Valve has released an official statement confirming that a recent data leak did not breach Steam accounts and users will not need to change passwords or phone numbers for their PC gaming accounts.
Rumours were spreading after a LinkedIn post on May 10th reported that a user on a well-known dark web forum was claiming to have found a vulnerability in Steam and had access to data of over 89 million accounts which they were offering to sell for $5k (£3.8k).
The post was then updated to state that this data included real-time two-factor authentication codes sent through Twilio and this leaked data allegedly also included phone numbers and SMS logs sent to mobiles attached to Steam accounts.
However, Valve has confirmed that this cyber attack did not affect Steam systems but are still investigating:
“We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.”
While it appears this has leaked people’s phone numbers, Valve claims that all of Steam’s 132 million accounts should be safe:
“The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to.
“The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data.”
Because of this, Valve insists users do not need to change passwords or phone numbers as a result of this data leak.
Though in the statement, the company does recommend setting up the company’s own Steam Mobile Authenticator app, claiming it to be the best way to send SMS messages about Steam accounts securely.
For now, everyone’s Steam libraries are safe, but this is a reminder of how fragile accounts can be.
It’s worth setting up extra security, especially as UK gamers have some of the most valuable Steam collections.
Seems like as good a reason as any to tackle that backlog of hundreds of games you bought on sale but still haven’t played.
In my seven years of esports writing, I’ve introuduced esports coverage to newspapers, interviewed some of the biggest names in the industry, and driven viewers mad with the puns in my YouTube scripts. I’m most proud of the latter.
