Steam 2FA Breach: What We Know About the Alleged Leak of 89 Million Accounts
On May 13, 2025, reports surfaced about a potential data breach affecting over 89 million Steam accounts. The leak reportedly involved two-factor authentication (2FA) codes, raising concerns among the gaming community. However, subsequent investigations suggest that the breach may have originated from a third-party service rather than Steam itself.
A threat actor known as “EnergyWeaponUser” advertised a database for sale on a dark web forum, claiming it contained over 89 million records of Steam users’ phone numbers and one-time passcodes (OTPs) used for 2FA. The dataset was reportedly priced at $5,000. An analysis of a sample comprising 3,000 records revealed historical SMS messages containing OTPs linked to Steam accounts, including the associated phone numbers.
Initial speculation pointed towards Twilio, a cloud communications platform that provides SMS services for 2FA, as the source of the breach. However, Twilio has denied any breach of its systems, stating:
“There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online and see no indication that this data was obtained from Twilio.”
This denial suggests that if the data was compromised, it may have originated from another intermediary SMS provider or through unauthorized access to Twilio’s services via compromised credentials or API keys.
As of now, there is no concrete evidence indicating that Steam account passwords were leaked. The breach appears to be limited to SMS-based OTPs used for 2FA. Nevertheless, the exposure of these codes could potentially allow attackers to bypass 2FA protections, especially if they have access to other user credentials through separate breaches or phishing attacks.
Valve, the company behind Steam, has not issued an official statement regarding the incident. However, reports suggest that Valve has communicated with independent security researchers, asserting that it does not use Twilio’s services for 2FA, further complicating the attribution of the breach.
In light of the potential risks, Steam users are advised to take the following precautions:
- Enable Steam Guard Mobile Authenticator: This provides an additional layer of security beyond SMS-based 2FA.
- Change Your Steam Password: Choose a strong, unique password that you haven’t used on other platforms.
- Monitor Account Activity: Regularly check your account for any unauthorized actions or login attempts.
- Be Cautious of Phishing Attempts: Be wary of unsolicited messages or emails requesting account information or login credentials.
This incident highlights the vulnerabilities associated with SMS-based 2FA: each code passes through mobile carriers and any intermediary SMS provider, and it can be intercepted or logged at any of those points, as the leaked message archive in this case shows. Security experts often recommend using app-based authenticators or hardware security keys for more robust protection.
While the full scope and impact of the alleged breach are still unfolding, the situation serves as a critical reminder of the importance of proactive cybersecurity measures and the need for transparency from service providers in the event of potential data compromises.
For more information on securing your Steam account and updates on this developing story, stay tuned to official Valve communications and trusted cybersecurity news sources.
How to Enable Steam Guard Mobile Authenticator
Step 1: Download the Steam Mobile App
Install the Steam app on your mobile device. It’s available for both Android and iOS.
Step 2: Log In to Your Steam Account
Open the app and sign in using your existing Steam credentials. If this is your first time logging in on the app, you’ll receive a Steam Guard code via email.
Step 3: Go to Steam Guard Settings
Once logged in:
- Tap the menu icon (☰) in the top left.
- Select Steam Guard.
Step 4: Enable the Authenticator
Choose “Add Authenticator”. You will be prompted to:
- Enter a phone number (if one isn’t already attached).
- Verify your number through a confirmation SMS.
Step 5: Backup Recovery Code
Once set up, Steam will give you a recovery code. Write this down and store it in a safe place. It’s the only way to regain access if you lose your phone.
Step 6: You’re Done
From now on, each time you log into Steam, you’ll use the Authenticator code from the mobile app. The code refreshes every 30 seconds for added security.
Why This Matters
Steam Guard Mobile Authenticator provides real-time protection by generating a unique code on your device. Unlike email or SMS-based 2FA, app-generated codes are harder to intercept, making your account significantly more secure—especially in light of recent 2FA SMS breaches.
For more details, you can also visit Steam’s official guide here:
https://help.steampowered.com/en/faqs/view/06B0-4166-497E-CEB2