In the last few hours, several media and cybersecurity experts have warned about a possible massive leak that has put Steam, the world's largest video game distribution platform for PCs, in check. An alleged hacker, identified as Machine1337, has posted on a forum on the dark web that he has a database with information on more than 89 million accounts, which would be available for as little as $5,000.
The magnitude of the alleged attack has generated a wave of concern among the gaming community, not only because of the volume of accounts affected, but also because, if confirmed, it would mean that about 70% of Steam's monthly active users (a platform that exceeds 120 million) would be at risk. But beyond the games, what is really at stake is your privacy and the security of your personal information.
What's in that alleged data package?
According to a report shared by the Underdark.ai team on LinkedIn, the file the hacker put up for sale is no small thing. In theory, it includes quite sensitive data, such as:
-
Emails and possibly phone numbers.
-
One-time verification codes sent via SMS.
-
Information related to two-step authentication (2FA), apparently managed through the provider Twilio.
To test how real all this is, some media outlets like BleepingComputer analyzed a sample of 3,000 records. The result? They found real SMS messages, with access codes, send dates, phone numbers and other technical details that point to the fact that at least part of the batch could be legitimate.
Read more: Hackers Sell Access to .gob.mx Site for 300 Dollars
Did Steam get hacked directly?
For now, there is no evidence that Steam's servers or Valve's databases have been directly compromised. In fact, Valve has not made any official statement on the matter and, for the time being, has decided not to answer questions about this alleged attack.
Some experts believe that the origin of the problem could be in an external provider. That is, they would not have entered through the front door, but through a vulnerability in the supply chain: some external service that manages important functions for Steam, such as sending verification codes by SMS.
So it was Twilio's fault?
One of the names that started to sound loud in the midst of this incident was Twilio, a company fairly well known for handling communication services, such as sending SMS, and which many platforms use to implement two-factor authentication (2FA). Some started to point to them as possibly responsible for the leak, but the company was clear: they didn't do it.
Twilio reviewed the leaked samples and assured that there is no evidence that the data left their systems. So, at least for now, there is no solid reason to blame them directly.
The confusion grew when MellowOnline1, a freelance journalist quite followed on networks, posted that the incident would be related to Twilio. Shortly after, he corrected himself and said that Valve would have confirmed to him that Steam does not use Twilio. But beware: that statement should also be taken with a grain of salt, as Twilio has not entirely denied whether or not it is related to Steam. In short, everything is still pretty murky.
Is this for real?
The truth is that the situation is in a strange spot. On the one hand, there are clues that suggest the data could be real: the sample includes authentic SMS, technical data that makes sense, and a format that looks legitimate. But on the other hand, there are several details that cast doubt:
-
The alleged data package sells for a mere $5,000, a rock-bottom price if it really contains what they claim.
-
There has been no wave of victims or reported cases to confirm the real impact.
-
Valve has said nothing officially, nor has it issued warnings or launched a public investigation.
-
Some believe the data may have come from an intermediary provider, not directly from Steam or Twilio.
And what can Steam users do?
While all this is being cleared up, the best thing to do is not to sit idly by. If you have a Steam account, there are several things you can do right now to put your mind at ease:
-
Change your password, especially if you use the same one on other services (spoiler: you shouldn't).
-
Enable Steam Guard, the two-step authentication that adds an extra layer of security.
-
Watch out for possible phishing attempts: if they have your email or phone number, they might try to trick you with fake messages.
-
Check your account from time to time for strange movements, access from strange places or modified settings.
Conclusion
It is not yet confirmed that there has been a direct leak from Steam. But there are enough signs to take the matter seriously. Everything points (for now) to a possible leak through an external provider, although we remain without clear answers. In the meantime, the most sensible thing to do is to apply basic security precautions. It costs nothing and can save you a lot of headaches if it turns out that the leak is real.
