## Steam Security Scare: Valve Responds, Calming Widespread Fears The PC gaming world experienced a collective jolt when reports surfaced of a massive Steam security breach, allegedly compromising a staggering 89 million user records . News of such a significant data leak from the dominant gaming platform sent ripples of alarm through its vast user base. However, Valve, the company behind Steam, quickly stepped in to address the concerns, delivering a message that, for many, was a significant sigh of relief: the situation wasn't as dire as it initially sounded . ### The Initial Alarm: 89 Million Records Allegedly Exposed The panic began over a weekend when cybersecurity firm Underdark published a LinkedIn post. The post claimed that a massive trove of over 89 million Steam user records was being offered for sale on a dark web forum . The asking price for this data was reportedly $5,000 . This news, picked up by various outlets and social media users, understandably caused considerable concern among Steam users, who entrust the platform with personal information and payment details . The sheer scale of the reported breach suggested a catastrophic failure in Steam's security. ### Valve's Clarification: Not a Steam System Breach In response to the growing unease, Valve issued a statement through the Steam News Hub on a Wednesday, directly addressing the reported breach . The company's core message was unequivocal: "We have examined the leak sample and have determined this was NOT a breach of Steam systems" . Valve stressed that no user accounts on its popular video game distribution platform had actually been compromised as a result of this specific incident . This clarification was crucial. While a breach of any kind is concerning, Valve's statement differentiated between a direct attack on Steam's core infrastructure and a leak from a peripheral source. ### Unpacking the "Breach": Old SMS Logs, Not Account Details So, if Steam itself wasn't hacked, what was the nature of the leaked data? According to Valve's investigation and subsequent announcements, the files circulating were not full account logins, passwords, or sensitive financial information . Instead, the data consisted of old SMS logs . These logs contained: * One-time 2FA (two-factor authentication) codes sent via SMS. * The phone numbers to which these codes were sent . Crucially, Valve highlighted several mitigating factors: 1. **Time-Sensitive Codes:** The 2FA codes found in the leak were only valid for a very short period – typically 15 minutes . Once expired, these old codes could not be used to gain unauthorized access to accounts. 2. **No Direct Link to Accounts:** The leaked data did not associate the phone numbers with specific Steam accounts, nor did it include passwords, payment information, or other personal data . 3. **Confirmation Safeguards:** Valve also reminded users that whenever a 2FA code is used to change a Steam email address or password via SMS, a confirmation email is sent to the account holder, providing an additional layer of security and notification . Valve suggested the data likely originated from "somewhere further down the SMS delivery chain—a third-party vendor that handled message delivery" . This indicates the vulnerability lay with an external service provider rather than Steam's own authentication systems. Valve stated it is "continuing to investigate the source of the leak," acknowledging the complexity due to "the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone" . ### A Separate Glitch: The Account Information Display Bug It's worth noting that around the same time, a separate and seemingly unrelated issue caused some confusion and concern. A bug was reported where Steam users attempting to access their own account information were instead shown details belonging to other users . This exposed information reportedly included buying history, Wallet information, and in some cases, full names, phone numbers, and addresses . While Shacknews reported a sense of "cautious optimism" that this particular issue was resolved relatively quickly, Valve's response to this specific bug was criticized by some. Shacknews noted, "No apology and no comment on the fact that people saw full names, phone numbers, and addresses for other users. Still better than the usual silence from Valve" . This incident, though different from the SMS log leak, added to the general anxiety surrounding Steam's security at the time. ### Community Reaction: A Mix of Relief and Lingering Criticism The news that 89 million Steam accounts had _not_ been hacked was met with significant relief by the PC gaming community . Many users had feared the worst, and Valve's clarification helped to dispel those immediate concerns. However, the incidents also brought familiar criticisms of Valve's communication practices to the forefront. Comments on platforms like Shacknews and SteamGifts reflected a range of reactions. Some users expressed frustration with what they perceived as delayed or insufficient communication from Valve, with one user describing the company's typical silence as "even scarier" than the bug itself . Another comment described the chain of events as "weird," highlighting the initial claim of a hack, then a correction about an external 2FA service, and finally Valve stating they didn't use that specific service, suggesting the leaked data might be "completely unrelated" in the way initially feared . Despite the good news regarding the main "breach," the episode served as a reminder of the complexities of online security and the importance of clear, timely communication from service providers. ### Staying Secure on Steam While this particular scare turned out to be less severe than initially portrayed, Valve advised users that it's always a good practice to review their Steam security setup . This includes ensuring strong, unique passwords and utilizing Steam Guard, Valve's own two-factor authentication system, preferably through the mobile app rather than SMS if users have concerns about SMS security. Ultimately, the "89 million Steam accounts hacked" headline was a misrepresentation of the actual event. While a data leak involving SMS logs did occur through a third-party vendor, Valve's core systems remained secure, and user accounts were not directly compromised by this incident . The situation underscores the importance of verifying information and awaiting official statements before jumping to conclusions, especially in the fast-paced world of online security news.
