It has been reported and noticed that the Steam clients are getting texts with one-time login codes, which are said to be a leak of Valve, however, the company has never said that it wasn’t a breach of their system. It was in reaction to reports of a supposed hacker holding 89 million user records to be auctioned off for $5,000, as per BleepingComputer. The site went through 3,000 leaked files, finding ancient SMS messages with one-time passcodes for Steam, plus the phone numbers to which the messages were sent.
Though a certain user on X tried to link the breach to Twilio, a Twilio spokesperson told BleepingComputer that they were, to their knowledge, not breached and, after reviewing samples of the data made available online, found no indication it came from Twilio. Valve clarified to the same user that they did not use Twilio. The explanation given by Valve was that such a leak involved older text messages containing one-time codes that were sent to numbers for only a very brief time, which was 15 minutes. This wasn’t the first time that Steam got compromised. In the month of February 2025 a malware game surfaced on Steam causing a security breach.
Importantly, the leaked information did not associate the phone numbers in any way with Steam accounts, passwords, payment information, or any other personal information. The company went on to confirm that such texts from the past cannot compromise the Steam account’s security. It cannot breach the security even when a code is used via SMS to change a Steam email or password, an email or secure message confirmation is sent out to users.
Though they do advise establishing the Steam Mobile Authenticator, Valve soothed customers that this leak did not call for changing their phone numbers or passwords. The company is still investigating and trying hard to figure out the possible cause of the leak that caused trouble for them as well as for customers.
