Valve recently confirmed reports of a significant Steam data leak involving approximately 89 million user accounts. The leaked data surfaced on a dark web marketplace, offered by an individual operating under the alias “Machine1337.” Cybersecurity firm Underdark AI first uncovered and publicized details of the leak, which includes phone numbers, SMS metadata, usernames, and expired two-factor authentication (2FA) codes associated with Steam accounts.
Valve stated explicitly that this leak did not originate from within their own infrastructure, emphasizing their internal systems remain secure. Instead, the leak occurred via an external third-party provider used to send SMS-based authentication codes. Initial suspicion fell on Twilio, a major SMS provider mentioned within the leaked dataset, but both Valve and Twilio have denied any breaches in their own systems.
Statement from Valve to XDA
“Yesterday we were made aware of reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems.
We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.
The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.
From a Steam perspective, customers do not need to change their passwords or phone numbers as a result of this event. It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious. We recommend regularly checking your Steam account security at any time at https://store.steampowered.com/account/authorizeddevices.
We also recommend Steam users set up the Steam Mobile Authenticator if they haven’t already, as it gives us the best way to send secure messages about their account and that account’s safety.”
Valve’s investigation confirms the leaked data consists solely of older SMS authentication codes, which are no longer valid, and associated phone numbers. Importantly, Valve assured users that no passwords, financial information, or direct account access was compromised through this leak.
Nevertheless, this leak presents genuine risks. Although attackers cannot directly use the leaked codes to access your Steam or Counter-Strike accounts, the exposed phone numbers and usernames create opportunities for targeted phishing and social engineering attacks. Hackers might exploit this information to send highly convincing messages that appear to originate from Steam, tricking users into giving away sensitive information or credentials.
Recommendations for Counter-Strike Players to Stay Safe
As a Counter-Strike player and active Steam user, follow these immediate steps to ensure your account remains secure:
1. Switch to Steam Guard Mobile Authenticator
If you currently rely on SMS for Steam’s two-factor authentication, it’s vital to switch immediately to Valve’s Steam Guard Mobile Authenticator.
How to activate Steam Guard Authenticator:
- Open Steam and navigate to Settings → Account → Manage Steam Guard Account Security.
- Select the option: “Get Steam Guard codes from the Steam app on my phone.”
The Steam Guard Mobile Authenticator is significantly safer than SMS, protecting your account more effectively against unauthorized access attempts.
2. Change Your Steam Password
Even though passwords weren’t leaked directly, changing your Steam password is a prudent measure.
Password security recommendations:
- Create a strong password with at least 12 characters, including uppercase and lowercase letters, numbers, and special characters.
- Use a reliable password manager to generate and securely store unique passwords for Steam and other services.
3. Regularly Monitor Your Steam Account
Keep track of your recent account activities and authorized devices.
Steps to monitor your account:
- Visit Steam → Account Details → Recent Login History regularly.
- Immediately report any unfamiliar or suspicious activity to Valve’s support.
4. Stay Alert to Phishing Attempts
With phone numbers and usernames exposed, attackers might increase phishing attempts targeting Steam users.
Phishing safety tips:
- Never click on unsolicited links claiming to come from Steam.
- Verify the sender’s address carefully. Authentic Steam communications always originate from official Valve domains.
- If uncertain, manually type the official Steam website URL instead of clicking links from emails or messages.
5. Your Counter-Strike Inventory is Safe
Valve has explicitly stated no Steam wallet balances, payment methods, passwords, or in-game items such as Counter-Strike skins were compromised. Your items and inventory remain secure as long as your account stays secure.
However, staying vigilant is essential to preventing indirect compromise attempts through phishing or social engineering.
Final Advice for Counter-Strike Players
Valve’s clarification provides reassurance that Steam’s internal systems remain uncompromised. Nevertheless, this incident serves as an important reminder to adopt best practices for online security.
Quick Security Checklist for All Players:
- ✅ Immediately enable Steam Guard Mobile Authenticator.
- ✅ Update your Steam account password.
- ✅ Regularly monitor account activity.
- ✅ Stay vigilant against phishing and social engineering attacks.
- ✅ Trust communications only from verified Valve and Steam sources.
By following these recommendations, Counter-Strike players can confidently secure their Steam accounts and continue enjoying the game without worry.
