Steam suffers an 89 million account data leak : complete information

UPDATE: 2025/05/14 19:52 EST BY SIMON BATT

Twilio denies leaking data as more details emerge

Now that the news has had time to go around, we have a statement from Twilio that matches the Valve spokesperson's claim made below. In a message to Bleeping Computer, a Twilio spokesperson said the following:

There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio.

We've looked at the leaked data, and we can see why Twilio was mentioned in the first place. The file specifically names Twilio in the spreadsheet as one of the vendors, but given that both Valve and Twilio have denied the leak, it raises more questions than answers. Bleeping Computer suspects that the data came from an SMS provider that handled messages between Twilio and Steam, as the leaked messages show one-time access codes and tie phone numbers to accounts.

While we're still unsure as to where this data came from, it's worth erring on the side of caution and using 2FA to secure your Steam account.

89 million Steam account details just got leaked, so now's a good time to change your password

 If you frequently use Steam, now would be an excellent time to change your password. There has been news that 89 million account details have gone up for sale on the dark web, and if it turns out to be legitimate, it would mean a ton of user accounts are now at risk. Given how some accounts can contain hundreds (if not thousands) of games, this could mean people losing their entire selection of PC games.

Steam suffers an 89 million account data leak

In a post on X, user MellowOnline1 drew attention to another post on LinkedIn from Underdark AI. In it, Underdark AI claims they found a post from someone called Machine1337 on a reputable black market forum, offering to sell 89 million Steam account details for $5,000. If this is true, not only will the purchaser have access to anyone's account that doesn't use 2FA or change their password, but they can use the other details to send convincing phishing messages to the people they can't hack.

This opened up the question: how did the leak occur? At the time of writing, it doesn't seem like people really know. The first port of call was Valve itself, but that didn't seem to be the source. Fingers then pointed at Twilio, stating that it handled Steam's 2FA systems and that the leak occurred from within its systems, but Valve then got in touch with MellowOnline1 and claimed that it had never used Twilio.

As such, we're in a strange limbo, and we're not totally sure where this leak came from. Until the dust clears, it's a good idea to change your Steam password if you don't have any additional security. Those with 2FA enabled (which Valve calls "Steam Guard") should be fine, as the leak doesn't contain any information that could allow a hacker to crack it.

If you need some advice on how to set up a new password, make sure you don't fall into the common pitfalls people encounter when making one. Check out these fairytales about password security that are pretty grim for more information.