Valve has dismissed widespread reports of a data breach that supposedly compromised the account details of over 89 million Steam users.
In a brief but firm post, Valve said it has examined the leaked data and confirmed that Steam’s systems had not been breached, and users did not need to change their passwords or phone numbers.
The leak consisted of old text messages containing one-time authentication codes that had all expired. These were linked to the phone numbers they were sent to, but the phone numbers were not linked to any account details.
“The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data,” Valve said. “Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.
“You do not need to change your passwords or phone numbers as a result of this event. It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious.”
Valve said it has not determined the source of the leak, noting that SMS messages like those leaked are unencrypted and pass through multiple providers. Earlier reports had suggested that a vendor used by Valve to send the authentication codes was the source.
According to the initial reports, such as this LinkedIn post by Underdark.ai, the data had been posted on the dark web for sale at a price of $5,000.
So, we can all rest easy. But it’s a good reminder to turn on two-factor authentication for Steam (and all your online accounts), and to be suspicious of unsolicited messages.
