UPDATE: 2025-07-07 10:33 EST BY CORBIN DAVENPORT

Valve Statement

Valve has provided the following statement toHow-To Geek, confirming the leak did not associate Steam account information with phone numbers:

“Yesterday we were made aware of reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determinedthis was NOT a breach of Steam systems.We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.”

“The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to.The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data.Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages. From a Steam perspective, customers do not need to change their passwords or phone numbers as a result of this event. […] We also recommend Steam users set up the Steam Mobile Authenticator if they haven’t already, as it gives us the best way to send secure messages about their account and that account’s safety.”

The original story continues below.

There have been rumors about a large-scale data breach impacting nearly 90 million Steam accounts. However, the original source was debunked, so you probably don’t have anything to worry about.

A post shared by ‘Underdark AI’ on LinkedIn, supposedly sourced from a “well-known dark web forum,” claimed that a hacker had accessed the data of more than 89 million Steam users. The stolen information was said to include usernames and passwords and private SMS logs with 2FA codes, message details, and delivery status, all for $5,000. That low price is pretty fishy, and IT professionals' comments pointed out that this seemed like a leap.

Dr. Kunz, a security expert,pointed outin the comments that while the leaked data supposedly included phone numbers and expired one-time codes, it did not contain key details like usernames, Steam IDs, or password hashes. Basically, the information was so cheap because it wasn’t what was claimed and didn’t have “any other use than phishing campaigns.” In fact, the original poster admitted they were “not sure we should take his point as if it is science.”

Even still, the original worrying news was quickly spread further by a Twitter/X user namedMellow_Online1, who at first presented it as a major data breach. Mellow_Online1 mentioned that the data was being sold on a dark web forum, which made people even more concerned. That was spread through multiple video game websites before any confirmation that the news was real, despite the original post admitting it shouldn’t be taken as fact.

Steam allegedly found out about all this and contacted the user. Mellow_Online1 posted several updates and clarifications, explaining that the data did not come from a direct breach of Steam’s systems but possibly from a third-party company, which was first thought to be Twilio. This service provider handles communications, including SMS-based 2FA.

Valve allegedly confirmed to Mellow_Online1 that it does not use Twilio, which directly contradicted Mellow_Online1’s first report and the claims about where the data came from. If this response was real, it would be even more confirmation not to take this news as factual. We reached out to Valve for a statement, and we will update this article when we hear back.

While this seems to have been false information, it’s important to always havetwo-factor authorization on your Steam account. Even if someone gets your passwords, you will be able to see that a login attempt is being made, and it won’t go through without the code sent to you. This way, you’d be able to rest easy if this kind of thing did actually happen.

Even if you didn’t see the original post get debunked, the following tweet’s low price of $5,000 for the supposed 89 million accounts and the unknown source were already red flags. We’ll update this article when we hear back from Valve, or there are more updates to share.