89 million Steam accounts leaked to the darknet — users are advised to change their passwords immediately.
If the leak is genuine, users’ entire game libraries may be at risk. This is especially true for those who do not use two-factor authentication (2FA). Still, there are questions about this information.
UPDATED 15th April, 11:28: Valve has officially commented on the reports of a possible data leak. According to it, the platform’s systems remain secure. The company stated that the leak only contained old SMS codes that do not threaten user accounts. Valve also recommended that gamers use Steam’s mobile authenticator for additional protection.
«The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages», — Valve added.
If we follow the chronology, the first to pay attention to the situation were users in X. User MellowOnline1 published screenshots from a LinkedIn post by Underdark AI. The image shows that an attacker under the nickname Machine1337 offered to sell a large Steam database for $5000. He posted the offer on one of the most reputable black market forums.
The post indicates that the database contains:
- contact in Telegram to communicate with the seller,
- links to data samples (posted on Gofile),
- references to the supplier’s internal data (probably meaning the provider of two-factor authentication services).
Users noticed that the post itself looked like Cross-site scripting (XSS). This web security vulnerability allows attackers to inject malicious scripts into web pages viewed by other users. This can be used to steal data, hijack sessions, or even change the content of a page.
Yesterday, an alleged major @Steam data breach occurred, compromising over 89 million user records (roughly two-thirds of all Steam accounts).
These datasets are being sold for over $5,000 on what appears to be a site akin to Mipped.
Mipped alongside their sister sites is a…
— Mellow_Online1 (@MellowOnline1) May 11, 2025
The authors of the LinkedIn post subsequently updated the information: «new evidence confirms that the leaked sample contains real-time logs of 2FA SMS messages transmitted via Twilio». These logs include message content, delivery status, metadata, and routing costs. This may indicate access not to Steam itself, but to the interfaces of the SMS service provider. This creates a risk of phishing attacks and session hijacking — especially for those who do not use Steam Guard or have a weak password.
Valve has already responded, as reported by the same MellowOnline1. A company representative denied using Twilio, which was mentioned in the original Underdark AI post.
Update: An update suggests that the alleged Steam data breach is not a direct breach of Steam itself, but rather a supply chain compromise — meaning an external service that Steam relies on was targeted.
Here’s what we understand from this update:
New evidence confirms some…
— Mellow_Online1 (@MellowOnline1) May 11, 2025
As for account security tips, they are classic. In particular, you should avoid obvious passwords and not repeat the same password in several services. It is also worth checking whether your data has been leaked through services such as HaveIBeenPwned. Valve hasn’t confirmed the leak yet, but it hasn’t completely denied it either. So if you feel sorry for your native library — it’s better to be safe.
Source: XDA Developers
Spelling error report
The following text will be sent to our editors: