Still, if you use 2FA your steam account should be safe. But if you use the same password and email on other accounts, those might need a change of password, yeah...
Also, a good time to drop this here https://haveibeenpwned.com/
1) It takes time to properly update the website
2) The breach is still alleged
3) Maybe you weren't involved
Check back in a week to be sure. No results for me either yet.
As per reddit, the archive is currently highly dubious. Supposedly it contains SMS support records which MAY contain temporary passwords used in reset as well as IPs, phone numbers, and usernames. It is unlikely to contain any actual login information. Supposedly it is only going for about $5000 for 90 million records, which is extremely low for breach archives. However it does come from a reputable source known to the infosec community. Chances are it is known to be at best a low density of useful data, and probably doesn't warrant defensive effort on users' parts. Still never hurts to change passwords whenever you hear about anything.
The article says
Fingers then pointed at Twilio, stating that it handled Steam's 2FA systems and that the leak occurred from within its systems, but Valve then got in touch with MellowOnline1 and claimed that it had never used Twilio.
Which makes sense to me, because Steam sends the code via email or to their own app, none of them using SMS, I think.
Also, even if Steam account details are leaked, I honestly doubt that Valve stores passwords as plain text. Passwords are probably hashed with proper salting.
Obviously activate Steam Guard if you don't have it active, and changing password is not a bad idea, but for now this alleged leak looks highly suspect. 5000$ for tens of millions of steam accounts is pennies, no reputable outlets (or Valve for that matter) seem to have verified authenticity of the data (for now) and MellowOnline1 fella is just some rando.
Edit: Also, IMPORTANT - as always with this type of incident, be VERY CAREFUL of phishing mails and other social engineering techniques. Regardless of whether the leak is real or not, other bad actors may use confusion and panic to trick you into obtaining your data. I would be especially wary of any mails from Valve claiming your account has been breached and providing you with a link to recover it.
and MellowOnline1 fella is just some rando
Mellow has been looking out for the little guy (us users) for over 8 years. They are a Pillar of the Steam Community and consumer protection.
Keeping up to date with gaming news, investigating and reporting Steam issues like games that contain malware, scam/ripoff games (games that are copy and paste for example), games that buy reviews to cheat the system, banned developers that assume an alter ego to bypass the ban and other shady developer stuff.
Mellow even has the contact details of several Steam staff ... that kind of info isn't given to "rando" people.
Also it's a post on X from a rando, telling us about a post from a rando on Linkedin, who has it from another rando that he saw a rando on "a reputable blackmarket forum" make a scam offer of 5000 bucks for steam accounts.
whether the leak is real or not, other bad actors may use confusion and panic to trick you into obtaining your data. I would be especially wary of any mails from Valve claiming your account has been breached and providing you with a link to recover it.
Yeah sounds like the goal here.
The worst that could happen, if it turns out that the leak is true and that your personal information was part of it is:
As long as you keep using Steam Guard properly, no one else should be able to log into your account.
this chain of events is weird, first the guy claims steam was hacked, then corrects himself saying it wasn't steam but their external 2fa auth service and then he says Valve approached him and said they don't use said service... so it's actually completely unrelated?
But I can't remember having done something to have logged in around that day, but that was Sunday, and I can still log in and never had such an email anymore, so hopefully it's good, yeah.
Email authentication; I can't really be bothered having to use my mobile each time, I hate using mobiles in general too. Maybe I am old.
As others have said, the IP location information is just not that accurate.
Out of an overabundance of caution, you can see and sign out all devices from your Steam account on this page (at the bottom):
https://store.steampowered.com/account/authorizeddevices
on reddit
satoru1111 MOD • 5m ago
To clarify why changing your passwords is basically pointless
1 Steam does not use Twilio for its MFA implementation. Twilio doesn't store the keys for the MFA implementation.
2 Twilio doesn't store passwords, meaning even if you assume Twilio was breached, it has no passwords to leak.
3 Twilio only has a centralized MFA app similar to Google Authenticator. Again this does NOT STORE PASSWORDS
4 If Twilio was compromised, the only possible vector would be an SMS hijacking attack, and that's IF Steam uses Twilio as its SMS intermediary
5 If we assume #4 then, which is a stretch, CHANGING YOUR PASSWORD IS POINTLESS. It's attacking the SMS network. You can change your password every other minute. The attacker can simply generate an SMS code and take over your account that way. Your password is pointless in this scenario
6 If you are 'paranoid' and want to do something 'actually useful' remove your phone number from your account, which still again makes a LOT of assumptions above everything
Wow, somebody posted something on X. What a reliable and totally trustworthy source.
"8bitdefender • 4h ago
Why risk the biscuit. Go look at the original Solarwinds, Oracle and Okta responses to a group claiming to compromise them. All of them were deny, deny, deny. Then oh yeah we did leak user information.
Not changing your password now is just dumb with how little effort it takes to do so… and if you don’t have Steam Guard enabled, enable ASAP. Hope for the best, prepare for the worse."
amen
Here is the original post by the person who reported it initially, which is Underdark.ai on linkedin. Mellow reported what he saw and warned people and he's added updates from the 11th until today via his Twitter/X account concerning this which included info that Valve provided him. Reading all the updates Mellow made will explain things better.
Turns out it was just 2FA codes that were leaked from some messaging app, which means nothing relevant got leaked other than a 6 digit number that you could randomly generate at any moment and it wouldn't work because they were temporary 15 minute codes.
But it wouldn't hurt to change the password once in a while not just on steam.
Lol true, those are the easy ones they test for, you gotta imagine it can't be easy to crack a 2FA considering Gaben went live like 20 years ago and gave his e-mail and password and no one has ever taken his account. If they can't be bothered to go for him, even if your password is leaked, likely it won't happen to you.
But then people go and log in with their credentials and give the 2FA code to some site that impersonates Valve's, clearly with a different address or using some tactic like faking the Steam login, but if you're signed in they still ask for the creds, and then they say they got hacked. Like no, you gave your info.
so Valve answered about this situation
https://steamcommunity.com/games/593110/announcements/detail/533224478739530146
A note about the security of your Steam account
You may have seen reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems.
We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.
The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.
You do not need to change your passwords or phone numbers as a result of this event. It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious. We recommend regularly checking your Steam account security at any time at
https://store.steampowered.com/account/authorizeddevices
We also recommend setting up the Steam Mobile Authenticator if you haven’t already, as it gives us the best way to send secure messages about your account and your account’s safety.
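The property the announcement above relies on (a code that is short-lived, single-use and tied to one pending request is worthless once it shows up in an old SMS log), sketched as an added example that is not Valve's code and not part of the original thread. The class, function and account names are hypothetical, the attempt limit is an assumption, and the 15-minute window is the only value taken from the announcement.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 15 * 60  # validity window quoted in the announcement
MAX_ATTEMPTS = 5            # assumed limit so six digits cannot be brute-forced


class OneTimeCodeStore:
    """Hypothetical server-side store for SMS one-time codes."""

    def __init__(self):
        self._pending = {}  # account_id -> salt, digest, expiry, attempt count

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, account_id, now):
        """Create a fresh 6-digit code; an earlier pending code is replaced."""
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._pending[account_id] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires_at": now + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # goes to the SMS gateway; only the digest is kept

    def verify(self, account_id, code, now):
        """Accept only a pending, unexpired, unused code for this account."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        if now >= entry["expires_at"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account_id]  # expired or locked out
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["digest"],
                                 self._digest(entry["salt"], code))
        if ok:
            del self._pending[account_id]  # single use
        return ok


def replay_leaked_code(age_seconds):
    """Constructed scenario: a code read from an SMS log is replayed later."""
    store = OneTimeCodeStore()
    issued_at = 1_000_000  # constructed timestamp
    code = store.issue("account-A", issued_at)
    return store.verify("account-A", code, issued_at + age_seconds)
```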
Steam announcement about the affair
https://store.steampowered.com/news/app/593110/view/533224478739530145
tl;dr Steam wasn't hacked
I share your feelings; I dislike my phone number bein' leaked onto the deep web and such. And it is funny, 'cause last month I watched a documentary on DW Documentary about the hackers and how many people in Switzerland were part of an enormous leak of their citizens' personal information. But I prefer this, instead of a full-on account breach.
Thanks for your useful info, mate! I wish you a great weekend 🙋🏻♂️!
https://www.xda-developers.com/89-million-steam-account-details-leak/
https://x.com/MellowOnline1/status/1921672313608823002