
Valve Denies Steam Data Leak Was a System Breach, Calls It Old SMS Cache
Valve Corporation pushed back on reports of a massive Steam user data sale. The company says that what surfaced online was not evidence of a breach of Steam's systems but rather an archive of older SMS messages. Security outlet BleepingComputer reported that a hacker was offering roughly 89 million records for about $5,000. Those records allegedly included one-time passcodes sent to Steam users by text message along with their phone numbers. According to Valve, all of the codes were expired by the time they landed in the hacker's hands, and none of the files included any passwords, payment details, or direct ties between phone numbers and Steam accounts. Valve's statement reads, "This was not a breach of Steam systems. The data consisted of older text messages containing one-time codes valid for only 15 minutes and the phone numbers they were sent to. There is no account information, passwords, payment information or other personal data in that cache."
The company also reminded users that whenever an SMS code is used to change a Steam email address or password, they will receive confirmations by email and through Steam's secure messaging system. The incident prompted speculation that third-party messaging provider Twilio might have been hacked. A user on X, formerly Twitter, suggested that Twilio was to blame, but both Valve and a Twilio spokesperson denied the claim. Twilio said it found no evidence that its infrastructure was involved, and Valve confirmed it does not use Twilio for Steam authentication texts. Valve says users do not need to change their passwords or phone numbers, but it encourages everyone to enable the Steam Mobile Authenticator for stronger protection. The company's security team is still investigating how these historical messages were exposed.
The company also reminded users that whenever an SMS code is used to change a Steam email address or password, they will receive confirmations by email and through Steam's secure messaging system. The incident prompted speculation that third-party messaging provider Twilio might have been hacked. A user on X, formerly Twitter, suggested that Twilio was to blame, but both Valve and a Twilio spokesperson denied the claim. Twilio said it found no evidence that its infrastructure was involved, and Valve confirmed it does not use Twilio for Steam authentication texts. Valve says users do not need to change their passwords or phone numbers, but it encourages everyone to enable the Steam Mobile Authenticator for stronger protection. The company's security team is still investigating how these historical messages were exposed.