Data breaches and leaks have become common, and each new claim sparks panic among users and organizations alike. On May 13, 2025, alarming claims surfaced online alleging a massive data breach affecting Steam, the popular digital gaming platform developed by Valve Corporation. A threat actor operating under the alias Machine1337 (also known as EnergyWeaponsUser) claimed to possess over 89 million Steam user records, including sensitive two-factor authentication (2FA) codes and associated phone numbers, and offered to sell this data for $5,000. Initial speculation pointed to Twilio, a U.S.-based cloud communications company that provides 2FA services, as the source of the breach. However, Twilio swiftly denied any compromise, and Valve clarified that the incident was not a direct breach of Steam’s systems. This post covers the details of the alleged leak, Twilio’s response, Valve’s stance, and the broader implications for cybersecurity and user protection.
The Alleged Steam Data Leak: What Happened?
The controversy began when Machine1337 advertised a trove of data supposedly extracted from Steam on an underground forum. According to BleepingComputer, a sample of the leaked files, containing 3,000 records, revealed historic SMS text messages with one-time passcodes used for Steam’s 2FA, along with recipients’ phone numbers. The sheer scale of the alleged breach—89 million records, representing roughly two-thirds of Steam’s estimated 130 million monthly active users—sent shockwaves through the gaming community. Social media platforms, particularly X, amplified the panic, with users and cybersecurity experts speculating about the breach’s origins and potential impact.
Early reports suggested that the leak might have stemmed from Twilio, a company known for its Verify API, which facilitates 2FA through SMS, voice, email, and other channels. An independent gaming journalist, MellowOnline1, pointed to technical evidence in the leaked data, such as real-time SMS log entries, that appeared to originate from Twilio’s backend systems. This led to hypotheses of a compromised admin account or misuse of API keys at Twilio. However, Twilio’s swift denial and Valve’s subsequent clarification that it does not use Twilio’s services raised more questions than answers.
Twilio’s Response: No Evidence of a Breach
Twilio, a trusted provider of communication APIs for companies worldwide, issued a statement to BleepingComputer denying any breach of its systems. “There is no evidence to suggest that Twilio was breached,” a spokesperson said. “We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio.” This response was echoed across multiple reports, with Twilio emphasizing that its investigation found no signs of compromise. The company’s proactive stance aimed to quell speculation, but the inclusion of Twilio’s name in the leaked data—specifically in metadata and routing details—kept the debate alive.
Twilio’s Verify API is widely used by organizations, including gaming platforms, to deliver secure 2FA codes. The company’s reputation has been tested before, with a reported breach in July 2024 and security issues at its parent company, SendGrid. However, Twilio’s assertion that it was not the source of the Steam leak aligns with Valve’s claim that Steam’s internal systems remained uncompromised. The question then becomes: where did the data come from?
Valve’s Clarification: Not a Steam Breach
Valve, the developer of Steam, responded to the rumors via a statement reported by The Verge, asserting that the incident “was not a breach of Steam systems.” The company emphasized that users did not need to change their passwords or phone numbers as a direct result of the leak. Valve also denied any partnership with Twilio, contradicting earlier assumptions that Twilio handled Steam’s SMS-based 2FA. Instead, Valve suggested that the leaked data, consisting of outdated 2FA codes, might have originated from an intermediary SMS provider in the supply chain.
This clarification significantly reduced the perceived severity of the incident. Since the leaked 2FA codes were historic and no longer valid, they posed minimal risk to account security. However, the inclusion of phone numbers in the leaked data raised concerns about potential phishing attacks, where hackers could use this information to craft convincing scams targeting Steam users. Valve recommended enabling the Steam Guard Mobile Authenticator, a more secure 2FA method than SMS, to bolster account protection.
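Why historic codes carry little risk, shown as an added example that is not code from Valve, Twilio or the original post: a small verifier for SMS one-time codes that expire and can be redeemed only once, run against a constructed "leaked log" row. The class and function names, the 5-minute lifetime and the sample record are assumptions for illustration; the page does not describe how Steam validates its codes.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 300  # assumed validity window; the page does not state Steam's

class OtpVerifier:
    """Issues SMS one-time codes that expire and can be redeemed only once."""

    def __init__(self, ttl=OTP_TTL_SECONDS):
        self.ttl = ttl
        self._pending = {}  # phone -> (sha256 digest of code, issued_at)

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def issue(self, phone, now):
        code = f"{secrets.randbelow(10**6):06d}"
        # Keep only a digest so the verifier's own state is not a code log.
        self._pending[phone] = (self._digest(code), now)
        return code  # plaintext leaves here for the SMS delivery chain

    def verify(self, phone, code, now):
        entry = self._pending.get(phone)
        if entry is None:
            return "no-pending-code"
        digest, issued_at = entry
        if now - issued_at > self.ttl:
            del self._pending[phone]
            return "expired"
        if not hmac.compare_digest(digest, self._digest(code)):
            return "mismatch"
        del self._pending[phone]  # single use: a second redemption fails
        return "ok"

def replay_leaked_record(days_old=30):
    """Check a constructed 'leaked SMS log' row against the verifier."""
    verifier, fresh = OtpVerifier(), OtpVerifier()
    issued_at = 1_700_000_000  # constructed timestamp
    phone = "+15555550100"     # constructed, fictional number
    leaked = {"to": phone, "status": "delivered",
              "body": f"Your code is {verifier.issue(phone, issued_at)}"}
    leaked_code = leaked["body"].rsplit(" ", 1)[1]
    fresh_code = fresh.issue(phone, issued_at)
    return {
        "replayed_later": verifier.verify(phone, leaked_code, issued_at + days_old * 86400),
        "in_window": fresh.verify(phone, fresh_code, issued_at + 60),
        "second_use": fresh.verify(phone, fresh_code, issued_at + 61),
    }
```

The phone number in the leaked row stays valid after the code has expired, which is why the remaining exposure is phishing rather than account takeover.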
The Supply Chain Hypothesis
The emerging consensus among cybersecurity experts is that the leak likely resulted from a supply chain compromise rather than a direct attack on Steam or Twilio. Supply chain attacks target third-party vendors or intermediaries that provide services to larger organizations. In this case, an SMS provider handling messages between Steam and its users could have been the weak link. The leaked data’s metadata, including delivery statuses and routing costs, supports this theory, as such details are typically managed by SMS aggregators or intermediaries.
MellowOnline1’s analysis, shared on X, highlighted the complexity of the supply chain involved in delivering 2FA codes. Steam likely contracts multiple intermediaries to route SMS messages globally, and a breach at any point in this chain could explain the leak. This scenario underscores the challenges of securing modern digital ecosystems, where reliance on third-party services introduces vulnerabilities that even robust organizations like Valve cannot fully control.
Implications for Steam Users
For Steam’s millions of users, the alleged breach serves as a reminder of the importance of proactive account security. While Valve and Twilio have downplayed the incident, the exposure of phone numbers could enable phishing campaigns or social engineering attacks. Here are steps Steam users can take to protect themselves:
- Enable Steam Guard Mobile Authenticator: Unlike SMS-based 2FA, which is vulnerable to interception, the Steam Guard Mobile Authenticator generates codes directly on a user’s device, offering greater security.
- Change Passwords Regularly: Although Valve stated that password changes are not necessary, updating passwords periodically and avoiding reuse across platforms is a best practice.
- Monitor Account Activity: Users should check for unauthorized login attempts or suspicious activity in their Steam accounts.
- Beware of Phishing Scams: Hackers may exploit the leak’s publicity to send fake “Steam Support” messages. Never share login credentials or 2FA codes via email or unverified links.
The Bigger Picture: Cybersecurity in 2025
The Steam leak controversy highlights broader trends in cybersecurity as of May 2025. Data breaches, whether real or alleged, continue to dominate headlines, with 67% of companies experiencing breaches in the past 24 months despite increased cybersecurity investments. The rise of supply chain attacks, as seen in incidents involving LockBit and other ransomware groups, underscores the need for organizations to vet third-party vendors rigorously.
Moreover, the incident reflects the limitations of SMS-based 2FA. While convenient, SMS codes can be intercepted through techniques like phone number spoofing, making app-based authenticators or passkeys more secure alternatives. As cyber threats evolve, companies like Valve and Twilio must innovate to stay ahead, while users must adopt stronger security habits.
A Wake-Up Call for Vigilance
The alleged Steam data leak, while not as severe as initially feared, serves as a wake-up call for both users and organizations. Twilio’s denial of a breach, coupled with Valve’s assurance that Steam’s systems were not compromised, suggests that the incident was likely a supply chain issue rather than a direct attack. However, the exposure of phone numbers and the public’s reaction on platforms like X highlight the fragility of trust in digital ecosystems.
For Steam users, the incident is an opportunity to strengthen account security by adopting the Steam Guard Mobile Authenticator and staying vigilant against phishing attempts. For the cybersecurity community, it’s a reminder that supply chain vulnerabilities remain a critical challenge. As we navigate an increasingly connected world, collaboration between companies, transparency in addressing incidents, and user education will be key to staying one step ahead of cybercriminals.