About time I refreshed all my passwords anyway. Thanks for the heads-up.

1 month ago

Still, if you use 2FA your steam account should be safe. But if you use the same password and email on other accounts, those might need a change of password, yeah...
Also, a good time to drop this here https://haveibeenpwned.com/

1 month ago

I've always used and trusted this site, but they don't mention anything about Steam, so now I'm unsure if this Steam breach is real or not.

1 month ago

1) It takes time to properly update the website
2) The breach is still alleged
3) Maybe you weren't involved

Check back in a week to be sure. No results for me either yet.

1 month ago

As per reddit, the archive is currently highly dubious. Supposedly it contains SMS support records which MAY contain temporary passwords used in reset as well as IPs, phone numbers, and usernames. It is unlikely to contain any actual login information. Supposedly it is only going for about $5000 for 90 million records, which is extremely low for breach archives. However it does come from a reputable source known to the infosec community. Chances are it is known to be at best a low density of useful data, and probably doesn't warrant defensive effort on users' parts. Still never hurts to change passwords whenever you hear about anything.

1 month ago

The article says

Fingers then pointed at Twilio, stating that it handled Steam's 2FA systems and that the leak occurred from within its systems, but Valve then got in touch with MellowOnline1 and claimed that it had never used Twilio.

Which makes sense to me, because Steam sends the code via email or to their own app, none of them using SMS, I think.

Also, even if Steam account details are leaked, I honestly doubt that Valve stores passwords as plain text. Passwords are probably hashed with proper salting.

1 month ago

Thanks for the heads up!

1 month ago

Thank you !

1 month ago

Oof, thanks for the heads up. Might install Bitwarden as well

1 month ago

Whether it's legit or not, it's literally been years since I changed my Steam password, so I have done that anyway.

1 month ago

Well, I was getting pretty tired of the old one anyway.

1 month ago

Obviously activate Steam Guard if you don't have it active, and changing password is not a bad idea, but for now this alleged leak looks highly suspect. 5000$ for tens of millions of steam accounts is pennies, no reputable outlets (or Valve for that matter) seem to have verified authenticity of the data (for now) and MellowOnline1 fella is just some rando.

Edit: Also, IMPORTANT - as always with this type of incident, be VERY CAREFUL of phishing mails and other social engineering techniques. Regardless of whether the leak is real or not, other bad actors may use confusion and panic to trick you into obtaining your data. I would be especially wary of any mails from Valve claiming your account has been breached and providing you with a link to recover it.

1 month ago*

and MellowOnline1 fella is just some rando

Mellow has been looking out for the little guy (us users) for over 8 years. They are a Pillar of the Steam Community and consumer protection.

Keeping up to date with gaming news, investigating and reporting Steam issues like games that contain malware, scam/ripoff games (games that are copy and paste for example), games that buy reviews to cheat the system, banned developers that assume an alter ego to bypass the ban and other shady developer stuff.

Mellow even has the contact details of several Steam staff ... that kind of info isn't given to "rando" people.

1 month ago

While that is true, if you read their whole thread on X, apparently it turned out to be nothing. Changing passwords regularly and using 2FA still doesn't hurt.

1 month ago

Also it's a post on X from a rando, telling us about a post from a rando on LinkedIn, who has it from another rando that he saw a rando on "a reputable blackmarket forum" make a scam offer of 5000 bucks for Steam accounts.

whether leak is real or not other bad actors may use confusion and panic to trick you into obtaining your data. I would be especially wary for any mails from valve claiming your account has been breached and providing you with link to recover it.

Yeah sounds like the goal here.

1 month ago

I have Steam Guard, is there still a chance something could happen?

1 month ago

The worst that could happen, if it turns out that the leak is true and that your personal information was part of it is:

  • You get a notification on your mobile Steam app asking to confirm your login, even when you did not login. If this happens, you know that someone has your username and password.
  • You get more targeted phishing emails / SMS.

As long as you keep using Steam Guard properly, no one else should be able to log into your account.

1 month ago

Also, you should add that if you get a notification on your mobile Steam app asking to confirm your login then you should change your password immediately, even if you have 2FA enabled and you will not receive those notifications anymore.

1 month ago

You're right, that is important information to know and share. Thanks for pointing it out!

1 month ago

This chain of events is weird: first the guy claims Steam was hacked, then corrects himself saying it wasn't Steam but their external 2FA auth service, and then he says Valve approached him and said they don't use said service... so it's actually completely unrelated?

1 month ago

I had an email someone logged into the same country but a different town, mostly I would shrug it off as bad location detection but now?

1 month ago

IP location is oftentimes not that accurate, so it was probably your own login. Also if you read the whole source, probably nothing has happened. Changing passwords regularly and using 2FA still doesn't hurt.

1 month ago

But I can't remember having done something to have logged in around that day, but that was Sunday, and I can still log in and never had such an email anymore, so hopefully it's good, yeah.

Email authentication, I can't really be bothered having to use my mobile each time, I hate using mobiles in general too. Maybe I am old.

1 month ago

Does every rumored breach count as 'regularly'? Asking for a lazy friend...

1 month ago

I mean... nowadays... kinda? ^^

1 month ago

With my old ISP I'd sometimes get the geolocation thing telling me I was in a whole different province, I don't exactly trust that thing's accuracy. So my guess is that there's nothing to worry about.

1 month ago

Thanks.

1 month ago

As others have said, the IP location information is just not that accurate.

Out of an overabundance of caution, you can see and sign out all devices from your Steam account on this page (at the bottom):
https://store.steampowered.com/account/authorizeddevices

1 month ago

Granted, but suddenly also being asked for a 5 digit login code to log in to my Steam again (which always starts automatically on boot) made me change the password just in case, because it all happens overnight when I am sleeping.

