Valve confirms Steam 2FA leak affecting 89 million users, no passwords compromised

Daniel Sims

What just happened? News recently circulated indicating that details of around two-thirds of Steam accounts have been leaked onto the dark web. No passwords, payment information, or other personal data were compromised, but users should probably begin using Steam's mobile authenticator app if they haven't already.

A recent Steam security bulletin confirms that hackers have accessed phone numbers and SMS two-factor authentication records linked to most Steam accounts. Steam's internal systems weren't penetrated, and Valve hasn't recommended that users change their passwords. However, now is a good time to review security settings for accounts potentially containing hundreds or thousands of PC games.

The leaked data includes unencrypted but expired 2FA codes and the phone numbers they were sent to. However, Valve stressed that the phone numbers can't be used to identify Steam accounts and that no passwords were leaked. The source of the leak remains unclear, but one of the third-party services that transmit SMS 2FA codes to users is suspected.

Although the leaked codes alone cannot grant hackers access to Steam accounts, the incident should serve as a reminder that 2FA codes sent over SMS are less secure than authenticator apps. While most services use third-party authenticators like Authy or Google Authenticator, Valve employs a proprietary system through the Steam mobile app. It transmits temporary login codes, handles confirmations for account actions, and scans login QR codes.
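The reason an expired SMS code is worthless on its own is that the service issuing it checks more than the six digits: the code is bound to one account, valid only for a short window, and consumed on first use. The following is an added illustration of that server-side check, not Valve's or any SMS provider's code; the account ids, the five-minute window and the timestamps are constructed for the demonstration.

```python
"""Server-side validation of SMS-delivered one-time codes (added example).

Models why a leaked, already-expired code cannot be used by itself: each
code is tied to an account, expires after a short window, and is single
use. Every value below is constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 300  # assumed validity window; real services choose their own


def _hash(account_id: str, code: str) -> str:
    # Bind the code to the account so a code issued for one account
    # never verifies for another, and store only the digest.
    return hashlib.sha256(f"{account_id}:{code}".encode()).hexdigest()


@dataclass
class IssuedCode:
    code_hash: str
    expires_at: float
    used: bool = False


@dataclass
class OtpStore:
    codes: dict = field(default_factory=dict)  # account_id -> IssuedCode

    def issue(self, account_id: str, now: float) -> str:
        # Six-digit code from a CSPRNG. Only its hash is kept, so a dump of
        # this store is not a list of live codes.
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[account_id] = IssuedCode(_hash(account_id, code), now + CODE_TTL_SECONDS)
        return code  # this plaintext is what would be handed to the SMS provider

    def verify(self, account_id: str, code: str, now: float) -> bool:
        issued = self.codes.get(account_id)
        if issued is None or issued.used:
            return False  # unknown account or already consumed
        if now > issued.expires_at:
            return False  # expired: the state of every code in the leak
        if not hmac.compare_digest(issued.code_hash, _hash(account_id, code)):
            return False  # wrong digits (constant-time comparison)
        issued.used = True  # single use: a replayed code fails
        return True


def demo() -> dict:
    """Walk through the cases a defender cares about; returns the outcomes."""
    store = OtpStore()
    t0 = 1_700_000_000.0  # constructed issue time (epoch seconds)
    code = store.issue("acct-123", t0)
    wrong = "000000" if code != "000000" else "111111"
    results = {
        "wrong_code": store.verify("acct-123", wrong, t0 + 10),
        "other_account": store.verify("acct-456", code, t0 + 10),
        "fresh_code": store.verify("acct-123", code, t0 + 10),
        "replayed": store.verify("acct-123", code, t0 + 20),
    }
    # A brand-new code checked after the window has closed is rejected.
    late = store.issue("acct-123", t0)
    results["expired"] = store.verify("acct-123", late, t0 + CODE_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    print(demo())
```

Only the `fresh_code` case succeeds; the same code replayed, a code presented for a different account, or a code checked after its window all fail, which is what makes a dump of expired delivery records by itself insufficient to log in, while still exposing the phone numbers for phishing.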

According to LinkedIn user Underdark.ai, someone recently offered to sell data on 89 million Steam accounts on Mipped, a known dark web forum. After reviewing the data, Valve confirmed that a third-party service that transmits 2FA codes over SMS was breached.

Although reports initially suggested that an internal Twilio account was compromised, the company later denied this. Furthermore, Valve told the security group Sentinels of the Store that Steam doesn't use Twilio. Still, an administrative account for one of the other data handlers might have been the attack vector.

Regardless, users should beware of suspicious communications regarding their Steam accounts. Hackers often disguise phishing attacks as tech support messages and game promotions. Valve states that users will only receive account-related communications that they explicitly requested.

Users should also watch for unusual account activity and review authorized devices. Although Valve confirmed that no passwords were accessed, it might be a good time to change old passwords, begin using a password manager, and check whether you're reusing passwords across multiple accounts.

Steam doesn't use phone numbers for 2FA, they use them as an account recovery method and additional authorization for changing your account information (after you've been authenticated). They only use email and the mobile app for 2FA.
 
Bad actors having my phone number is a big issue for me. When Transport for London got hacked, my email inbox was full of phishing emails for six months. Am I soon to be inundated with phishing telephone calls and text messages? Valve can't blame a third party, they must accept full responsibility for protecting user data.