Valve Responds to Steam Security Incident, Claims Issue Not as Critical as Initially Thought

Uncategorized Mihnea


Valve Addresses Concerns Over Steam Data Leak, Affirms No Accounts Were Breached

Valve has officially addressed claims regarding a data leak tied to Steam, its widely-used video game distribution service. Earlier this week, the cybersecurity organization Underdark asserted that more than 89 million user records were up for sale on a dark web forum, causing significant alarm among PC gamers. Fortunately, Valve has clarified that the situation is not as alarming as initially thought.

In a statement published on the Steam News Hub on Wednesday, Valve confirmed it had evaluated the leaked data and concluded that it was not a result of a breach within Steam’s systems.

“We have analyzed the leak sample and have confirmed this was NOT a breach of Steam systems,” the company stressed.

As per Valve, the leaked information consisted of phone numbers and expired one-time texts utilized for two-factor authentication (2FA). These messages, which become invalid 15 minutes after they are sent, no longer pose any threat.

“The leaked data did not link the phone numbers to a Steam account, password details, payment data, or any other personal information,” Valve explained. “Old text messages cannot be used to compromise the security of your Steam account.”

Valve also assured users that any attempts to modify account credentials via SMS would trigger confirmation notifications through email or Steam’s secure messaging platform.

The initial report from Underdark had caused concern by implying that the leaked data contained 2FA messages routed through the cloud communications provider Twilio. However, Twilio refuted any involvement, indicating that there was no proof of a breach on their side. “We have scrutinized a sample of the data found online and see no signs that this data was sourced from Twilio,” a representative told Bleeping Computer.

Compounding the confusion, Valve later confirmed that it does not utilize Twilio’s services at all. This information was communicated by independent gaming journalist @MellowOnline1, who posted the update on social media.

Despite the encouraging news, Valve acknowledged that a leak did indeed take place and is actively probing its origin. The company pointed out that SMS messages are fundamentally vulnerable, as they are unencrypted and traverse multiple providers before delivering to users’ phones.

While Valve asserts there is no need to change your Steam password in light of this incident, it still advocates for good security practices. Users who are worried about their account security can examine their list of authorized devices and eliminate any that are unfamiliar. Moreover, activating the Steam Mobile Authenticator via the Steam Mobile App provides an additional layer of security.

For now, Steam users can relax, but this incident highlights the crucial nature of digital security and vigilance.