Valve refutes reports of a Steam data leak – “This was NOT a breach of Steam systems”
Following reports of a Steam data leak over the weekend, Valve has investigated the issue and issued a statement, first to refute reports that this is a breach of their systems, and second to reassure users that there is no need to change passwords or amend security settings.
A LinkedIn post claimed that a trove of leaked data from Steam included over 89 million user records, but while this initially appeared concerning, fears were allayed somewhat when an update explained that this related to real-time TFA SMS logs – time-sensitive codes that are sent via text message for two-factor authentication. This still suggested that a hacker had infiltrated the overarching security system, but had only gained “backend access to a vendor dashboard or API, not Steam directly.”
Valve has now issued a statement following their own analysis and confirmed that this “was NOT a breach of Steam systems,” that details within the leak “did not associate the phone numbers with a Steam account, password information, payment information or other personal data,” and told users “you do not need to change your passwords or phone numbers as a result of this event.”
What they do advise, however, is that users should set up the Steam Mobile Authenticator.
Using SMS messages for TFA is an outdated and less secure method of providing a time-sensitive code to users. SMS messages are not encrypted, so if a bad actor were able to intercept those authentication codes in time, they would be able to use them in conjunction with account details and passwords to gain access to an account.
Using an authenticator app that generates an automatically rotating code from a secure key, or that relies on encrypted push notifications, is much more secure, as this requires access to a trusted device in addition to login and password. Furthermore, Steam now has a more automated login system where you can scan a QR code using the Steam Mobile Authenticator and not have to input account details at all.
Even with these security options, you do still need to be wary of unexpected emails and messages prompting you to log in to personal accounts. There are always more and more advanced attempts by naughty people to try and fool you into giving them your stuff.
But for now, if you’re happy and content with your Steam login setup, there’s nothing to worry about.
Valve’s statement in full:
You may have seen reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems.
We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.
The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.
You do not need to change your passwords or phone numbers as a result of this event. It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious. We recommend regularly checking your Steam account security at any time at
We also recommend setting up the Steam Mobile Authenticator if you haven’t already, as it gives us the best way to send secure messages about your account and your account’s safety.
Source: Steam