Game developer Valve says Steam data wasn’t breached

May 14 2025, 6:52 pm

Update May 15, 2025 at 11:15 a.m. ET: Valve has responded to reports about the Steam data breach, noting that Steam systems weren’t breached. The company also said that customers don’t need to worry about changing passwords. It confirmed that it does not use Twilio.

Read more about Valve’s response to the breach allegations in our latest coverage.


Update May 14, 2025 at 4:14 p.m. ET: Twilio denied involvement in the data breach impacting Steam. In a statement to Bleeping Computer, the company said it reviewed a sample of the data circulating online and saw “no indication that this data was obtained from Twilio.”

Bleeping Computer suggests the data could have come from an SMS provider instead, but ultimately, the source of the Steam data remains unclear.

The original story follows below.


It might be time to change your Steam password.

Valve’s popular PC gaming store is allegedly impacted by a data breach that appears related to Twilio, a third-party service that Steam uses for two-factor authentication (2FA) codes sent via SMS. Hackers are reportedly selling 89 million Steam records on a dark web forum for just US$5,000 (about C$6,992).

The details come from independent games journalist @MellowOnline1, who spotted the hackers’ post and shared details about it on Twitter/X.

In a later tweet, @MellowOnline1 clarified it doesn’t appear to be a direct breach of Steam, but instead a breach of an external service that Steam relies on. They shared that a sample of the leaked data includes real-time SMS logs, which are used in 2FA, message content (e.g., the 2FA codes), the delivery status, routing costs (how much it costs to send messages), and metadata like timestamps, recipient numbers, and more.

Moreover, the leaked data implies that the hacker had or has access to Twilio’s systems. While Steam itself doesn’t appear to have been hacked, users still face significant risks. The hack opens up possible phishing attacks where hackers could send fake but convincing messages to users. It could also lead to session hijacking, where hackers could intercept or replay 2FA codes to bypass login protections.

Twilio is the company behind the Authy 2FA app, and this isn’t the first data breach it has faced. It suffered a breach in July 2024, while Twilio’s parent company SendGrid was hacked last month (though SendGrid claims there’s no evidence of a breach). It’s worth noting there’s no official confirmation of another breach from Twilio yet, and there’s a possibility that this Steam data stems from a previous hack.

Regardless, Steam users should be on guard for phishing scams and should take steps to protect themselves. A good first step would be changing Steam passwords. It’d also be wise to change 2FA methods to avoid using Twilio. Perhaps the best option would be to use Steam Guard, which requires installing the Steam app on a smartphone to access 2FA codes instead of receiving them over SMS.
