UPDATE: 2025-08-24 13:56 EST BY BEN STEGNER
This article originally claimed that Twilio had been breached and was the source of this issue. The company has since clarified that it has not been breached; the actual source of the attack has not been discovered at this time. The text has been updated accordingly.
If you think your Steam account is safe, think again—there’s word of a massive data breach affecting Steam on the dark web. I’m off to reset my Steam password and enable Steam Guard, just to be sure.
Your Steam Records Might Be for Sale on the Dark Web
A hacker dubbed Machine1337 claims to be selling 89 million Steam records on a dark web forum for a mere $5,000. The data initially appeared to originate from Twilio, a third-party service that Steam uses to send two-factor authentication (2FA) codes via SMS. However, this was later discovered to be incorrect.
Independent video game journalistMellow_Online1spotted the hackers' post andlater claimednew evidence confirms that at least some of the data is real. The hacker has also provided a sample of the leaked data, including the following information:
Twilio’s parent company, SendGrid, was the target of a data breach in April 2025. Twilio’s 2FA app, Authy, was also breached in July 2024, leaking over 33 million phone numbers. As the company confirmed it hasn’t been breached again, there’s a chance the dataset for sale might be repackaged old data from a previous breach.
Since the original publication, we have received the following statement from Twilio:
There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio.
Mellow_Online1’s assessment of the breach discovered real-time SMS logs that were linked to Twilio as Valve used its services to send 2FA codes. However,Valve has clarifiedthat they don’t use Twilio. There’s no clear source of the breach apparent at the moment.
Steam’s servers and databases appear to be unharmed.
Is Your Steam Account at Risk?
Hackers can use the compromised data to send some very convincing phishing messages, and if they can intercept or gain access to your 2FA codes, they can bypass login protection measures entirely. Thankfully, protecting yourself isn’t very difficult.
Start by changing your Steam password. If you were reusing the password on any other platform, now’s the time to update those passwords as well. Next, install the Steam app on your phone and enable Steam Guard for two-factor authentication.
I Was Phished on Steam: How to Prevent It, and How to Respond
I was gaming with a friend right before his account was phished, and “he” asked me to vote for a CS:GO team. Unfortunately, I took the bait.
Keep an eye out for suspicious email activity like a game promotion or support message from Steam asking you to take some urgent action at the risk of losing your account. There are plenty ofphishing scams on Steam, and if you’re not careful, you’ll find your account and Steam wallet balance going up in smoke.
The rest falls on Steam to update its internal systems so the breach does as little harm as possible. Steam support can be quite helpful, so if you do lose your account, you can reach out to them for help.
