Valve has confirmed that your Steam password, or other private information, did not leak. On top of that, Valve stated that the leak came from a different source than Steam, and does not provide info linked to your Steam account in any way you need to worry about.
In a statement sent to GameSpot, a Valve representative said “Yesterday we were made aware of reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems.”
The security company Underdark was the first to report the alleged leaks, writing on LinkedIn that information from 89 million Steam accounts was being sold on the dark web. However, Valve has corrected that, as the leak came from the SMS service that sends temporary two-factor login codes. Valve said that the phone numbers were leaked, but that any information related to your Steam account, including which account the phone numbers are tied to, was not leaked.
Valve continued the statement by saying that Steam users don’t need to change their passwords or be concerned following this scare, but Valve will continue to investigate to determine the origin of the breach. The company does recommend that users activate the Steam Mobile Authenticator because it provides a more secure way to authenticate your account compared to SMS authorization.
You can read Valve’s full statement to GameSpot below:
“Yesterday we were made aware of reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems.
We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.
The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.
From a Steam perspective, customers do not need to change their passwords or phone numbers as a result of this event. It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious. We recommend regularly checking your Steam account security at any time.
We also recommend Steam users set up the Steam Mobile Authenticator if they haven’t already, as it gives us the best way to send secure messages about their account and that account’s safety.”
