FA or those relying on SMS-based authentication are urged to take immediate action.
How to Protect Your Steam Account in 2025
Given the uncertainty surrounding the breach, Steam users should take proactive steps to secure their accounts:
Change Your Password: Update your Steam password immediately.
Avoid common pitfalls like reusing passwords or using easily guessable information.
Opt for a strong, unique password with a mix of letters, numbers, and symbols.
Enable Steam Guard Mobile Authenticator: Switch to Steam Guard, which uses the Steam mobile app to generate 2FA codes instead of SMS.
This method is more secure and unaffected by the alleged breach.
To set it up, download the Steam app, go to your account settings, and follow the prompts to enable Steam Guard.
Monitor Account Activity: Regularly check your Steam account for unauthorized login attempts or suspicious activity.
Steam provides a login history feature that shows recent access attempts.
Be Wary of Phishing Scams: Avoid clicking links or sharing personal information in response to unsolicited messages, even if they appear to come from Steam.
Always verify the sender’s legitimacy directly through Steam’s official website or app.
Consider Alternative 2FA Methods: If you’re using SMS-based 2FA, consider switching to app-based authenticators like Google Authenticator or Microsoft Authenticator, which are less vulnerable to SMS-related breaches.
The Bigger Picture: Supply-Chain Vulnerabilities in Gaming
This incident highlights the growing risk of supply-chain attacks in the gaming industry.
Unlike a direct breach of Steam’s servers, this compromise likely occurred through a third-party vendor, exposing a weak link in the ecosystem.
Supply-chain attacks target external services that a company relies on, often exploiting weaker security practices to gain access to sensitive data.
In this case, the intermediary SMS provider (if confirmed) may have been the vulnerable point, allowing hackers to access Steam’s 2FA logs without breaching Steam or Twilio directly.
The gaming industry has seen similar incidents in the past.
For example, in 2022, Twilio suffered a phishing attack that impacted 163 of its customers, including secure messaging app Signal and authentication firm Okta, demonstrating the ripple effects of third-party breaches.
The Steam incident underscores the need for companies to thoroughly vet their vendors and implement robust security measures, such as zero-trust architecture and stronger API protections, to mitigate such risks.
Why Is This Happening Now?
The timing of this alleged breach coincides with a broader wave of cybersecurity challenges in 2025.
Hackers are increasingly targeting gaming platforms due to their large user bases and the high value of digital assets like game libraries and in-game purchases.
Steam, with its 120 million monthly active users, is a prime target.
Additionally, the reliance on SMS-based 2FA, long known to be insecure, continues to be a weak point for many platforms.
Security experts have advocated for years to move away from SMS authentication in favor of app-based or hardware-based methods, yet many companies, including those in the gaming sector, have been slow to adapt.
The hacker, Machine1337, is a known figure in cybercrime circles, previously linked to breaches involving major companies like Cisco and Ford.
The low asking price of $5,000 for 89 million records is unusual and could indicate either a rushed sale to offload the data quickly or a potential hoax.
However, the presence of recent data from March 2025 and the technical details in the sample suggest the leak may be legitimate, even if its origins remain unclear.
What’s Next for Steam and Its Users?
Valve’s silence on the matter has fueled uncertainty, leaving users to take precautions based on limited information.
If the breach is confirmed, it could lead to a surge in phishing attempts and account takeovers, particularly for users who fail to update their security settings.
Steam may face pressure to overhaul its authentication processes and strengthen its vendor relationships to prevent future supply-chain attacks.
For now, the gaming community is on high alert.
Posts on X reflect a mix of concern and skepticism, with some users questioning the legitimacy of the leak while others are already changing their passwords.
The incident serves as a reminder of the importance of cybersecurity in an increasingly digital world, especially for platforms like Steam that hold significant personal and financial value for millions of users.
The alleged Steam data breach affecting 89 million accounts in 2025 has raised serious concerns about user security, even if Steam itself wasn’t directly compromised.
With hackers potentially exploiting a supply-chain vulnerability, the risks of phishing and session hijacking loom large.
By changing passwords, enabling Steam Guard, and staying vigilant, users can protect their accounts while the gaming industry grapples with the broader implications of third-party vulnerabilities.
Stay updated with CTC News.
