If you think your Steam account is safe, think again—there’s word of a massive data breach affecting Steam on the dark web. I’m off to reset my Steam password and enable Steam Guard, just to be sure.

Your Steam Records Might Be for Sale on the Dark Web

A hacker dubbed Machine1337 claims to be selling 89 million Steam records on a dark web forum for a mere $5,000. The data appears to be originating from Twilio, a third-party service that Steam uses to send two-factor authentication (2FA) codes via SMS.

Independent video game journalist Mellow_Online1 spotted the hackers’ post and later claimed that new evidence confirms that at least some of the data is real. The hacker has also provided a sample of the leaked data, including the following information:

• Message contents: includes the actual 2FA codes received from Steam.
• Delivery status: whether the message was sent, delivered, or failed.
• Metadata: timestamps of message status updates, recipient phone numbers, and more.
• Routing costs: the cost involved with sending each message.

Looking at the leaked data, it seems Twilio has suffered yet another data breach. Its parent company, SendGrid, was the target of a data breach in April 2025, and Twilio’s 2FA app, Authy, was also breached in July 2024, leaking over 33 million phone numbers. We don’t have official confirmation from Twilio about a data breach yet, so there’s a chance the dataset for sale might be old data from one of Twilio’s previous breaches being repackaged and sold.

The presence of the aforementioned data implies that the hacker has access to Twilio’s backend. Steam’s servers and databases appear to be unharmed, but since Steam uses Twilio to send 2FA codes, you might still be at risk.

Should You Be Worried?

Hackers can use the compromised data to send some very convincing phishing messages, and if they can intercept or gain access to your 2FA codes, they can bypass login protection measures entirely. Thankfully, protecting yourself isn’t very difficult.

Start by changing your Steam password. If you were reusing the password on any other platform, now’s the time to update those passwords as well. Next, install the Steam app on your phone and enable Steam Guard for two-factor authentication.

Related

I Was Phished on Steam: How to Prevent It, and How to Respond

I was gaming with a friend right before his account was phished, and “he” asked me to vote for a CS:GO team. Unfortunately, I took the bait.

Keep an eye out for suspicious email activity like a game promotion or support message from Steam asking you to take some urgent action at the risk of losing your account. There are plenty of phishing scams on Steam, and if you’re not careful, you’ll find your account and Steam wallet balance going up in smoke.

The rest falls on Steam and Twilio to update their internal systems so the breach does as little harm as possible. Steam support can be quite helpful, so if you do lose your account, you can reach out to them for help.