- Registrado
- 7 de Abr, 2025
Summary
A potentially serious incident is unfolding in the cybersecurity and gaming worlds: a threat actor known as Machine1337 (also known as EnergyWeaponsUser) is claiming to possess a dataset of 89,218,378 SMS messages that include Steam one-time login codes (used for two-factor authentication), along with associated phone numbers. The dataset is currently being offered for sale for $5,000 USD on known underground forums.
Leak Details
According to a sample of around 3,000 messages reviewed by security researchers and journalists, the data contains legitimate-looking Steam Guard 2FA codes, timestamps, and mobile numbers. These messages are formatted in the exact style Steam uses when delivering login codes to users.
This points toward a massive interception or exfiltration of SMS traffic, not necessarily a breach of Steam itself. The messages appear to originate from Twilio, a major cloud communications company that delivers SMS-based 2FA for numerous organisations – including, allegedly, Steam.
Response From Twilio
Twilio has issued a strong denial. According to their statement:
They also clarified that they have not found any signs of unauthorised access or system compromise related to Steam data.
However, this hasn't stopped industry experts from speculating that a supply chain compromise may have occurred. In particular, independent security researcher MellowOnline1, founder of the group SteamSentinels, analysed the leaked data and believes it may stem from a historic compromise of an internal or external 2FA-related component.
Response From Valve
Valve has not yet issued an official statement on the situation. However, several analysts familiar with Steam’s 2FA system believe that even if the messages are authentic, they may be historical or expired, and thus of limited direct threat to user accounts.
That said, the leak still represents a major potential data privacy issue, particularly as it may allow attackers to match phone numbers to Steam accounts, a form of passive recon that could be used in phishing campaigns or SIM swapping attempts.
Source:
A potentially serious incident is unfolding in the cybersecurity and gaming worlds: a threat actor known as Machine1337 (also known as EnergyWeaponsUser) is claiming to possess a dataset of 89,218,378 SMS messages that include Steam one-time login codes (used for two-factor authentication), along with associated phone numbers. The dataset is currently being offered for sale for $5,000 USD on known underground forums.
Leak Details
According to a sample of around 3,000 messages reviewed by security researchers and journalists, the data contains legitimate-looking Steam Guard 2FA codes, timestamps, and mobile numbers. These messages are formatted in the exact style Steam uses when delivering login codes to users.
This points toward a massive interception or exfiltration of SMS traffic, not necessarily a breach of Steam itself. The messages appear to originate from Twilio, a major cloud communications company that delivers SMS-based 2FA for numerous organisations – including, allegedly, Steam.
Response From Twilio
Twilio has issued a strong denial. According to their statement:
“There is no evidence of a breach in our systems. We are aware of the claims and are actively investigating.”
They also clarified that they have not found any signs of unauthorised access or system compromise related to Steam data.
However, this hasn't stopped industry experts from speculating that a supply chain compromise may have occurred. In particular, independent security researcher MellowOnline1, founder of the group SteamSentinels, analysed the leaked data and believes it may stem from a historic compromise of an internal or external 2FA-related component.
Response From Valve
Valve has not yet issued an official statement on the situation. However, several analysts familiar with Steam’s 2FA system believe that even if the messages are authentic, they may be historical or expired, and thus of limited direct threat to user accounts.
That said, the leak still represents a major potential data privacy issue, particularly as it may allow attackers to match phone numbers to Steam accounts, a form of passive recon that could be used in phishing campaigns or SIM swapping attempts.
Source:
Última edición: