Valve’s response to the reported Steam security leak that made headlines this week. The company has confirmed a data leak did occur, but the situation is much less concerning than initially feared.
On Wednesday, Valve published an official statement on the Steam News Hub addressing the issue. They firmly stated, “We have examined the leak sample and have determined this was NOT a breach of Steam systems.”
The leaked information only contained phone numbers and expired text messages previously sent for two-factor authentication purposes. These authentication codes become invalid after just 15 minutes, rendering them useless to anyone who might access them now.
Importantly, Valve clarified that “The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data.”
Initial Reports Versus Reality
Earlier reports from cybersecurity firm Underdark had caused alarm among PC gaming communities. In a LinkedIn post published Sunday, they claimed over 89 million Steam user records were being offered for sale on dark web forums. The firm reported analyzing samples of data allegedly containing two-factor authentication records routed through Twilio.
The reality appears quite different. Twilio, a cloud communications company that provides authentication services to major clients like Shopify and Stripe, has denied involvement after investigating the incident. A Twilio spokesperson told Bleeping Computer, “There is no evidence to suggest that Twilio was breached.”
Further countering initial reports, a Valve spokesperson reportedly informed games journalist @MellowOnline1 that the company doesn’t even use Twilio services.
What Steam Users Should Know
Despite the less severe nature of this incident, Valve acknowledges a leak did occur. They continue investigating its source, noting the complexity is “compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.”
Given what we now know about this breach, Valve states that changing Steam passwords isn’t necessary. However, I always recommend updating passwords periodically as good security practice.
For those concerned about account security, you can take additional protective steps. First, check your authorized devices through your Steam account and remove any unfamiliar ones. Second, consider setting up the Steam Mobile Authenticator through the official Steam Mobile App for enhanced protection.
While this security incident wasn’t the catastrophic breach initially feared, it serves as an important reminder about digital security vigilance. Valve’s transparent communication about the situation should reassure Steam users that their personal and payment information remains secure.
