UPDATE: Phew, Valve confirms alleged data breach was "not a breach of Steam systems" and says you don't need to change your password

UPDATE (15/05/25, 9:20 AM BST) Valve has now published a statement confirming that "the recent leak being reported did not breach Steam systems" and that Steam account passwords aren't affected.

"We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone," the company wrote, "The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data."

It added that: "You do not need to change your passwords or phone numbers as a result of this event. It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious." Setting up Steam's Mobile Authenticator on your account was also recommended.

UPDATE (14/05/25, 5:40 PM BST): SteamDB has flagged a LinkedIn post from Dr. Christopher Kunz, a security writer at German tech site Heise, who wrote in an article on the alleged breach: "The dataset contains phone numbers and (expired) one-time codes, but no references to access data such as usernames, Steam IDs, or even password hashes. Whether Steam customers should now change their passwords as a precaution or install the 'Steam Guard' security app seems at least questionable."

He added that stolen phone numbers could potentially be used "to launch convincing phishing campaigns enticing users with Steam vouchers or threatening account suspension", meaning you might want to be vigilant if you've recently used SMS codes as part of your Steam 2FA.

Original story follows:

Steam is one of the most popular platforms on PC, but it’s also been among the most secure. Unfortunately, it looks like one vendor that Valve may have worked with at some point has suffered a data breach, which has compromised the credentials of over 89 million users.

That’s close to 70% of the entirety of Steam's active user base, so there’s a good chance your username and password is included in this leak.

The information comes from Mellow_Online1 on Twitter, who brought attention to an Underdark AI Linkedin post about the discovery. It reveals that a hacker, who goes by the handle Machine1337, claims in post on a popular dark web forum that they’re in position of over 89 million Steam user records.

According to the seller, this is a “fresh” leak that includes more than user names and passwords - though they didn't share specifics. Further analysis by Underdark AI has apparently revealed that the batch contains two-factor SMS logs, message contents, metadata, delivery status and other details.

The vendor, which Valve had likely worked with in the past, appears to be the source of this breach. The vendor’s name appears in the logs, according to the post. It’s not unusual for Valve and other major companies to rely on third-party cloud hosts for tasks like sending users 2FA texts, but, so far at least, it appears Steam itself has not been breached.

While it’s not clear what, exactly, the bad actor is in position of, you should assume the leak includes user names and passwords, among other things. If a third-party 2FA vendor has indeed been breached, this could allow hackers to utilise their services to send fake messages to Steam users, or hijack real 2FA requests.

Whenever user details leak online, the first thing bad actors try to do is to also see if the same credentials are in use on multiple sites, which is something most of us are guilty of. This is why it’s crucial to change your Steam password, just to be safe. You should also enable two-factor authentication (Steam Guard) on all your accounts, and make sure to only use codes sent at the moment you initiated the request.

Thanks, XDA Developers.