Valve, the company behind Steam, has denied any breach of its systems following claims that attackers leaked 89 million records allegedly stolen from the platform.
Valve Confirms No Breach of Steam Systems
The claims surfaced earlier this week on a dark web forum where a known threat actor advertised the data as a Steam breach. In response, Valve issued a statement saying their review found no compromise of Steam systems.
“We have examined the leak sample and have determined this was NOT a breach of Steam systems,” Valve told Cybernews.
The company explained that the leaked data consisted only of one-time authentication codes, which are valid for just 15 minutes. No account credentials, payment details, or personal identifiers were included.
“Old text messages cannot be used to breach the security of your Steam account,” Valve said.
“From a Steam perspective, customers do not need to change their passwords or phone numbers as a result of this event.”
Multiple posts by the same threat actor.
Source: Cybernews.
Nature of the Leaked Data
The leak appears to contain only SMS-based one-time passcodes and phone numbers, with no usernames, email addresses, or passwords. This significantly limits the potential for abuse.
Valve clarified that:
- SMS codes expire quickly and are useless once used.
- Changing a Steam password or email using SMS always triggers a confirmation via email and secure Steam notifications.
- No phone numbers were directly tied to identifiable Steam accounts in the sample.
Analysis Points to Third-Party SMS Data or Hoax
Cybernews researchers who reviewed the leak confirmed that:
- The data does not point to a Steam-specific breach.
- Some messages were recent (dated March 2025), but still contained only short-lived OTPs.
- The same attacker posted multiple similar databases within minutes, all containing SMS logs and numbers.
“This is either a bulk SMS sending provider data breach, or a complete fake,” Cybernews stated.
Researchers also noted one of the earlier posts by the threat actor promoted a real-time SMS validation service, raising suspicion that the leak originated from a third-party SMS provider.
No Action Required by Steam Users
Valve has not issued a password reset or recommended security changes, but it does advise users to remain alert and enable additional protections.
“We remind customers to treat all messages regarding account security with caution and to set up the Steam Mobile Authenticator,” Valve added.
