
89 million Steam accounts leaked to the darknet — users are advised to change their passwords immediately.
If the leak is genuine, users’ entire game libraries may be at risk. This is especially true for those who do not use two-factor authentication (2FA). Still, there are questions about this information.
Chronologically, the first to notice the situation were users on X. User MellowOnline1 published screenshots from a LinkedIn post by Underdark AI. The image shows that an attacker using the nickname Machine1337 offered to sell a large Steam database for $5000. He posted the offer on one of the most reputable black market forums.

The post contains:
- a Telegram contact for communicating with the seller,
- links to data samples (posted on Gofile),
- references to the supplier’s internal data (probably meaning the provider of two-factor authentication services).
Users noticed that the post itself looked like cross-site scripting (XSS), a web security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. This can be used to steal data, hijack sessions, or even change the content of a page.
Yesterday, an alleged major @Steam data breach occurred, compromising over 89 million user records (roughly two-thirds of all Steam accounts).
These datasets are being sold for over $5,000 on what appears to be a site akin to Mipped.
Mipped alongside their sister sites is a…
— Mellow_Online1 (@MellowOnline1) May 11, 2025
The authors of the LinkedIn post subsequently updated the information: “new evidence confirms that the leaked sample contains real-time logs of 2FA SMS messages transmitted via Twilio”. These logs include message content, delivery status, metadata, and routing costs. This may indicate access not to Steam itself, but to the interfaces of the SMS service provider. This creates a risk of phishing attacks and session hijacking — especially for those who do not use Steam Guard or have a weak password.
Valve has already responded, as reported by the same MellowOnline1. A company representative denied using Twilio, which was mentioned in the original Underdark AI post.
Update: An update suggests that the alleged Steam data breach is not a direct breach of Steam itself, but rather a supply chain compromise — meaning an external service that Steam relies on was targeted.
Here’s what we understand from this update:
New evidence confirms some…
— Mellow_Online1 (@MellowOnline1) May 11, 2025
The source of the leak is still unknown. At first, users assumed that it was Steam itself, but then attention shifted to Twilio. However, there is still no confirmation, and the situation remains unclear. Valve has not released any official statements at the time of publication, but regardless, experts advise Steam users to immediately change their passwords and make sure that 2FA is enabled.