Valve has addressed the concerning reports of a potential data breach involving Steam, where information from approximately 89 million user accounts was allegedly found online. The company clarified that the leak did not originate from its own systems, while it continues to probe the circumstances surrounding the incident. Valve reassured users that the exposed data did not connect users’ phone numbers with their Steam accounts, nor did it include passwords, payment information, or other private data. Therefore, users are not required to change their passwords or phone numbers.
Details of the Alleged Steam Data Breach
This week, rumors of a significant data breach involving Steam emerged following a claim by a LinkedIn user, who reported encountering a malicious actor advertising the data of over 89 million Steam accounts for sale on a dark web forum for $5,000.
The initial report was shared by X user @MellowOnline1, who leads the Steam user advocacy group ‘Sentinels of the Store.’ They indicated that the data leak likely occurred outside of Steam, suggesting that the data included SMS logs related to two-factor authentication (2FA) used for Steam accounts, potentially implicating a third-party service contracted by Valve.
Update: An update suggests that the alleged Steam data breach is not a direct breach of Steam itself, but rather a supply chain compromise — meaning an external service that Steam relies on was targeted.
Here’s what we understand from this update:
New evidence confirms some…
— Mellow_Online1 (@MellowOnline1) May 11, 2025
Valve Assures Users of Steam System Integrity
In a statement released on Thursday, Valve confirmed awareness of the leak while maintaining that Steam’s systems were secure.
“You may have seen reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems,” the company stated.
Valve pointed out that they are investigating the source of the leak, noting that SMS messages are unencrypted during transmission and pass through multiple service providers to reach users’ devices.
The leaked information reportedly consists of older messages that contained one-time codes valid for brief periods, along with the phone numbers to which they were sent.
“The leaked data did not associate the phone numbers with a Steam account, password information, payment information, or other personal data. Old text messages cannot be used to breach the security of your Steam account,” Valve emphasized, adding that users would receive confirmation via email and/or Steam secure messages if a code was used to alter their account settings.
Consequently, users are not obliged to change their Steam passwords or phone numbers. However, Valve has urged all Steam users to remain vigilant regarding any unfamiliar account security messages and to routinely check their account security settings.
Furthermore, Valve encouraged users to activate the Steam Mobile Authenticator to enhance the security of their messaging regarding account safety.
