Steam has not been breached – Valve confirms
No, Steam’s security has not been breached
Following reports of an alleged Steam security leak, Valve has confirmed that none of its systems have been breached. The company had examined a sample of the leaked data and confirmed that it didn’t come from Valve. Furthermore, the leaked data does not associate phone numbers with Steam accounts, password information, or other personal data.
The leak contains old text messages that include one-time codes for Steam logins. These codes become unusable after fifteen minutes. These codes cannot be used to breach the security of Steam accounts.
Valve has stated that Steam users will not need to change their passwords following this event. However, Valve has recommended that users use Steam’s Mobile Authenticator for added security. This allows Valve to send users secure messages and removes the need for Valve to use SMS messages entirely.
A note about the security of your Steam account
The recent leak being reported did NOT breach Steam systemsYou may have seen reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems.
Weâre still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.
The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.
You do not need to change your passwords or phone numbers as a result of this event. It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious. We recommend regularly checking your Steam account security at any time at
https://store.steampowered.com/account/authorizeddevices
We also recommend setting up the Steam Mobile Authenticator if you havenât already, as it gives us the best way to send secure messages about your account and your accountâs safety.
Has Steam been breached? No. So, where did this leak come from? It likely came from an SMS supplier. The good news is that these messages contain no account information, and the codes within these emails became invalid 15 minutes after they were sent. Even with this information, hackers cannot use it to compromise anyone’s Steam account.
You can join the discussion on Valve comments on Steam’s reported security breach on the OC3D Forums.