Steam hacker’s data leak debunked: Only SMS verification codes were stolen

Written by Michael Anthony Bitoon

Published 16 May 2025

Fact checked by

Sophia Feona Cantiller

Why trust Greenbot

We maintain a strict editorial policy dedicated to factual accuracy, relevance, and impartiality. Our content is written and edited by top industry professionals with first-hand experience. The content undergoes thorough review by experienced editors to guarantee and adherence to the highest standards of reporting and publishing.

Steam's Annual Golden Week Sale Begins Next Week | Game Rant

A dark web seller’s claim of holding 89 million Steam accounts captive crumbled Thursday when Valve Corporation confirmed only temporary text verification codes had been intercepted.

The hacker, known as Machine1337 or EnergyWeaponsUser, advertised the dataset for $5,000 on dark web forums starting May 12. Security researchers from BleepingComputer who looked at samples found text messages with temporary login codes sent to Steam users.

“We have examined the leak sample and have determined this was NOT a breach of Steam systems,” Valve stated on May 15. The company explained that the data consisted of “older text messages that included one-time codes that were only valid for 15-minute time frames.”

Valve’s investigation revealed a key detail: the leaked messages weren’t linked to user accounts. “The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data,” Valve confirmed.

The incident highlights vulnerabilities in SMS-based authentication. Valve noted that “any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone,” making them easier to intercept.

Early reports suggested the breach came from Twilio, a company that delivers authentication messages for many businesses. Twilio denied this claim.

“There is no evidence to suggest that Twilio was breached,” a company spokesperson told BleepingComputer. “We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio.”

Security experts now think the leak likely came from a middleman SMS provider handling messages between Steam and its users. Games journalist MellowOnline1 described the incident as a “supply-chain compromise,” where attackers target third-party services instead of the main platform.

Though there’s no immediate risk to users, Valve recommends using Steam Guard Mobile Authenticator and checking account activity regularly. Unlike text message verification, app-based security can’t be intercepted during transmission.

This incident follows other gaming industry breaches, including attacks on Game Freak and Insomniac in 2023, though those exposed company data rather than user information.

Users worried about account security can visit Steam’s authorized devices page at https://store.steampowered.com/account/authorizeddevices to check for unauthorized access.