When I first saw that 89 million Steam accounts were allegedly up for sale on the dark web, I had a mini heart attack. Like many of you, I’ve built up a library on Steam over the years that’s worth a small fortune. So the thought of it being exposed in a breach? Yeah, that got my attention.
But as the dust settled, it became clear: this was never a real breach.
Despite how fast the claim spread, and how alarming it sounded, multiple credible sources have now confirmed that the data was fabricated, and both Valve and Twilio have denied any involvement.
Still, it’s a timely reminder that security scares (even fake ones) can be the nudge we need to check our digital hygiene.
How the “Steam Breach” Story Started
According to a post on LinkedIn by a small cybersecurity outfit called Underdark AI, a hacker going by the alias “Machine1337” was offering 89 million Steam account records on a dark web forum, for just $5,000. The post claimed that the data included 2FA codes, phone numbers, and timestamps.
This claim was picked up by X user @MellowOnline1, who helped bring attention to it and even followed up with Valve for comment.
It sounded plausible. Steam accounts are high-value targets. But as noted by Bleeping Computer, the story began to unravel almost immediately.

Valve and Twilio Say: “Not Us.”
When contacted, a Valve spokesperson told MellowOnline1 that Valve doesn’t use Twilio. This is a key detail, since Twilio had been floated as the possible leak source because of its role in handling SMS communications for some platforms.
Twilio, in a statement to Bleeping Computer, also firmly denied any breach:
“There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio.”
That alone might have put the story to bed, but there was more.
Security Researchers: This “Leak” Doesn’t Add Up
As multiple sources, including Bleeping Computer and independent researchers, pointed out, the leaked data looked suspicious from the start:
- The SMS messages had generic formatting and were clearly outdated
- There were duplicate entries, inconsistent timestamps, and no real account metadata
- The dataset didn’t align with how Steam formats or sends its 2FA codes
In short, it looked like someone stitched together older leaks to make it seem new. According to Bleeping Computer, the dataset lacks key elements that would normally be present in a legitimate breach, like login tokens or user IDs.
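The red flags listed above (duplicate entries, inconsistent timestamps, no account metadata) can be checked mechanically when triaging an alleged dump. The script below is an added example, not code from Bleeping Computer or the researchers; the CSV layout, column names, and sample rows are constructed, and the account field names are hypothetical.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample: layout and rows are assumptions, not taken from the real dump.
SAMPLE = """phone,message,sent_at
+15550100,Your code is 48213,2025-03-01T10:00:00
+15550100,Your code is 48213,2025-03-01T10:00:00
+15550101,Your code is 77120,03/02/2025 11:15
+15550102,Your code is 90311,not-a-date
+15550103,Your code is 11845,2025-03-04T09:30:00
"""

# Hypothetical names for columns a genuine account breach would usually carry.
ACCOUNT_FIELDS = {"user_id", "account_id", "username", "login_token"}
# Timestamp layouts this triage recognises; mixed layouts suggest stitched sources.
FORMATS = ("%Y-%m-%dT%H:%M:%S", "%m/%d/%Y %H:%M")


def timestamp_format(value):
    """Return the first format that parses the value, or None if none does."""
    for fmt in FORMATS:
        try:
            datetime.strptime(value, fmt)
            return fmt
        except ValueError:
            continue
    return None


def triage(text):
    """Summarise duplicate rows, timestamp consistency, and account metadata."""
    reader = csv.DictReader(io.StringIO(text))
    rows = list(reader)
    row_counts = Counter(tuple(r.items()) for r in rows)
    formats = Counter(timestamp_format(r["sent_at"]) for r in rows)
    return {
        "rows": len(rows),
        "duplicate_rows": sum(n - 1 for n in row_counts.values()),
        "timestamp_formats": len([f for f in formats if f is not None]),
        "unparseable_timestamps": formats.get(None, 0),
        "account_fields_present": sorted(ACCOUNT_FIELDS & set(reader.fieldnames)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

More than one timestamp layout, exact duplicate rows, and an empty account-field list together point to recycled or stitched data rather than a fresh export from one system.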
So… What Was This?
At best, this was a sloppy fake. At worst, it was a marketing stunt gone sideways. Either way, there was no breach, and no reason to believe anyone’s Steam account was compromised in this particular incident.
But you know what? I still changed my password.
Why I Acted Anyway (and You Should Too)
False alarm or not, this story reminded me that it’s easy to get complacent. So I took it as an excuse to:
- Update my Steam password
- Double-check that Steam Guard (Valve’s 2FA) was enabled
- Audit my accounts to see which still rely on SMS-based 2FA, and start migrating them to app-based options
Because here’s the truth: this one was fake, but the next one might not be.
Real Protection for Your Digital Life
Whether you’re a gamer, a casual user, or just tired of remembering passwords, here are three real things you can do to protect yourself:
Use a password manager
Let it generate and store unique, strong passwords for every site. I use 1Password, but Bitwarden and Apple’s built-in Passwords app are solid, too.
Switch to app-based 2FA
As security researchers have long pointed out, SMS-based 2FA is vulnerable to phishing and SIM-swapping. Apps like Google Authenticator, Authy, or Steam Guard generate time-based codes locally and are much safer.
Clean out your old accounts
If you have accounts you haven’t used in years, consider closing them. They’re just attack vectors waiting to be rediscovered.
The 404 Take
So no, Steam wasn’t hacked. But this brief panic did remind me just how fragile our digital security can feel. And thanks to people like MellowOnline1 who followed up with Valve, and Bleeping Computer who dug into the details, we got to the truth quickly.
Even if this was a false alarm, it was a useful one. I’m walking away from it with tighter security, and I hope you will, too.