Valve has commented on the Steam data breach, in which details of 89 million user accounts were said to have been leaked online. The company said the reported leak did not disrupt Steam systems, but it is investigating the source of the leak. Valve further confirmed that the leaked data does not link users’ phone numbers to Steam accounts, password information, payment information or other personal data. Steam users do not need to change their passwords or phone numbers as a result of the breach, the company said.
Steam account data reportedly leaked
Reports of a major Steam data breach surfaced online earlier this week after a LinkedIn user claimed to have discovered malicious actors offering the data of more than 89 million Steam accounts on a popular dark web forum for $5,000.
According to initial claims, X user @MellowOnline1, who owns the Steam user advocacy group Sentinals of the Store, shared an update on the leak earlier this week, saying the leak may have originated outside of Steam. According to the user, the leaked data includes real-time text message logs used in two-factor authentication (2FA) for Steam accounts, which points the finger at a third-party vendor used by Valve.
Update: An update indicates that the alleged Steam data breach was not a direct breach of Steam itself, but a supply chain compromise – meaning that external services that Steam relies on were targeted.
Here’s what we know from this update:
New evidence confirms some…
— Mellow_Online1 (@MellowOnline1) May 11, 2025
Valve says steam system is safe
In a post on Thursday, Valve acknowledged the leak but confirmed that Steam’s systems were not compromised.
“You may have seen reports of old text messages being previously sent to Steam customers being leaked. We have examined the leaked samples and determined that this was not a breach of Steam systems,” the company said.
“We are still digging into the source of the leak, which is compounded by the fact that any text messages are not encrypted in transit and routed to your phone through multiple providers.”
According to Valve, the leaked content includes older text messages containing a one-time code valid for 15 minutes and the phone number it was sent to.
Valve assures Steam users: “The leaked data does not link phone numbers to Steam accounts, password information, payment information, or other personal data. Old text messages cannot be used to breach the security of your Steam account, and you will receive confirmation via email and/or Steam Security message whenever you use a code to change your Steam email or password via text message.”
Therefore, users do not need to change their Steam password or associated phone number. However, Valve urges Steam users to treat any account security messages they have not explicitly requested as suspicious and to regularly check account security on the platform.
Valve also recommends that users set up Steam Mobile Authenticator to receive messages about their account and its security in a more secure way.
