Hackers are reportedly selling a trove of 89 million Steam user records on a dark web forum, raising concerns over the security of digital gaming platforms and their service providers.
Hackers Advertise Massive Steam Data Leak on Dark Web
Cyberthreat intelligence firm Underdark.ai discovered a dark web post this week advertising the sale of a large data set allegedly linked to Steam accounts. The seller, using the alias EnergyWeaponUser (Machine 1337), listed the database for US$5,000.
Steam, a digital game distribution platform developed by Valve Corporation, currently serves over 132 million monthly active users. The leaked dataset is said to include user phone numbers and other metadata, raising speculation about a possible breach of the platform.
Supply Chain Compromise Suspected—Not Steam Itself
Underdark.ai clarified that the incident does not appear to be a direct breach of Steam systems. Instead, the leaked data likely originated from unauthorized access to a vendor dashboard, suggesting a supply chain attack involving one of Steam’s service providers.
“New evidence confirms that a leaked sample contains real-time 2FA SMS logs routed via Twilio,” Underdark.ai reported.
Twilio, a major cloud communications provider, offers SMS-based two-factor authentication (2FA) services. However, in a statement to BleepingComputer, Twilio denied being the source of the breach.
Valve Confirms No Breach of Steam Systems
Valve issued a statement to Metroland Media addressing the incident. The company confirmed that it had reviewed the sample and found “this was not a breach of Steam systems.”
“The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data,” Valve said.
Valve acknowledged that tracing the source is complex because unencrypted SMS messages are routed through multiple third-party providers. The company is continuing its investigation but assured users that there is no immediate need to change passwords or phone numbers.
“We also recommend Steam users set up the Steam Mobile Authenticator if they haven’t already,” Valve advised, highlighting its role in account protection.
Risks of Exposed Personal Information
If confirmed, the leak could still present substantial risks. Exposed data such as phone numbers and 2FA messages may be used in:
- Phishing and smishing campaigns
- Account takeovers
- Spear phishing with social engineering
- Credential stuffing if usernames are linked elsewhere
Data exposed on the dark web can be combined with social media data for more targeted attacks, increasing the threat to both users and organizations.
Tools to Check If Your Data Was Leaked
Security experts recommend checking exposure using tools like:
- HaveIBeenPwned.com
- Free dark web scan tools from providers like Norton and Avast
Users should watch for:
- Unrequested password reset emails
- Unknown login notifications
- Suspicious activity on their accounts
What to Do If Your Data Is Compromised
Cybersecurity expert Abbas Yazdinejad recommends immediate action if your personal information is exposed:
- Change all passwords associated with the affected accounts
- Enable multifactor authentication to prevent unauthorized access
- Contact banks or freeze credit if sensitive financial data was involved
- Alert fraud protection agencies if national ID or passport data was leaked
Affected individuals should continue to monitor accounts for unusual activity and be cautious of follow-up phishing attempts.