• The scale of the incident: Supposed, that the data is compromised 89 Millions of Steam accounts, which is about two -thirds of all users of the platform.
• Source of leakage: Leak is associated with Twilio, third -party service, used to send two -factor authentication codes (2FA), Although Twilio denies the fact of hacking.
• Potential risks: Flowing data, Including 2FA codes, can be used for phishing and interception sessions.
• Uncertainty: Neither steam, Neither Twilio was officially confirmed by hacking, What raises questions about the exact source of data.
• Recommendations: Users are advised to change passwords, Update 2FA and be vigilant to phishing attacks.

What happened?

Reported, that data 89 Millions of Steam accounts were at risk due to the alleged leakage, associated with Twilio, service, which Steam uses to send SMS with 2FA codes. Flowing data, Including SMS logs, 2FA codes and metadata, Sold on the dark side of the Internet for $5,000. However, Twilio denies, that their systems were hacked, which adds uncertainty to the situation.

Why is it important?

If the data really flowed, hackers can use them for phishing attacks, PROSED STEAM, or to intercept sessions, Going around the entrance protection. This is especially dangerous for users, relying on SMS for 2FA, since such methods are less safe, than alternatives, such as Steam Guard.

What to do to users?

To protect your accounts, Steam users must:

• Change Steam password and make sure, that he is unique.
• Switch to safer 2FA methods, such as Steam Guard, Instead of SMS.
• Monitor suspicious activity in e -mail.
• Avoid clicks by links in messages, which seem official notifications from Steam.

---

Detailed report on the alleged hacking of Steam data

Introduction

Recently information about the alleged data leak, Touching Ascentingly, which potentially at risk of personal information about 89 Millions of Steam users - about two -thirds of all accounts of this popular game platform. Leakage, which was first announced by an independent game journalist (@MellowOnline1),

Yesterday, an alleged major @Steam data breach occurred, compromising over 89 million user records (roughly two-thirds of all Steam accounts).

These datasets are being sold for over $5,000 on what appears to be a site akin to Mipped.

Mipped alongside their sister sites is a…

— Mellow_Online1 (@MellowOnline1) May 11, 2025

not related to direct hacking of Steam servers, A, presumably, is the result of compromising a third -party Twilio service, used to send two -factor authentication codes (2FA) through SMS. However, Twilio denies the fact of hacking his systems (BleepingComputer: Twilio denies breach), which raises questions about the exact source of leaked data.

Details of the incident

According to the reports, attacker, Using the pseudonym Machine1337 (Also known as Energyweaponsuser), offers for sale a set of data for $5,000 on the forum, reminiscent of MIPPED - platform, previously related to shadow, such as blackmailing developers and manipulations with reviews. The flowed data include:

Type of data	Description
The contents of the messages	2fa codes, sent to users via SMS
Delivery status	Information about that, Whether the message was sent, delivered or not delivered
Metadada	Temporary marks, recipients and other information
The cost of routing	Data on the cost of sending each message

Analysis of the data sample, containing 3,000 records, confirmed the presence of historical SMS messages with disposable access codes, including recipient phone numbers (MobileSyrup: Steam accounts 89 million accounts impacted). This indicates that, that attackers could access Twilio systems, Maybe, through compromised account, API key or server control panel.

Denial of Twilio and uncertainty

Twilio categorically denies, that their systems were hacked, Saying in the commentary for BleepingComputer, that there is no evidence of compromising their infrastructure. This raises the question, could the data be obtained from the previous leak or other source. For example, In July 2024 year Authy service, belonging to Twilio, He was hacking, as a result of which were stolen 33 Million phone numbers. Also recently reported a hacking Sendgrid, another Twilio company, Although Sendgrid denies the presence of evidence. Lack of official confirmation from Twilio and the silence of Valve, Steam owner, Add uncertainty.

Potential risks

Data leaks create serious threats for Steam users:

• Fishing: Attackers can use flowing data to send fake messages, Seeing them for official notifications Steam, To lure the accounting data or money.
• Interception sessions: If hackers can intercept or re -use 2FA codes, They can go around the entrance protection, getting unauthorized access to accounts.

These risks are especially relevant for users, which use SMS for 2FA, since this method is less safe compared to alternatives, such as Steam Guard, Using a mobile application.

Communication with MIPPED

Platform, on which data are sold, resembles MIPPED - site, which, According to the Steam Sentinels group, for years associated with shadow practices, Including blackmailing, Manipulations with reviews and wrapping votes in Steam Greenlight (Techraptor: Shady Russian market). Despite the repeated warnings from Steam Sentinels, Steam did not take action against Mipped, What, Maybe, contributed to the scale of the current incident.

Recommendations for users

In the light of the estimated leakage, security experts and Steam Sentinels (Steam Community: Sentinels of the Store) recommend users to take the following measures:

1. Change the Steam password: Make sure, that the password is unique and is not used on other platforms.
2. Switch to Steam Guard: Use Steam mobile application for 2FA instead of SMS, since it is safer.
3. Monitor email: Follow the suspicious activity, such as unexpected attempts to enter or strange letters.
4. Beware of Fishing: Do not follow links in messages, which seem official notifications from Steam, and check their authenticity.
5. Join Steam Sentinels: Subscribe to the Sentinels of the Store group to receive updates and security tips.

Users are also recommended to consider the removal of saved credit cards from their Steam accounts and regularly check on card statements for unauthorized transactions.

Key sources:

• BleepingComputer: Twilio denies breach following leak of alleged Steam 2FA codes
• MobileSyrup: Over 89 million Steam accounts impacted in alleged data breach
• Tech.co: Data Breaches That Have Happened in 2024 & 2025 – Updated List
• Techraptor: Shady Russian market for asset-flip games uncovered
• BBC News: Valve’s online game service Steam hit by hackers
• X Post: MellowOnline1 on Steam data breach details
• X Post: MellowOnline1 clarifying supply-chain compromise