A Steam logo of a video game digital distribution service is seen on a smartphone and a pc screen.
Over the past day or so, a viral story spread that there was a Steam data breach that could expose account information millions of players. At the very least, it seemed worth changing your password as of course no one wants to get hacked and lose potentially thousands of dollars of a game library. I was even paranoid enough to do that myself.
Well, about that.
This whole saga started in the Dark Web, a thing that yes, really does exist, where a user reported that they were selling 89 million accounts’ data, and word subsequently spread like wildfire.
However, Valve has now commented that this was not a breach of Steam systems, but a leak of “older text messages” that had been sent to Steam users, which include one-time codes and the phone numbers they were sent to. But those codes don’t work. And the phone numbers are not able to be linked to specific Steam accounts. You can just read the entire thing here:
“Yesterday we were made aware of reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems.
We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.
The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.
From a Steam perspective, customers do not need to change their passwords or phone numbers as a result of this event. It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious. We recommend regularly checking your Steam account security at any time at https://store.steampowered.com/account/authorizeddevices.
We also recommend Steam users set up the Steam Mobile Authenticator if they haven’t already, as it gives us the best way to send secure messages about their account and that account’s safety.”
So no, Valve says this is not a breach that endangers your Steam account and you do not have to do anything as elaborate as change your password or phone number associated with your account. That said, they say any time is a good time to check out your Steam security especially by setting up Two-Factor Authentication.
What can I say? I was swept up in the paranoia. But Valve says that wasn’t necessary and what was exposed here appears to be useless in going after specific accounts.
Follow me on Twitter, Threads, YouTube, and Instagram.
Pick up my sci-fi novels the Herokiller series and The Earthborn Trilogy.