89 million Steam accounts reportedly leaked. Change your password now.
Stay vigilant, Steam users. Credit: Jakub Porzycki / NurPhoto / Getty Images
The account details of 89 million Steam users have reportedly been hacked.
Although how the breach happened is unclear, this is a good time to change your password and enable two-factor authentication.
This past Sunday, cybersecurity firm Underdark posted on LinkedIn about a data breach. That post was then picked up and widely spread by gaming-focused X user Mellow_Online1, as reported by tech outlet XDA. According to Underdark's post, "a threat actor going by Machine1337 posted on a well-known dark web forum claiming to have breached Steam, offering a dataset of over 89 million user records for $5,000."
This claim from Machine1337 reportedly also included a Telegram contact, a link to sample data, and internal vendor data "indicating deeper access."
The breach was believed to have come from a third-party service, not directly from Steam. Initially, Mellow_Online1 thought it was from a vendor called Trillio. But Valve, Steam's parent company, confirmed to Mellow_Online1 that it doesn't use Trillio.
Details are hazy at this point. Mashable has reached out to Valve for confirmation and specifics of how the breach occurred and will update this story if we receive a response. In the meantime, Steam users are advised to change their password, turn on 2FA, check their email for any suspicious activity, and be extra vigilant about phishing scams that seem to be related to Steam.
Fake, it's an AI claiming that.
Twilio*, not Trillio
No, it's Trillio.
For those with 2FA, you're fine. Just don't accept any random 2FA requests or prompts. Let's use some common sense. As for holding agencies accountable for FAILING to protect your account, data, and financial information, I think it's high time we start holding them accountable.
Companies should employ every possible measure to be secure. Problem is though, nothing is 100% secure. Companies will get hacked. It's not an if, more of a when.
These corpo-heathens must be held LIABLE!!!
Not only is this only a minor concern if you have 2FA, nothing was leaked in plain text.
I've had Steam since it came out Sept 12, 2003. I have not changed my email or password for 22 years, despite other leaks.
You will still want to change your password, but yes, correct, don't approve random MFA prompts and it's a minor thing.
However, a vast majority of people use the same password for multiple things, and a hashed password can be cracked eventually. People, use a passkey or password manager, make sure the password manager has a unique password, and use it to stop reusing passwords.
You can say that Steam is a victim, and they are, but companies need to be held accountable for these hacks instead of people having to accept that this will eventually happen to every major platform. Despite being a target, they weren't secure enough with so many people's private information. The reason I get flooded with scam calls all day is because a website asked for my phone number verification and that site got hacked along with my personal information.
Maybe you should stop assuming that every single site is going to be 100 percent secure all the time; that's statistically impossible. There is a reason there is a concept called "Zero Trust". Using things like multi-factor authentication and passkeys where possible will help prevent account breaches even if a password is compromised. You have to assume that at some point everything is going to be breached, because at some point it will; it's just about minimizing the amount of damage that can be done if it is.
I stopped assuming 5 years ago when a site hack occurred, and I'm still getting harassing and scam phone calls 20+ daily to this very day. Even if they don't, it's still the fault of the site, and the users who suffer the most damage, even if they don't take your advice (and the vast majority don't).
Accidentally replied to this dude, but see my comment about #662#
Doesn't help because they keep spoofing different numbers that fail the spam test.
The truth is though, it will happen. The safest computer is one that's turned off and unplugged. What Steam usually does is store their information in encrypted files, so the extent of how useful this hack is is unknown.
Everyone should be using 2FA for something like Steam anyway. I have over 1K games, so yeah, I won't be leaving it open to easy access.
The alleged "Steam data breach" appears to be SMS delivery logs from some provider, if it is true at all. Twilio says there is no indication that this data was obtained from Twilio.
You don't have to change your password, such a provider would not have your account information.
As per Christopher Kunz: This alleged leak just contains SMS delivery logs with carrier metadata and phone numbers from 2025. The sample contains Portuguese numbers, where only 60% are unique numbers. Main risk is targeted phishing.
This article is clickbait.
This is a big nothing, and probably greatly exaggerated. If you pay through PayPal and not your direct card, they really didn't get much of your information. If you have 2FA you're good too.
