Steam Users: Understanding and Responding to the Recent Data Leak

Steam Data Leak

In the past few days, you may have heard alarming news about a data leak affecting Steam users. While the exact source is still under investigation, it is worth understanding what was exposed and taking a few immediate steps to protect your account. If this is the first time your data has been involved in a leak, know that the situation is serious but manageable, and that decisive action on your part is what matters.


Background of the Leak

Details are still emerging, but initial reports described a potential compromise of Steam user credentials: a threat actor advertised on a darknet forum that they were selling data for 89 million Steam accounts for US$5,000. Both Valve (Steam) and Twilio, the SMS delivery provider initially suspected, have stated that the leak did not originate from their systems, which makes tracing the source a complex process.

Regardless of the source, the important thing to remember is that some Steam user data has been exposed.

In the last 24 hours, Valve confirmed in a post on its blog that “The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data.”

Regardless of personal opinions or history, TechDecode advises all readers to treat this situation as seriously as if account passwords had been leaked. The next major leak, one that does contain passwords, could be only a day or two away.

The leaked data included:

  • Expired one-time codes (valid for only 15 minutes)
  • Phone numbers linked to Steam accounts
  • Metadata about SMS deliveries

Twilio, the communications platform initially suspected, denied involvement, and Valve confirmed that its own systems remained secure.


Implications: Why Should You Care?

While the leaked data may seem limited, it still poses risks:

  1. Phishing Attacks: Hackers could use leaked phone numbers to send fake security alerts or scam messages impersonating Steam support.
  2. Social Engineering: Scammers might exploit this data to trick users into revealing passwords or other sensitive details.
  3. SMS Vulnerabilities: The incident highlights why SMS-based 2FA is less secure than app-based alternatives (like the Steam Guard Mobile Authenticator). SMS codes travel through third parties, carriers and delivery providers such as Twilio, and can be logged or intercepted along the way; codes generated inside an app never leave your device.

Moreover, leaked phone data can facilitate SIM-swap fraud—where an attacker convinces a mobile carrier to port your number to a new SIM, intercepting calls and texts, including legitimate 2FA codes. Thus, even “harmless” information like your phone number is valuable to cybercriminals and must be safeguarded.

Valve emphasizes that no immediate action (such as changing your password) is required, but the proactive steps below will reduce your risk from the next leak.

Remember that you can review recent logins and authorised devices at any time under the security settings of your Steam account.


Immediate Steps for Every Steam User

  1. Enable or Reinforce Steam Guard: If you haven’t already, set up the Steam Mobile Authenticator in the Steam app. It generates codes inside the app, so they cannot be intercepted in transit the way SMS codes can. It is also easier to use: you can log in on another device simply by scanning a QR code with your phone:
    Steam Login with QR Code
  2. Review and Update Passwords: Use a unique, strong password for Steam and never reuse it elsewhere. Consider changing it now, especially if it is more than six months old or has ever been used on another site. A common habit is to use one password per category, such as one for games, one for finance and one for work. That is no longer a safe strategy: a single leaked game-store password then unlocks every other game account you own.
  3. Check Phone-Carrier Protections: Ask your mobile provider to add an account or port-out PIN so that a SIM-swap attempt cannot succeed with your leaked phone number alone.
  4. Beware of Phishing: Be suspicious of any unsolicited SMS or email claiming to be Steam Support, especially if they ask for codes or login details. Always verify through the official Steam website or app.
  5. Monitor Account Activity: In Steam’s security settings, review Authorized Devices and Login History to spot unusual logins. Revoke access to any device you don’t recognize.
Steam account activity showing authorised devices


In-Depth Protection Strategies

We have previously looked at what to do when your data gets breached, but here we focus on what Steam users need to do now. In any data breach, large or small, remember that the next one is just around the corner. So put measures in place now that make a breach less of an issue when it happens, rather than if it happens.

1. Password Hygiene

  • Password Manager: Use a reputable password manager to generate and store a complex, unique password for every site. Remembering a different password for each and every site is impractical, which is exactly what a password manager is for. If you do not trust a password manager that stores your vault in the cloud, look at self-hosting something like Vaultwarden, and keep an eye on our Build your own homelab series, where we will cover hosting it yourself soon.
  • Regular Rotation: Change critical passwords periodically, and always after a major leak anywhere in your broader ecosystem. If you reused the leaked password on other sites or services, those unfortunately need rotating as well. It would be ironic if a leaked Epic Games password gave attackers access to your Ubisoft account because only the Epic password was rotated (a hypothetical example).

2. Strong Multifactor Authentication (MFA)

  • App-Based MFA: Prefer authenticator apps (e.g., Steam Mobile Authenticator, Google Authenticator) over SMS or e-mail codes, and where a service has its own app, as Steam does, use that. Important: use MFA everywhere you can, not just on Steam. If your data leaks from one service, you are at risk on every other service where the same details were reused.
  • Hardware Tokens: For the strongest protection, use a FIDO2/WebAuthn security key (e.g., YubiKey) wherever it is supported. The key signs a challenge bound to the real site’s origin, so a look-alike domain cannot complete the login even if you were fooled into visiting it. Not all “everyday” services support keys yet, but for something like online banking this should be close to non-negotiable.

3. Phishing and Scam Awareness

  • Verify URLs: Before following a link in an e-mail or SMS, check that the host really is “steamcommunity.com” or “store.steampowered.com”, not a look-alike such as st0re.steamp0wered.com. Look at the part of the hostname immediately before the top-level domain: steamcommunity.com.example.net is not Steam, and neither is steampowered-support.com.
  • No Sharing of Codes: A Steam Guard code is only ever typed into the Steam login prompt itself, in the app or on the official website. Nobody from Steam Support will ask you for one, so treat any such request by message, call or e-mail as fraudulent. The same goes for any site or service that uses codes or passwords.
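The two checks above can be automated. The following script is an added example written for this article, not code from Valve or Steam: it treats the two official hosts named above as an allowlist, parses each link with Python’s urllib, and rejects the common tricks (digit-for-letter look-alikes, an official name used as a subdomain of an attacker’s domain, a “user@” part that hides the real host, Punycode hostnames, plain HTTP). The sample messages at the bottom are constructed for the demo.

```python
"""Added example (not from the original article): flag links that do not point
at an official Steam host. Allowlist taken from the article's own advice:
steamcommunity.com and store.steampowered.com (any genuine subdomain of
steampowered.com is accepted too). Sample messages below are constructed."""
import re
from urllib.parse import urlsplit

# Registrable domains we accept. This is an allowlist, so anything not listed
# fails closed; add other official Steam domains here if you need them.
ALLOWED_DOMAINS = {"steamcommunity.com", "steampowered.com"}

# Crude URL extractor for message bodies: stops at whitespace and quote/angle
# characters. Trailing punctuation is stripped afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def link_is_official(url: str) -> bool:
    """Return True only if the URL's host is an allowed Steam domain.

    Conservative by design: anything that fails to parse, is not HTTPS, carries
    a user:pass@ part, contains non-ASCII or Punycode labels, or is not exactly
    an allowed domain (or a real subdomain of one) is rejected.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    # "https://steamcommunity.com@evil.example/" parses with username
    # "steamcommunity.com" and hostname "evil.example". Steam links never carry
    # credentials, so refuse them outright rather than reasoning about them.
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False
    # A hostname spelled with a Cyrillic letter can look identical on screen;
    # it reaches us as non-ASCII or as an "xn--" (Punycode) label.
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return False
    # Exact match, or a genuine subdomain: the host must END with ".<domain>".
    # "steamcommunity.com.evil.example" ends with ".evil.example", so it fails;
    # "notsteampowered.com" lacks the leading dot, so it fails too.
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def suspicious_links(message: str) -> list:
    """Return every link in a message body that is NOT an official Steam link."""
    found = [u.rstrip(".,;:!?)") for u in URL_RE.findall(message)]
    return [u for u in found if not link_is_official(u)]


# Constructed sample messages for this example (not real SMS/e-mail captures).
SAMPLE_MESSAGES = [
    "Steam: your login code is 7F3KQ. Never share this code.",
    "Your account is flagged! Verify now at https://st0re.steamp0wered.com/verify",
    "Trade offer received: https://steamcommunity.com/tradeoffer/123/",
    "Support ticket: https://steamcommunity.com@evil.example/ticket",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        bad = suspicious_links(msg)
        print("SUSPICIOUS" if bad else "ok        ", "|", msg, "|", bad)
```

Note that the check inspects the hostname only; it says nothing about whether the page behind an official-looking link is safe, and a real attacker will also try shortened links that only resolve to a look-alike after a redirect. Treat a clean result as “not obviously fake”, not as proof.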

4. Account Monitoring & Recovery Planning

  • Check HaveIBeenPwned: Enter your e-mail address at haveibeenpwned.com to see whether it appears in other known leaks, and follow the remediation guidance for each one. If you haven’t already, subscribe to notifications so you hear about new leaks as they are loaded; verified subscribers are also shown sensitive breaches that are not searchable publicly.
  • Secure Recovery Options: Make sure the e-mail address on your Steam account is current and itself protected with MFA, and keep the recovery code Steam shows you when you enable the Mobile Authenticator somewhere safe and offline, so that losing your phone does not lock you out of your own account.
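Have I Been Pwned also lets you check a password against its leak corpus without ever revealing the password, which is the right way to test the “did my old password leak?” question raised in the password-hygiene and rotation advice above. The script below is an added example, not code from the article or from HIBP. It uses HIBP’s Pwned Passwords range API, which works on k-anonymity: the client sends only the first five hex characters of the password’s SHA-1, the server returns every known hash suffix with that prefix, and the comparison happens locally. The SAMPLE_RANGE text is a constructed stand-in for the server’s reply so the demo runs offline; only `fetch_range` and `is_pwned_online` touch the network and they are not called by default.

```python
"""Added example (not from the original article): k-anonymity password check
against Have I Been Pwned's Pwned Passwords corpus. Only a 5-character hash
prefix ever leaves the machine. SAMPLE_RANGE is a constructed server reply."""
from __future__ import annotations

import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the reply to GET /range/5BAA6, the prefix for
# SHA-1("password"). Real replies contain hundreds of lines. The suffixes and
# counts here are made up for this example, except that the middle line is the
# genuine suffix of SHA-1("password").
SAMPLE_RANGE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:4127
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Malformed lines are skipped.

    With the Add-Padding header the server mixes in fake suffixes with count 0
    to hide the response size; they are kept here but never count as a hit.
    """
    seen = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            seen[suffix.upper()] = int(count)
    return seen


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the corpus (0 = not found).

    range_body must be the reply for this password's own 5-char prefix;
    the full hash is never sent anywhere, the match is done here.
    """
    _, suffix = sha1_prefix_suffix(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch the real range from HIBP. Only the 5-char prefix is transmitted."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def is_pwned_online(password: str) -> int:
    """Live check (needs network): returns the breach count, 0 if unseen."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demo against the constructed reply. Call is_pwned_online() for a real check.
    for pw in ("password", "hunter2"):
        print(f"{pw!r}: seen {breach_count(pw, SAMPLE_RANGE)} times in the sample range")
```

A count above zero means that exact password is in a public leak and should be considered burned everywhere it was used, not just on the site where you noticed it. Because the server only ever sees a prefix shared by thousands of unrelated passwords, this check is safe to run even on your current passwords.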

Data Leaks Happen – You’re Not Alone

Data leaks of this scale are increasingly common. A few notable examples:

  • LinkedIn (2021): Up to 700 million profiles scraped or aggregated, exposing names, emails, and phone numbers.
  • Adobe (2013): 153 million user records were stolen, including passwords that were encrypted rather than hashed, alongside plaintext password hints.
  • Equifax (2017): Personal details (SSNs, birthdates) of 147 million people leaked, leading to widespread identity theft.
  • Facebook (2018): Data on 87 million users improperly shared with Cambridge Analytica.

These incidents show no one is immune, yet decisive action can greatly reduce your risk.


Final Thoughts: Don’t Panic, but Act

While the Steam leak isn’t catastrophic, it’s a wake-up call. Treat your online accounts like your house keys—protect them fiercely. Enable stronger 2FA, stay skeptical of unsolicited messages, and remember: security is a habit, not a one-time fix.

Stay safe, game on!