Alleged Steam hack: Data leak contains SMS transmission logs
The seller announced 89 million data records from the gaming platform's inventory on the darknet. They contain telephone numbers and one-time codes.
(Image: Rokas Tenys/Shutterstock.com)
An alleged data leak from the gaming platform Steam is said to contain 89 million data records – an unknown person has been trying to sell them on the Darknet for 5,000 US dollars since last Saturday. However, the response has been poor and the explosive nature of the data is questionable.
Data from attacks against game publishers and distribution platforms is constantly circulating on the Darknet. The market leader Steam, which has over 130 million customers, is particularly popular. In addition to credit card or PayPal payment information, criminals can also capture virtual collectibles in Steam accounts, which can fetch considerable sums of money. The offer for sale by user "Machine1337" in a relevant forum therefore quickly caused a stir on the Clearweb: he claimed to have captured 89 million data records and now wanted to sell them for 5,000 dollars.
Videos by heise
On darknet marketplaces, the word "record" often refers to individual rows of data, but not to different accounts. This is also the case here: What Machine1337 is apparently offering for sale are logs of two-factor text messages sent to Steam users. A test file comprising three thousand lines contains around 1,800 different Portuguese phone numbers as well as metadata about the sending, its cost and the text of the SMS sent. The authenticity of the data cannot be independently verified, but at first glance the file looks plausible.
(Image: heise security)
The reactions in the forum are therefore rather underwhelmed: "There was a lot of hype, but in fact it was just a storm in a teacup" (the Russian idiom "пук в лужу" literally means "a fart in a puddle"), is one opinion.
Phone numbers included, access data not
The data set contains phone numbers and (expired) one-time codes, but no references to access data such as user name, Steam ID or even password hashes. Whether Steam customers should now change their passwords as a precaution or install the "Steam Guard" security app seems questionable to say the least.
However, anyone who has used SMS codes as a second factor to log in to Steam in the recent past – some of the data dates back to March 2025 – should take a closer look at text messages on the affected mobile device in future. Cybercriminals could use the captured phone numbers to set up convincing phishing campaigns offering Steam vouchers or threatening to block accounts.
Origin unclear – Twilio and Steam deny this
The data apparently originated from text messages sent via the service provider Twilio, which denied a security incident to Bleeping Computer. Steam operator Valve also denied any cooperation with Twilio. It is possible that the transfer protocols were lost by a service provider.
Steam is one of the largest marketplaces for PC games, but customers only acquire a right of use that expires if their Steam account is deleted or hacked, for example. We explain how to acquire PC games on other download platforms and keep them forever in a c't article.
(cku)
