Valve has issued a statement addressing reports of a recent leak involving old text messages sent to Steam users, clarifying that its own systems were not breached. The clarification follows growing speculation about the source of the leaked data, which included SMS messages containing one-time passcodes and associated phone numbers.
News of the leak surfaced on May 13, when a hacker identifying as “Machine1337” reportedly began selling a cache of data allegedly tied to Steam, including metadata, phone numbers, and expired two-factor authentication codes. The data set is claimed to contain information on up to 89 million users, according to BleepingComputer, which also reviewed a sample of 3,000 leaked files. The files contained old login passcodes and recipients’ phone numbers, raising concerns among users about a potential breach of Valve’s security infrastructure.
In response, Valve released a public statement to confirm the authenticity of the leaked messages while firmly denying any compromise of its systems. “This was NOT a breach of Steam systems,” the company said. Instead, Valve attributes the exposure to the inherently insecure nature of SMS, noting that such messages are unencrypted in transit and are routed through multiple third-party providers before reaching users’ devices.
Valve clarified that the leaked messages were limited to older one-time codes, which were valid only for brief 15-minute windows, and did not contain any identifying information linking the phone numbers to specific Steam accounts. No passwords, payment data, or other personal information were included. As such, Valve reassured users that the leak poses no immediate threat to account security and that there is no need for users to change their passwords or phone numbers.
The company also addressed speculation around the messaging infrastructure, particularly rumours connecting the breach to Twilio. Both Valve and Twilio have denied any association, with the former stating explicitly that it does not use the latter’s services, whereas Twilio asserting that there is no evidence of a breach on its end after reviewing available samples of the leaked data.
Although the exact origin of the leak remains under investigation, Valve used the incident to remind users to remain cautious. The company advised treating any unsolicited security messages with suspicion and recommended regular reviews of account activity. Additionally, it encouraged users to enable the Steam Mobile Authenticator for stronger security, as it offers a more secure channel for account-related communications.
(Source: BleepingComputer, Valve / Steam)
