Massive Alleged Steam Data Breach Results in Over 89 Million Records for Sale

• Steam could have been hit by a huge data breach, exposing millions of users.
• Evidence points to vendor-side compromise – more specifically, U.S. messaging giant Twilio.
• The dark net seller claims these 89 million records are a partial and fresh leak.

A significant data breach reportedly hit Steam, the gaming platform owned by Valve. A threat actor under the alias Machine1337 posted on a prominent dark web forum, offering a dataset allegedly containing over 89 million user records for $5,000. 

The dark web post includes:

• Contact for Purchase: A Telegram handle provided by the threat actor for negotiations.
• Sample Data: The sample information is hosted publicly on Gofile, fueling plausibility.
• Internal Vendor Mentions: References to internal vendor data suggest compromise at a deeper level beyond simple platform scraping.

Shortly after the initial announcement, fresh evidence emerged suggesting an upstream compromise at the vendor level. A leaked sample of the data reportedly includes two-factor authentication (2FA) SMS logs sent via Twilio, a third-party U.S. communications platform. 

The logs point to access of internal vendor systems and include SMS contents and metadata, delivery statuses and routing costs, and evidence of potential API or dashboard exploitation.

This development indicates that the data breach might not have targeted Steam directly but instead exploited vulnerabilities in its supply chain. 

Supply chain compromises amplify the impact by introducing additional attack vectors, including session hijacking via intercepted 2FA codes and spear phishing users with knowledge of recent 2FA activity or other personal details.

If verified, this breach could have severe implications for Steam’s global user base. Steam accounts often hold not just gaming data but also personal and financial information, making them a prime target for cybercriminals. 

Potential consequences include large-scale phishing campaigns targeting affected users, account takeovers, particularly for high-value accounts tied to rare virtual assets or games, or credential stuffing attacks leveraging reused passwords.

These risks demand immediate action from Steam users to safeguard their accounts and mitigate exposure.

While investigations by the infosecurity community and Valve are ongoing, impacted users and the broader Steam community should enable 2FA on Steam accounts and change passwords immediately, ensuring they’re unique and not reused across multiple accounts.