Hacker Claims to Possess 89 Million Steam User Records
Twilio has denied any breach of its systems after a hacker claimed to possess 89 million one-time passcodes (OTPs) used by Steam users. The threat actor, known online as Machine1337 (also referred to as EnergyWeaponsUser), advertised the dataset for $5,000, suggesting the codes were obtained via Twilio.
When asked, a Twilio spokesperson responded:
“There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online and see no indication that this data was obtained from Twilio.”
Leaked SMS Messages Contain Steam OTPs and Phone Numbers
An analysis of the leaked sample, which included around 3,000 records, revealed historical SMS messages sent to users with Steam access codes. Each message contained both the one-time passcode and the recipient’s phone number. These codes are used for:
- Verifying logins to Steam accounts
- Associating a phone number with a Steam profile
The leaked messages appear authentic and include delivery timestamps, some as recent as March 2025, suggesting a recent compromise.
Twilio Acknowledges Investigation, Rules Out Internal Breach
Twilio confirmed it is actively investigating the situation. A spokesperson stated:
“Twilio takes these threats very seriously and is reviewing the alleged incident. We will provide more information as it becomes available.”
Twilio emphasized that its own systems remain secure, and that no compromise was found in its infrastructure.
Possible Compromise of Third-Party SMS Provider
While Twilio says its own systems were not breached, one suspected weak link is a third-party SMS provider. Such aggregators sit between Twilio and the mobile carriers and handle large volumes of message delivery, so a compromise there would expose message contents without any intrusion into Twilio's infrastructure.
Some possible explanations include:
- A compromise of an SMS aggregator working with Twilio
- Interception of messages in transit between services
- Leakage from misconfigured or exploited backend systems
BleepingComputer reported that it could not confirm the true source of the leak or the full extent of the hacker's dataset.
What Is Twilio and Why Steam Relies on It
Twilio is a cloud communications platform that offers APIs for:
- Sending SMS and voice messages
- Delivering 2FA and OTP codes
- Implementing multi-channel user authentication
Steam, operated by Valve, is among many platforms that utilize Twilio’s Verify API, a product used to send 2FA codes via SMS, WhatsApp, email, push, or TOTP.
Steam Users Urged to Secure Their Accounts
Because each leaked message pairs a phone number with a Steam login code, security experts recommend that Steam users take proactive measures:
- Enable Steam Guard Mobile Authenticator, which generates codes in the app rather than receiving them over SMS
- Monitor account activity for unauthorized login attempts
- Avoid SMS as a sole method for authentication when possible
Broader Concerns About SMS-Based Authentication
This incident underscores the supply chain risk built into SMS-based authentication. Even if a major provider like Twilio is not compromised, an SMS one-time code travels in plaintext through aggregators and carriers on its way to the handset, so an attacker who compromises or taps any intermediary sees both the code and the recipient's number, exactly the two fields present in the leaked sample.