89 Million Steam Accounts Allegedly Compromised in Massive Breach: What You Need to Know
A potential cybersecurity disaster is unfolding for the global gaming community. Reports are surfacing that nearly 89 million Steam accounts may have been compromised in what could be one of the largest data breaches in gaming history. With growing concern over the origin of the data and the lack of official communication from Valve Corporation—the company behind Steam—users are being urged to take immediate protective action.
Hacker Claims Sale of Millions of Steam User Accounts
The incident first gained traction online when a notorious dark web user going by the alias “Machine1337” (also known as “EnergyWeaponsUser”) began advertising a database allegedly containing sensitive data from tens of millions of Steam accounts. The listing appeared on a dark web forum, with the entire trove of information being offered for just $5,000—an alarmingly low price considering the value such data can hold.
According to the hacker’s claims, the breach includes one-time passcodes, linked phone numbers, and even authentication-related SMS messages. These details, if verified, could provide a roadmap for cybercriminals to take control of user accounts or launch sophisticated phishing attacks.
From Forums to Mainstream: How the News Spread
The first major flag was raised by cybersecurity firm Underdark AI, which identified and posted about the breach on LinkedIn. The post quickly caught the attention of the online cybersecurity and gaming communities.
Soon after, independent journalist and digital security advocate MellowOnline1—known for spearheading the SteamSentinels initiative focused on monitoring Steam-related fraud—shared the news more broadly on X (formerly known as Twitter). The community response was swift, with thousands of users expressing concern and confusion.
Steam’s Massive User Base Makes It a Prime Target
Steam is the world’s largest digital distribution platform for PC gaming, boasting over 120 million monthly active users. Many Steam accounts hold years of gaming history, collections worth hundreds or even thousands of dollars, and linked payment information. That makes any data breach not only significant but potentially catastrophic for the average user.
Given the scale of the alleged compromise, the potential fallout extends beyond just login credentials. It could lead to financial fraud, identity theft, and the resale of hijacked accounts on black-market platforms.
Twilio or Not? The Mystery of the Breach’s Origin
One of the biggest puzzles surrounding this breach is determining how the data was obtained. There’s currently no confirmed explanation, and both Valve and Twilio—the latter being a popular cloud-based SMS platform—have denied any security incident involving their systems.
Interestingly, technical analysis of the leaked data by cybersecurity outlet BleepingComputer found evidence suggesting that the data may have come from Twilio or an associated third-party provider. They examined a subset of 3,000 leaked records and discovered what appeared to be legitimate, recent SMS messages—some dating back to March 2025—that were consistent with two-factor authentication processes.
Despite this, Twilio released an official statement claiming:
“There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online and see no indication that this data was obtained from Twilio.”
Instead, Twilio suggested that a third-party intermediary that handles SMS communications between Twilio and end-users might be the source of the breach. This raises broader concerns about the vulnerability of the supply chain in digital communication services.
The API Key Theory: A Backdoor Breach?
MellowOnline1 offered a compelling theory that’s gaining traction among experts: the possibility that a compromised API key or an admin-level access point may have been exploited to harvest the user data.
If true, this would point toward a supply-chain vulnerability rather than a direct attack on Steam or Twilio. Essentially, someone may have gained access through a less secure third-party integration, underscoring how interconnected—and thus potentially fragile—the modern digital service ecosystem has become.
The Silence from Valve: Fueling More Concern
Perhaps most troubling to the Steam community is Valve’s complete lack of public response. As of now, the company has not issued any statement acknowledging or refuting the breach. While it’s possible Valve is still investigating the situation internally, the absence of transparency is leaving millions of users in the dark.
This silence has led to widespread speculation. Some believe Valve may be attempting to confirm the source of the breach before going public, while others worry that the company may be underestimating the threat or attempting damage control behind the scenes.
For a platform of Steam’s scale and influence, this kind of communication void is unusual—and, for many users, deeply frustrating.
Authenticity of the Data: Experts Weigh In
While the full extent of the breach has not yet been independently confirmed, several cybersecurity experts and researchers who’ve reviewed the leaked data say it appears legitimate. The fact that some messages are dated just months ago—March 2025—suggests the breach is recent and still highly relevant.
This timeline has major implications. It means that affected accounts might still be vulnerable, and the stolen information could actively be used in targeted attacks as we speak.
Why Steam Guard Matters Now More Than Ever
Valve’s built-in two-factor authentication system, Steam Guard, is emerging as the most effective line of defense against account hijacking. Users who have Steam Guard Mobile Authenticator enabled are believed to be significantly more protected, as access would still require the time-sensitive authentication code generated through the app.
Unfortunately, many users either haven’t enabled Steam Guard or are unaware of its capabilities. That gap in security readiness could now be the difference between maintaining control of an account and losing it entirely.
What Users Should Do Immediately
Until Valve issues an official statement, the best course of action is to assume the worst-case scenario and take defensive steps right away. Security experts are offering the following urgent recommendations:
1. Change Your Steam Password Immediately
Regardless of whether your account is directly affected, it’s crucial to update your Steam password. If you’ve reused the same password elsewhere, change those accounts too. Use a strong, unique password for each site.
2. Enable Steam Guard Mobile Authenticator
If you haven’t already, activate Steam Guard on your account. This feature adds an extra layer of protection through time-based codes generated on your mobile device. It’s widely regarded as one of the most secure 2FA implementations in gaming.
3. Monitor Account Activity
Check your Steam account for any unfamiliar activity. Look for unauthorized logins, friend requests, game purchases, or changes to your settings. Report anything suspicious immediately to Steam Support.
4. Be Cautious of Phishing Attempts
With phone numbers and partial authentication information allegedly in the wild, you should be extremely wary of any unexpected emails, text messages, or phone calls claiming to be from Steam. Never share login information or click on suspicious links.
5. Use a Password Manager
If you find it difficult to manage unique passwords across accounts, consider using a trusted password manager. These tools can generate and store secure passwords while protecting them with encryption.
A Wake-Up Call for the Gaming Industry
This incident, whether ultimately traced back to Valve, Twilio, or a third-party intermediary, highlights the immense security challenges facing the gaming world. Platforms like Steam aren’t just for fun anymore—they’re massive digital ecosystems involving financial transactions, personal data, and real money assets.
That makes them prime targets for increasingly sophisticated cybercriminals. As digital entertainment continues to grow, the need for airtight security protocols and prompt transparency becomes even more critical.
What This Means for Other Platforms
While this breach is currently focused on Steam, the ripple effects could extend across the broader tech and gaming industries. If a third-party service like an SMS gateway or authentication provider was exploited, other platforms that rely on similar vendors may also be vulnerable.
Expect more companies to start conducting internal audits and issuing their own statements over the coming weeks. The pressure is now on for digital platforms to proactively reinforce their cybersecurity systems before becoming the next headline.
Final Thoughts: Stay Vigilant, Stay Informed
In the absence of concrete answers from Valve, users must take their digital safety into their own hands. While it’s unclear how this story will unfold, what is clear is that the threat is real and potentially ongoing.
This isn’t just another data breach—it’s a pivotal moment that could redefine how gaming platforms handle security and communicate with their users during times of crisis.
If you’re a Steam user, now is the time to act. Update your credentials, enable every available security measure, and stay alert. Until we hear more from Valve or a trusted authority, it’s better to be safe than sorry.