15.05.2025 09:56

Darknet Leak: 89 Million Steam User Records Up for Sale—70% of All Users Affected

A hacker known as Machine1337 has put up a massive dataset containing the personal information of 89 million Steam users for sale on the darknet.

This staggering figure represents roughly 70% of Steam’s total user base as of May 2025. The data dump includes sensitive details such as SMS codes and phone numbers, posing a significant risk to user security.

The asking price for the entire dataset is $5,000, though a sample of 3,000 records has already been released publicly for free, likely as a teaser to attract buyers.

Journalists and cybersecurity experts speculate that the breach may not stem from a direct compromise of Steam’s systems but could instead be linked to a supply chain attack on Twilio, a third-party service that handles two-factor authentication (2FA) for many platforms, including Steam.

Twilio has been a target in similar incidents in the past, where attackers exploited vulnerabilities to intercept SMS-based 2FA codes, allowing them to bypass security measures and access user accounts.

Valve, Steam’s parent company, has responded swiftly, stating that they are conducting a thorough investigation into the matter. As of now, they have found no evidence of a direct breach within their systems.

However, the scale of the leak has raised alarms, and the company is urging users to take immediate steps to protect their accounts. Valve strongly recommends enabling the Steam Guard Mobile Authenticator, which provides a more secure alternative to SMS-based 2FA by generating codes directly on a user’s device.

They also advise users to closely monitor their account activity for any suspicious behavior, such as unauthorized logins or changes to account settings.

The leak underscores the growing risks of supply chain attacks, where hackers target third-party vendors to access sensitive user data indirectly.

For Steam users, the exposure of phone numbers and SMS codes could lead to phishing attempts, account takeovers, or even SIM-swapping attacks, where attackers trick mobile carriers into transferring a victim’s phone number to a new device.

Cybersecurity experts emphasize the importance of using app-based authenticators over SMS, as the latter has become increasingly vulnerable to interception.


As the investigation unfolds, Steam users are left on high alert, with many questioning the safety of their personal information. This incident serves as a stark reminder of the importance of robust security practices in an era where data breaches are all too common. For now, enabling Steam Guard and staying vigilant are the best defenses against potential fallout from this massive leak.

