A new cybersecurity scare rippled through the gaming community this week. Allegedly, Steam data leaked online with reports speculating that data from 89 million Steam accounts has been breached. However, Valve, the company behind the world’s largest PC gaming platform, has responded swiftly, stating that no breach occurred and user accounts remain secure.
What Happened?
On May 15, 2025, reports began surfacing across forums and tech blogs suggesting that a massive cache of Steam user data had been leaked. The dataset allegedly contained SMS messages with one-time authentication codes and linked phone numbers, leading to fears of a major compromise of personal information.
Understandably, the news spread rapidly. Steam has over 120 million monthly active users, and a breach of this scale could have serious implications for user privacy and trust in the platform.
But according to Valve, the situation isn’t nearly as alarming as it first appeared.
Valve’s Official Response: No Breach Occurred
Valve has publicly confirmed that Steam’s systems were not breached and that no user credentials, passwords, or payment information were exposed. The leaked data reportedly consists of outdated SMS authentication codes which were only valid for 15 minutes at the time they were sent. These codes, Valve emphasized, pose no risk to current user accounts.
“There is no evidence of a breach of Steam’s infrastructure,” Valve stated. “The leaked messages are outdated and useless on their own. No sensitive account information was compromised.”
So, Where Did the Leak Come From?
While Valve’s systems are intact, the company believes the leak may have originated from a third-party SMS service provider used to deliver the authentication codes. Some early reports speculated that Twilio (a major player in the SMS delivery space) may have been involved. However, Valve clarified that it does not use Twilio, and Twilio has since confirmed it was not breached.
The true source of the leak remains under investigation, but current evidence points to a third-party issue unrelated to Steam’s own infrastructure.
What Was in the Leak?
According to security analysts reviewing the dataset, the leaked content includes:
- Phone numbers linked to Steam accounts.
- SMS messages containing Steam Guard one-time authentication codes.
However, these codes were time-limited, not reusable, and do not include passwords or access tokens. There is no indication that hackers could gain access to Steam accounts using this information.
Do Steam Users Need to Take Action?
For now, no action is necessary, according to Valve. There’s no need to change your password or phone number due to this incident. Still, the company is encouraging users to take basic security precautions to further protect their accounts.
The most important step? Enable Steam Guard Mobile Authenticator, which provides two-factor authentication (2FA) through the Steam mobile app. This feature generates unique login codes and offers stronger protection than traditional SMS-based 2FA.
How to Enable Steam Guard Mobile Authenticator
- Download the Steam mobile app on your smartphone.
- Log in and go to the Steam Guard menu.
- Tap on “Add Authenticator” and follow the instructions.
Once set up, your phone will generate time-sensitive codes that are required for login. This makes it significantly harder for attackers to access your account even if they have your password.
No Cause for Panic, But Stay Vigilant
While the initial reports were cause for concern, it appears the alleged Steam data leak is not a result of any compromise of Valve’s systems, and the exposed data is of minimal security value. Valve has been transparent in its communication and has reassured users that their accounts remain safe.
That said, it’s always wise to stay on top of your account security. Make sure 2FA is enabled, avoid phishing scams, and regularly review your account activity.
For now, Steam users can breathe a little easier, but this incident is a stark reminder of how even indirect data leaks can cause major confusion and fear in the digital world.
