A sketchy AI firm tried to pass off a bogus Steam breach, but it unraveled almost immediately. This one was a fake, but the next one might not be. Here’s how to protect yourself from losing control of an account that may be worth thousands of dollars.
A recent claim on LinkedIn alleges that a database containing 89 million Steam account records, including one-time passcodes (OTPs) used for two-factor authentication (2FA), is up for sale. The asking price is $5,000, a low figure for a leak of this scale.
But despite the headline-grabbing figure and some reposts online, the evidence supporting this leak was outright fabricated. Fortunately, Apple users can take advantage of the built-in Passwords app, which now supports two-factor codes across iPhone, iPad, and Mac.
Twilio denies the breach
The claim was first amplified by a small cybersecurity firm, Underdark AI, which posted about it on LinkedIn. According to their write-up, a hacker going by “Machine1337” is offering the data on a dark web forum, supposedly exposing 2FA codes, phone numbers, and timestamps for millions of Steam users.
That would be alarming — if it were real. However, Twilio, the cloud communications provider speculated to be the source of the SMS logs, has directly denied involvement — and Steam doesn’t use Twilio.
The data itself raises red flags. The sample includes outdated SMS messages with generic formatting and lacks any login tokens, account IDs, or metadata that would normally accompany a legitimate breach.
Several entries are duplicates, and the timestamps show no consistent pattern, suggesting the records were stitched together from older leaks. Security researchers also pointed out that the dataset doesn’t match how Steam delivers two-factor codes.
There also hasn’t been any confirmation of a compromise from official channels or reputable threat intelligence sources.
Steam denies the breach
Steam provided a statement via email to some that asked about the rumored breach. According to a transcript of the email posted on GamingOnLinux, Steam denies there was a breach of its systems.
We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.
The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.
From a Steam perspective, customers do not need to change their passwords or phone numbers as a result of this event.
How to secure online accounts
The saga offers a good reminder of why 2FA matters. Two-factor authentication adds an extra step to logging into your account, typically a time-sensitive code from an app or SMS.
These codes help stop attackers even if they have your password. The best method is to use app-based 2FA.
Apps like Apple’s built-in Passwords, Steam Guard, Google Authenticator, and Authy generate login codes directly on your device. These avoid the risks that come with SMS delivery.
While SMS-based 2FA is better than nothing, it’s more vulnerable to phishing attacks and SIM-swapping.
There’s no need to panic over this so-called Steam leak. Just take it as a cue to secure your accounts with app-based two-factor authentication.
