Good News: 89 Million Steam Accounts Were Not Hacked

Valve just cleared the air. After a viral LinkedIn post claimed that over 89 million Steam accounts were leaked and up for sale on the dark web, panic started spreading.

But Valve says it’s all false.

“We have examined the leak sample and have determined this was NOT a breach of Steam systems.”

That’s straight from Valve’s new statement, published after a wave of alarm fueled by Underdark.ai and picked up by X user Mellow_Online1. The claims sounded serious—sample data, Telegram contact, a $5,000 asking price—but the reality? Not so much.

So What Was Leaked?

The files making the rounds weren’t full of account logins or passwords. They were old SMS logs—specifically, the text messages that contain Steam’s one-time 2FA codes. You know, those six-digit numbers you get when logging in.

Valve says these codes are:

• Only valid for 15 minutes
• Not tied to account credentials, passwords, or payment info
• Contain nothing but a phone number

So even if someone did get access to these texts, they’re basically useless. There’s no way to log into your Steam account without that real-time code and your password, and if a code is ever used to change anything important, Steam also sends a confirmation to your email.

“Old text messages cannot be used to breach the security of your Steam account,” Valve emphasised.

No need to panic. No need to change your password or phone number.

Valve Was Never Breached—and Neither Was Twilio

Earlier theories pointed fingers at Twilio, a company known for handling SMS for two-factor authentication. But both Valve and Twilio confirmed that this leak had nothing to do with either of them.

The data appears to have come from somewhere further down the SMS delivery chain—a third-party vendor that handled message delivery. So this wasn’t a breach of Steam itself or its authentication systems. It was a leak of old delivery logs, probably scraped or scraped second-hand.

Even if your password is safe, it’s still worth reviewing your Steam security setup:

• Enable Steam Guard Mobile Authenticator for better 2FA protection.
• Review your authorized devices to make sure there’s nothing shady.
• Use a password manager (like 1Password or Bitwarden) to generate unique, secure passwords.

Those SMS codes were always meant to be a stopgap. These days, Steam’s mobile-based 2FA is far more secure, and way harder to intercept or spoof.

And seriously—if you’re still typing “dota2rocks” as your password, it’s time to retire that bad boy.

Remember the Early Scam Bots?

This whole mess also brings back memories of Steam’s darker days in the first half of the 2010s—when trade scams were running wild and bots would spam your inbox with shady links like:

“Hey, is this your item? Check stearncommunity(dot)com”

Yeah. They used a sneaky typo—“stearn” instead of “steam”—and fooled thousands. Back then, scam bots abused Steam’s chat and trade system constantly. Users would get fake offers or alerts, click bad links, and lose access to entire inventories filled with CS:GO skins.

Compared to that era, this fake breach feels mild. But it’s still a reminder that scammers haven’t gone anywhere. They’ve just gotten more subtle.

No, 89 million accounts weren’t hacked. No, your Steam library isn’t at risk. But if this caused a little heart rate spike, maybe that’s your cue to double-check your settings and tighten things up.

Steam Guard. Secure passwords. No clicking random Telegram links. You know the drill.

And hey, at least this time, nobody had to watch their entire inventory of Doppler knives vanish into a scammer’s account.