Couldn't happen to a nicer thick client with a EULA that says they can basically do whatever they want to your machine, whenever they want.
Steam sux - always has. And this kind of breach should've been, and was, expected. All these GaaS are hard targets.
If you want to blame anyone, blame Gartner.
For 30 years Gartner has published the "Gartner Quadrant". And in the upper right are the "Leaders".
It's 90% politics who ends up in the leaders quadrant. And companies go buy the "leaders"; and they're terrible.
I mean, for God's sake, in cybersecurity, CrowdStrike is a "leader". Despite the fact that bypassing their EDR has been elementary school trivial for two years.
Companies buy what they're told because most CISOs are dumb.
And those that do, will, not may, but WILL get breached.
Spending on cybersecurity increases every year, yet so do compromises.
So clearly what we're spending on is wrong.
PRO TIP: no account you have any form of payment attached to should be without MFA. If not available, don't use that service; if you chose not to turn it on, I feel no empathy for you.
So, if I have 2-factor already, should I really care?
2FA is even better than just a password change
If it's a password you use somewhere else, you should probably change it
Seriously? This is an online service, protecting the accounts should be one of their top priorities.
I have the 2-factor security, and only use the Steam Gift Cards for any purchases I make, so no real worry for me.
89 million accounts for $5k sounds so incredibly bogus.
Maybe that explains the last 4 days at 3 am my Steam triggers and starts up, alerting me, and starts a game
Me when I lie 💀
I hope everyone remembers this OG video 😁
https://www.youtube.com/watch?v=gYs9nS8LlZ8
Would be an interesting purchase that you can then use to analyze user accounts used as C2.
Twilio says it didn't come from them. Valve says it didn't come from them, and that all it was is phone numbers and 2FA codes that were only valid for an extremely short amount of time.
So, all they got is a list of phone numbers that may be associated with a Steam account.
Overblown.
I wonder if the alleged data is outdated or incomplete. Maybe from a data broker? Or a collection of known breaches? Steam currently has about 132 million monthly active users. So this is just a subset of accounts. All we can do is wait.
The seller claims it is a partial and fresh leak.
🇫🇷🔒 Arnaud Lasgorceix 🔒🇫🇷
What is this screenshot? It's really tiny.
https://imgur.com/a/zlaPL5o
The original post from the forum.
If this is indeed a valid leak, why is it in the SPAM subforum? This seems odd.
It is probably there because the threat actor is a noob and posted it wrongly. With that said, the other subforums include "data bases", which are more relevant to the post the TA made.
According to Mellow_Online1 on X, Valve has contacted them and stated that they do not use Twilio.
https://x.com/MellowOnline1/status/1922458722485317664?t=CdZhxMOWzBLr1hF2PelxhQ&s=19
Valid point. Yet as we saw in the past, shadow IT is something that companies often forget about. One group claims they do not work with Vendor A, the other group forgot it does. Let's wait and see
I was just trying to share additional information. Truth is, we cannot trust companies regarding privacy/breach issues, as they would be stupid to admit them if it cannot be proven undeniably. Too much bad PR and trust issues would emerge if they did. Shareholders don't like that.
100%. We agree with you fully
Steam is owned by Valve, which is a private company held by Gabe Newell and Valve employees. There are no public shareholders to speak of here, no market to influence share price. Given Valve's past behaviours and tendencies, they would be all over this if this was an actual threat to users.
I was talking about companies globally by then. Sorry for the confusion. What Steam itself has is its own market, where real money transactions are a thing, so if those accounts are compromised, that would be a huge deal. I wouldn't give Valve that much credit tho. In 2011, even though they confirmed that hackers accessed a Steam database (containing usernames, hashed passwords, email addresses, billing information, and encrypted credit card details), they initially stated there was no evidence that sensitive information was taken or decrypted. Then later revelations indicated that a backup file from 2004–2008 containing encrypted transaction data was likely compromised. So they did not initially disclose this information, so no transparency there. Nobody remembers this. More recently, they initially dismissed a report from a security researcher about a privilege escalation vulnerability. Their hacker program rejected the report, stating such vulnerabilities were out of scope. Only after public backlash did they acknowledge the mistake and patch the issue. Both of these incidents should raise questions about the company's commitment to security and the responsibility Valve takes IMO.
http://underdark.ai/
Hypothesizing without evidence or data is incredibly harmful. Your team should have more due diligence and follow responsible disclosure rules.
