Valve has officially denied claims that Steam suffered a security breach affecting millions of user accounts. In a statement released Wednesday night, the company confirmed that no attack took place and its systems remain secure.
The clarification follows growing speculation online about a possible leak involving nearly 90 million Steam accounts. According to circulating reports, a hacker was allegedly attempting to sell a large user database on the dark web for $5,000. This sparked anxiety across the gaming community, given the scale of the claimed breach.
Valve addressed the concerns directly, stating that it had thoroughly reviewed the data in question and found no evidence of any intrusion into Steam’s infrastructure.
The rumored leak mostly referenced old SMS messages sent to users containing two-factor authentication (2FA) codes. These codes are typically used as an extra layer of protection when signing in or modifying account details. Despite the fears, Valve emphasized that the platform’s security has not been compromised.
Valve comments on the leak
Valve has reviewed the alleged data leak tied to Steam accounts and found no evidence of a security breach within its systems. After analyzing samples of the leaked data, the company concluded that “there was no violation of Steam systems.”
While the platform itself remains secure, Valve is actively investigating where the leaked information came from. The company noted that the nature of SMS communication complicates this process. Since text messages aren’t encrypted and often pass through multiple third-party providers before reaching users, tracing the exact source of the leak is challenging.
“We are still investigating the leak source,” Valve explained in its statement, “which is complicated by the fact that any SMS message is not encrypted in transit and routed through multiple providers until it reaches your phone.”
Although the incident involved older two-factor authentication (2FA) messages sent via SMS, Valve assured users that no passwords or sensitive account data were exposed. The company also said there is no need for users to change their passwords or phone numbers at this time. However, it encouraged everyone to regularly review their account security settings to ensure maximum protection.
What really leaked and the risks involved
Valve, along with cybersecurity site BleepingComputer, has analyzed a sample of roughly 3,000 leaked files that recently surfaced online. Their findings confirm that the data did not include sensitive personal details, account credentials, or payment information.
According to Valve, the leaked SMS messages contained one-time security codes used for two-factor authentication (2FA). These codes were only valid for 15 minutes and are long since expired. More importantly, the messages were not linked to specific Steam accounts or user identities.
Early speculation suggested the leak might have stemmed from a breach at Twilio, a well-known provider of communication APIs. However, both Valve and Twilio have firmly denied any connection. Valve stated that it does not use Twilio’s services, and Twilio has also confirmed it has not experienced any security breach related to this incident.
At this stage, Valve continues to investigate the origin of the leaked messages, particularly given the complexity of tracing unencrypted SMS messages that pass through multiple providers.
Beware of other real threats
While the recent SMS leak tied to Steam may not pose a direct threat to users, more serious dangers still exist on the platform. One of the latest concerns is a piece of advanced malware known as Arcane, which has been flagged by cybersecurity firm Kaspersky.
Arcane is specifically designed to steal login credentials from a wide range of services, including Steam, messaging apps, and VPN platforms. Unlike the expired authentication codes involved in the recent leak, Arcane can extract active passwords and full account details that can be used immediately for unauthorized access.
What makes Arcane especially dangerous is how it spreads. Cybercriminals are distributing it through fake YouTube videos that advertise cheats, hacks, or mods for popular games. Unsuspecting users who download these files end up installing the malware on their systems. Once active, Arcane can quietly harvest sensitive information, which is often sold later on black market forums.
The incident is a reminder that while data leaks are concerning, malware like Arcane poses a much more immediate risk—especially when disguised as game-related content.
How to protect your Steam account
To ensure the safety of your Steam account, Valve recommends some preventive measures:
- Use the Steam Mobile Authenticator instead of SMS codes. This is the safest way to protect your account against unauthorized access
- Check the authorized devices regularly to access your account on the official website.
- Distribute unquited messages about account security. Never click links sent by unknown sources, even if they seem to come from Steam
- Use strong and unique passwords for your account, preferably managed by a password manager
- Keep your email safe with two-factor authentication of two factors, as it is often used to recover accounts
Valve has said it will continue to investigate the origin of the leakage and update users if new relevant information is discovered.
