Valve denies 89 million Steam accounts' data leaked, but gamers concerned

Yesterday, an alleged major @Steam data breach occurred, compromising over 89 million user records (roughly two-thirds of all Steam accounts).

These datasets are being sold for over $5,000 on what appears to be a site akin to Mipped.

Mipped alongside their sister sites is a…

However, Valve responded swiftly, stating the leaked data comprised obsolete SMS codes sent via an external communications provider and not through its own systems.

“We have examined the leak sample and have determined this was NOT a breach of Steam systems,” Valve said in a public statement.

https://store.steampowered.com/news/app/593110/view/533224478739530145

At the time of reporting, over 30 million users were concurrently online on Steam, underlining the scale of potential impact. While no passwords, payment data or account credentials were accessed, security experts have urged caution.

The root of the leak appears to be an external SMS provider previously used to deliver two-factor authentication codes.

Those codes, now expired, were likely scraped or acquired through third-party vulnerabilities rather than a direct breach of Steam.

Despite Valve’s assurance, cybersecurity researchers warn that even outdated information could be used in targeted phishing campaigns.

They advise all Steam users to:

• Change their passwords to strong, unique ones

• Replace SMS-based 2FA with Steam Mobile Authenticator

• Review login history and account activity for suspicious behaviour

• Stay alert to phishing attempts mimicking Steam Support

Users are also urged to ignore unsolicited SMS one-time passwords and avoid clicking on suspicious links, particularly in emails referencing game offers or security warnings.

While Valve appears to have dodged a direct compromise, the incident highlights ongoing risks tied to third-party security lapses — and the need for users to stay vigilant.