I acknowledge your points completely. No-one is perfect. But the same Valve went onto develop Steam Guard, which Gabe Newell publicly issued a challenge to try and bypass, but no-one did or has since.
Thanks for sharing
Changing a password or fiddling with the authentication while there's a suspected active breach is at best useless and at worst can aid the attacker. Unless the service owner asks you to do something specific, I would not recommend listening to random journalists taking potshots at incident remediation.
Correction received! Thank you. But http://underdark.ai/ is not a "random journalist". Worth checking what we do :-)
I'd suggest anyone reading this read the Twitter thread from Mellow_Online1, as it has additional information that this article doesn't mention in much detail, and take the headline with a grain of salt, as while yes, I'd recommend changing passwords.
While it never hurts to change your password every now and then, there is currently no proof that any such breach happened.
Sources are conflicting on the details and no-one has actually seen the contents of the supposed leak.
Edit: Official statement is out, just uninformed people fearmongering for clicks and clout, no need to change your passwords.
I can't reply to Adam for some reason, so I'll place it here. Like Cantimule said, I don't think anyone is against the idea of being safe. But the fact that you posted the title "The leak DID happen" is bonkers. This is grabbing threads and pushing it as fact.
To be honest, why didn't you label it as "Steam has potentially been breached - we will keep an eye on it"?
I had access to the data already and confirmed some details from it. As well, Valve has now confirmed the leak in a statement they provided. Our article is now live on that.
Dude, Steam specifically says it was not a breach of Steam systems, and not a leak associated with Steam account information. They also said it is unnecessary to change your password or phone numbers.
BleepingComputer has said that the breach appears legitimate from the data they have seen.
3 hours before this was published, the Twitter account (which is the only cited source) admitted that the supposed "hack" is literally impossible: Valve has never used Twilio.
This is journalistic malpractice. You don't publish a claim that hundreds of millions of dollars in digital assets are about to be stolen because of a 5-day-old tweet from some guy on Twitter who heard it from some guy on LinkedIn who heard it from some guy on the dark net who is offering those hundreds of millions of dollars in assets for a mere $5k.
ANY amount of critical thinking should have halted this publication, frankly it reflects poorly on XDA. Do better.
BleepingComputer received a copy of some of the data and has said that it appears legitimate. MellowOnline1 is the person who claimed the Twilio link; BleepingComputer didn't. Nor does our article. I have also come into possession of the sample data and can confirm that it certainly looks legitimate.
As well, any breach of this kind of any system should still be taken seriously. Just because the published data appears to reflect 2FA confirmations (so far) doesn't mean that the attack is simply limited to that vector. Gaining access to any internal system can allow an attacker to move laterally and gain further access to other systems, so yes, there is cause for concern for Steam users at present.
wow this site sure has gone downhill to spread AI generated news stories as real...
Jesus Christ XDA, you used to be a reputable source, but literally ANY amount of research would've shown this to be entirely untrue.
Also, that's not a Steam Deck in your pic, it's an ASUS ROG
No evidence of a breach and if anything did get breached then it was 2FA codes. I guess XDA's really desperate for a news break.
Lazy journalism, Steam doesn't even use Twilio
They use Twilio for the 2FA SMS codes
LOL the fact they used a ROG instead of a Steam Deck for the image is great.
You're not sure how this happened because you just copy+pasted the story without doing any checking, or you'd have seen it was debunked.
I mean, I use Steam Guard and regularly change my passwords on everything
Peak 2025 journalism
Steam Guard and 2FA are different things for Steam.
Guard uses a second app, while 2FA is just sending you a text or email.
You're fine... you prove the account is yours by the way you paid for games, don't worry about it, PayPal/bank card... hopefully you didn't use the same password for PayPal LOL
Hacker: "All your games are belong to us"
Ah yeah, now people who steal your account will have cheaters get you VAC banned and Valve will not reverse it, but they will reverse stolen wallet funds.
Valve are scumbags.
This was an AI slop story that XDA somehow still thinks is real.
Also, don't let people on your account.