Valve responds to Steam security breach, and it isn't as bad as it sounded

You may not have to change your password after all.
By Amanda Yeo

Valve has addressed Steam's security breach reported earlier this week, a leak which allegedly involved over 89 million user records. Fortunately, it apparently isn't as bad as it initially seemed.

In a post to the Steam News Hub on Wednesday, Valve acknowledged the issue but stressed that no user accounts for its popular video game distribution platform had actually been compromised.

"We have examined the leak sample and have determined this was NOT a breach of Steam systems," read the post (emphasis original).



While there was a leak, it apparently only included phone numbers and old, one-time text messages sent to them for two-factor authentication. The codes in these text messages expire 15 minutes after they're sent, so this archive of past authentication codes seems pretty useless to any bad actors who may access it.

"The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data," Valve continued (emphasis original). 

"Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages."

This news is a significant relief to PC gamers, many of whom were alarmed by the news of Steam's security breach over the weekend. In a LinkedIn post on Sunday, cybersecurity firm Underdark had reported that over 89 million Steam user records were being offered for sale on a dark web forum. 

Stating that they had analysed a sample of the data provided by the seller, Underdark claimed that it contained two-factor authentication text messaging records routed through Twilio. The cloud communications company offers products such as two-factor authentication software, and lists Shopify and Stripe among its clients.

However, Twilio denied any involvement in the Steam breach after investigating the incident. "There is no evidence to suggest that Twilio was breached," a Twilio spokesperson said in a statement to Bleeping Computer. "We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio."

What's more, Valve apparently doesn't even use Twilio. A Valve spokesperson reportedly told independent games journalist @MellowOnline1 on Tuesday that the company doesn't utilise Twilio's services at all.

Still, regardless of how it occurred or how harmless it may ultimately turn out to be, it's clear that there has been a breach. Valve is continuing to investigate the source of the leak, "which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone."

Considering the nature of this breach, Valve advises that changing your Steam password isn't necessary. Even so, it's still good general security hygiene to change your passwords every now and then.

If you're concerned about securing your Steam account, you can check your authorised devices and remove any you don't recognise. You can also set up the Steam Mobile Authenticator on the Steam Mobile App.

Amanda Yeo
Assistant Editor

Amanda Yeo is an Assistant Editor at Mashable, covering entertainment, culture, tech, science, and social good. Based in Australia, she writes about everything from video games and K-pop to movies and gadgets.
