There have been rumors about a large-scale data breach impacting nearly 90 million Steam accounts. However, the original source was debunked, so you probably don’t have anything to worry about.

A post shared by ‘Underdark AI’ on LinkedIn, supposedly sourced from a “well-known dark web forum,” claimed that a hacker had accessed the data of more than 89 million Steam users. The stolen information was said to include usernames and passwords and private SMS logs with 2FA codes, message details, and delivery status, all for $5,000. That low price is pretty fishy, and IT professionals’ comments pointed out that this seemed like a leap.

Dr. Kunz, a security expert, pointed out in the comments that while the leaked data supposedly included phone numbers and expired one-time codes, it did not contain key details like usernames, Steam IDs, or password hashes. Basically, the information was so cheap because it wasn’t what was claimed and didn’t have “any other use than phishing campaigns.” In fact, the original poster admitted they were “not sure we should take his point as if it is science.”

Even still, the original worrying news was quickly spread further by a Twitter/X user named Mellow_Online1, who at first presented it as a major data breach. Mellow_Online1 mentioned that the data was being sold on a dark web forum, which made people even more concerned. That was spread through multiple video game websites before any confirmation that the news was real, despite the original post admitting it shouldn’t be taken as fact.

Related

When Is the Last Time You Updated Your Steam Password?

Has it been a few months, or a few years?

Steam allegedly found out about all this and contacted the user. Mellow_Online1 posted several updates and clarifications, explaining that the data did not come from a direct breach of Steam’s systems but possibly from a third-party company, which was first thought to be Twilio. This service provider handles communications, including SMS-based 2FA.

Valve allegedly confirmed to Mellow_Online1 that it does not use Twilio, which directly contradicted Mellow_Online1’s first report and the claims about where the data came from. If this response was real, it would be even more confirmation not to take this news as factual. We reached out to Valve for a statement, and we will update this article when we hear back.

While this seems to have been false information, it’s important to always have two-factor authorization on your Steam account. Even if someone gets your passwords, you will be able to see that a login attempt is being made, and it won’t go through without the code sent to you. This way, you’d be able to rest easy if this kind of thing did actually happen.

Even if you didn’t see the original post get debunked, the following tweet’s low price of $5,000 for the supposed 89 million accounts and the unknown source were already red flags. We’ll update this article when we hear back from Valve, or there are more updates to share.

Sources: ‪Neco-Tan/BlueSky, Christopher Kunz/LinkedIn