05-14-2025 at 17:59

UPDATED: Steam suffers a large-scale leak — 89 million accounts for $5000 are in the darknet

Margarita Yuzyak

News writer

89 million Steam accounts leaked to the darknet — users are advised to change their passwords immediately.

If the leak is genuine, users’ entire game libraries may be at risk. This is especially true for those who do not use two-factor authentication (2FA). Still, there are questions about this information.

UPDATED 15th April, 11:28: Valve has officially commented on the reports of a possible data leak. According to the company, the platform’s systems remain secure. Valve stated that the leak contained only old SMS codes that do not threaten user accounts. It also recommended that gamers use Steam’s mobile authenticator for additional protection.

“The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages,” Valve added.

Chronologically, users on X were the first to notice the situation. User MellowOnline1 published screenshots from a LinkedIn post by Underdark AI. The image shows that an attacker using the nickname Machine1337 offered to sell a large Steam database for $5000. He posted the offer on one of the most reputable black market forums.

The post includes:

  • a Telegram contact for communicating with the seller,
  • links to data samples (posted on Gofile),
  • references to the supplier’s internal data (probably meaning the provider of two-factor authentication services).

Users noticed that the post itself looked like cross-site scripting (XSS). This web security vulnerability allows attackers to inject malicious scripts into web pages viewed by other users, which can be used to steal data, hijack sessions, or even change the content of a page.

The authors of the LinkedIn post subsequently updated the information: “new evidence confirms that the leaked sample contains real-time logs of 2FA SMS messages transmitted via Twilio”. These logs include message content, delivery status, metadata, and routing costs. This may indicate access not to Steam itself, but to the interfaces of the SMS service provider. This creates a risk of phishing attacks and session hijacking, especially for those who do not use Steam Guard or have a weak password.

Valve has already responded, as reported by the same MellowOnline1. A company representative denied using Twilio, which was mentioned in the original Underdark AI post.

The account security tips are the classic ones. In particular, avoid obvious passwords and do not reuse the same password across several services. It is also worth checking whether your data has been leaked, using services such as HaveIBeenPwned. Valve hasn’t confirmed the leak yet, but it hasn’t completely denied it either. So if you value your own library, it’s better to be safe.

Source: XDA Developers


