Odbix

Massive Steam Data Breach: 89M Accounts Compromised

Massive Steam Data Breach Exposes 89 Million Accounts

A massive data breach affecting an estimated 89 million Steam accounts has been reported, raising concerns about the security of one of the world's largest digital game distribution platforms. The breach, first publicized by cybersecurity firm Underdark on LinkedIn and subsequently amplified by gaming journalist MellowOnline1, allegedly involves a threat actor known as Machine1337 offering the stolen data for $5,000 on a dark web forum.

The leaked data reportedly includes one-time passcodes linked to SMS messages, phone numbers, and potentially other sensitive information. A sample of 3,000 records examined by BleepingComputer confirmed the presence of these historical SMS messages containing one-time passcodes. While the origin of the breach remains unclear, initial suspicions focused on a potential compromise of Twilio, a cloud communications company used by Steam for two-factor authentication (2FA). However, Twilio has explicitly denied being breached, stating that its investigation found no evidence linking the leaked data to its systems.

MellowOnline1 initially suggested a supply-chain compromise involving Twilio, citing technical evidence in the leaked data. This theory points to a possible compromised admin account or misuse of API keys within Twilio's systems or a third-party SMS provider used in conjunction with Twilio. However, BleepingComputer could not independently verify the data's origin or the authenticity of the threat actor's claims, although some data appears relatively recent, with messages dating back to early March.

Valve, the parent company of Steam, has yet to publicly comment on the alleged breach. Given the scale and potential impact of this incident, Steam users are urged to take immediate preventative measures. These include changing their passwords, enabling Steam Guard Mobile Authenticator (2FA), and carefully monitoring their accounts for any unauthorized activity or suspicious emails. Experts also advise users to remain vigilant against phishing attempts related to Steam. The situation highlights the critical importance of robust security practices for both users and online platforms.