1 month ago

I think I figured it out. You are a sleepwalker.

1 month ago

For 5 months (and waiting another 3 months just to have a chat with a doctor) my body decides to wake me up to pee up to 3 times a night (even when it's just a spoonful). I wish I could sleep...

1 month ago

Thanks for letting us know about this

1 month ago

Yeah, I'm calling bullshit on this one.

1 month ago

on reddit

satoru1111 MOD • 5m ago

To clarify why changing your passwords is basically pointless

1 Steam does not use Twilio for its MFA implementation. Twilio doesn't store the keys for the MFA implementation.

2 Twilio doesn't store passwords, meaning even if you assume Twilio was breached, it has no passwords to leak.

3 Twilio only has a centralized MFA app similar to Google Authenticator. Again this does NOT STORE PASSWORDS

4 If Twilio was compromised, the only possible vector would be an SMS hijacking attack, and that's IF Steam uses Twilio as its SMS intermediary

5 If we assume #4 then, which is a stretch, CHANGING YOUR PASSWORD IS POINTLESS. It's attacking the SMS network. You can change your password every other minute. The attacker can simply generate an SMS code and take over your account that way. Your password is pointless in this scenario

6 If you are 'paranoid' and want to do something 'actually useful' remove your phone number from your account, which still again makes a LOT of assumptions above everything

1 month ago

Happy Cakeday!

1 month ago

Thank You!

1 month ago

These datasets are being sold for over $5,000

Until some research entity actually buys said dataset and confirms what it actually contains, I would take anything being claimed with a grain of salt

1 month ago

I use Steam Guard for my account tho, but I don't know what to say if this information is legit..

1 month ago

Happy cake day!

1 month ago

Thanks!

1 month ago

Just as I was looking at this, I was DMed by a random account claiming to report me accidentally on steam (with screenshot of my profile) and I will be banned, contact the steam discord admin (what...) and you can solve this, watch out!

1 month ago

Wow, somebody posted something on X. What a reliable and totally trustworthy source.

1 month ago

Yes, but on the other hand; sometimes changing your passwords isn't a bad idea. :) Better safe than sorry.

1 month ago

"8bitdefender

4h ago
Why risk the biscuit. Go look at the original Solarwinds, Oracle and Okta responses to a group claiming to compromise them. All of them were deny, deny, deny. Then oh yeah we did leak user information.

Not changing your password now is just dumb with how little effort it takes to do so… and if you don’t have Steam Guard enabled, enable ASAP. Hope for the best, prepare for the worse."

amen

1 month ago

Here is the original post by the person who reported it initially, which is Underdark.ai on LinkedIn. Mellow reported what he saw and warned people, and he's added updates from the 11th until today via his Twitter/X account concerning this, which included info that Valve provided him. Reading all the updates Mellow made will explain things better.

1 month ago*

Likely those 89 million accounts leaked are all the bots that keep begging me to play cs with them and if I can vote for their team.

1 month ago

That I call wishful thinking :)

1 month ago

Turns out it was just 2FA codes that were leaked from some messaging app, which means nothing relevant got leaked other than a 6 digit number that you could randomly generate at any moment and it wouldn't work because they were temporary 15 minute codes.

But it wouldn't hurt to change the password once in a while not just on steam.

1 month ago

I do hope some users changed their password from "password" to "p@ssw0rd" \s

1 month ago

Lol true, those are the easy ones they test for, you gotta imagine it can't be easy to crack a 2FA considering Gaben went live like 20 years ago and gave his e-mail and password and no one has ever taken his account. If they can't be bothered to go for him, even if your password is leaked, likely it won't happen to you.

But then people go and log in with their credentials and give the 2FA code to some site that impersonates Valve's, clearly with a different address or using some tactic like faking the Steam login, but if you're signed in they still ask for the creds, and then they say they got hacked. Like no, you gave your info.

1 month ago

Deleted

This comment was deleted 1 month ago.

1 month ago

so Valve answered about this situation

https://steamcommunity.com/games/593110/announcements/detail/533224478739530146

A note about the security of your Steam account
You may have seen reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems.

We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.

The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.

You do not need to change your passwords or phone numbers as a result of this event. It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious. We recommend regularly checking your Steam account security at any time at

https://store.steampowered.com/account/authorizeddevices

We also recommend setting up the Steam Mobile Authenticator if you haven’t already, as it gives us the best way to send secure messages about your account and your account’s safety.

1 month ago

Steam announcement about the affair
https://store.steampowered.com/news/app/593110/view/533224478739530145
tl;dr Steam wasn't hacked

1 month ago

In a nutshell, was it clickbait to scare people? If so, to report the guy on X 🙌🏻.

1 month ago

"Was it clickbait to scare people?" - No

https://x.com/MellowOnline1/status/1922818352436646377

1 month ago

No, but Steam claims the severity isn't too high. At most your phone number may receive some unwanted spam in the future.

1 month ago

^ This

1 month ago

It sounds more coherent than the alarmist title of this thread and another that I saw on Alienware Arena last night, and probably that I will see in YouTube recommendations in the next days...

1 month ago

I don't like the thought of my phone number being leaked for any reason, but yeah, at least it's not a full-on account breach.

1 month ago

I share your feelings; I dislike my phone number bein' leaked onto the deep web and such. And it is funny, 'cause last month I watched a documentary on DW Documentary about the hackers and how many people in Switzerland were part of an enormous leak of their citizens' personal information... But I prefer this, instead of a full-on account breach.

Thanks for your useful info, mate! I wish you a great weekend 🙋🏻‍♂️!

1 month ago

"Allegedly"
Side effect of Monetization on X. Engagement Farm.
Please kindly do the needful and do not engage, sir / ma'am.

1 month ago

I'm not monetized on X

1 month ago