Major Steam 2FA Leak Alleged - Twilio Denies Breach Involving Millions of Users


Nothing Is Written

:(){:|:&};:
kiwifarms.net
Registered
Apr 7, 2025
Summary
A potentially serious incident is unfolding in the cybersecurity and gaming worlds: a threat actor known as Machine1337 (also known as EnergyWeaponsUser) is claiming to possess a dataset of 89,218,378 SMS messages that include Steam one-time login codes (used for two-factor authentication), along with associated phone numbers. The dataset is currently being offered for sale for $5,000 USD on known underground forums.

Leak Details
According to a sample of around 3,000 messages reviewed by security researchers and journalists, the data contains legitimate-looking Steam Guard 2FA codes, timestamps, and mobile numbers. These messages are formatted in the exact style Steam uses when delivering login codes to users.

This points toward a massive interception or exfiltration of SMS traffic, not necessarily a breach of Steam itself. The messages appear to originate from Twilio, a major cloud communications company that delivers SMS-based 2FA for numerous organisations – including, allegedly, Steam.

Response From Twilio
Twilio has issued a strong denial. According to their statement:

“There is no evidence of a breach in our systems. We are aware of the claims and are actively investigating.”

They also clarified that they have not found any signs of unauthorised access or system compromise related to Steam data.

However, this hasn't stopped industry experts from speculating that a supply chain compromise may have occurred. In particular, independent security researcher MellowOnline1, founder of the group SteamSentinels, analysed the leaked data and believes it may stem from a historic compromise of an internal or external 2FA-related component.

Response From Valve
Valve has not yet issued an official statement on the situation. However, several analysts familiar with Steam’s 2FA system believe that even if the messages are authentic, they may be historical or expired, and thus of limited direct threat to user accounts.

That said, the leak still represents a major potential data privacy issue, particularly as it may allow attackers to match phone numbers to Steam accounts, a form of passive recon that could be used in phishing campaigns or SIM swapping attempts.

Source:
 
Last edited:
Old 2FA codes are useless, there's no real value in them. If they were getting the codes in real time, that could be exploited, but the code and phone number are pointless unless they also come with an account ID. Me knowing that 555-420-6969 is the phone number of a Steam user is not getting me any closer to getting into their account. If I knew that phone number belonged to xXx_SonGoku420_xXx, then I would actually have a workable piece of the puzzle, but the phone number on its own is nothing.
 
Valve has responded. Key excerpt:
The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data.
You won't be able to identify a user account with a phone number or vice versa with this leak, which was the greatest concern as Steam accounts are immutable, only that at some point an account with that number connected existed. That's also why it wasn't being sold for significantly more. Either way, Twilio denies it but they're still a cancerous company that has been breached and had their shit leaked over and over in the past (and loves incentivizing fraud), so I wouldn't trust whatever they say, and was the obvious first suspect because of their incompetency. And another good example how SMS 2FA is fake, gay, and a great way for your data to be sold and/or leaked all over the place online.
 
Last edited:
Corporate America never takes security seriously. The mindset is this. We will do something after a problem occurs. This kind of thinking can be seen all over corporate America. Security costs money. Doing nothing until a problem arises is cheap.
 
Seems to be a load of bullshit. If it were legit, the supposed hacker would be wanting WAY MORE than $5,000.

But if it gets lazy people (like me) to remember to change their passwords, I guess...net positive?
It could be a little kid who has no idea how much this kind of information is worth. Remember, the underage shitskin that hacked R* and leaked GTA 6 gameplay footage didn't even know what GTA was or how big the franchise is, let alone how anticipated the game was.
 
Steam Guard 2FA codes, timestamps, and mobile numbers.

Why is this important?
It can be fed into already existing databases to build profiles of potential targets by threat actors. It's not the leak itself, it's the leak acting as a vertex in triangulation to inform accurate attack vectors.

may stem from a historic compromise of an internal or external 2FA-related component

"It's just SMS" - @robobobo
No. As stated by security researchers, it can indicate MitM attack vectors because of external handling of the 2FA process.

If they were getting the codes in real time, that could be exploited, but the code and phone number are pointless unless they also come with an account ID. Me knowing that 555-420-6969 is the phone number of a Steam user is not getting me any closer to getting into their account.

See above.

And another good example how SMS 2FA is fake, gay, and a great way for your data to be sold and/or leaked all over the place online.

That's the rub. It's more information for dormant databases that are being built.

You won't be able to identify a user account with a phone number or vice versa with this leak

True, but it depends on what else is being monitored (e-mail, etc). In any case, do you want your SMS messages with timestamps leaked regardless?
 
It's not the leak itself, it's the leak acting as a vertex in triangulation to inform accurate attack vectors.
Indeed, it's not very difficult to put together all leaks and slowly add data to them, matching PII as leaks and breaches are made publicly available; all you need is one match to link them and form an extensive graph. That's what all those """osint""" services online do, too. Phone numbers are very sensitive due to how close they are to a person, how nearly every service online asks for one, and that most people have only one and don't bother doing anything about it (because it's inconvenient, costs money and the average person has other, far more important things to worry about); Google Voice was great for this stuff, you could forward messages from your VoIP number to your own, but they stopped that years ago and the service always feels on the brink of closure in their classic fashion anyway. Mozilla has added a phone masking feature in their Relay service, but it's select users only for now and still a considerable expense for a very abstract threat.

Steam has an excellent security track record. But you need to give up your number, not only for purchases, but also to enable the proprietary Steam Guard authentication program (in my experience at least), otherwise no 2FA and limited service functionality. You can extract the security key after the fact and use it in something else that supports it so long as they allow it, and the excuse is that it serves as much more than just login but also market transactions and all that, but it's still less than ideal. It helps that phone numbers are almost always used as a layer in protection against fraud and are somewhat effective against the most unprepared, along with blacklisting VoIP providers.
True, but it depends on what else is being monitored (e-mail, etc). In any case, do you want your SMS messages with timestamps leaked regardless?
It would always be preferable not to have any bits of information released, we cannot know what else may be leaked in the future that could be used to match against that, but just a phone number, a timestamp, and other info you can extrapolate from that (an account with that number linked existed at that point, somebody with credentials logged in at that time) is not a big deal for the vast majority of people. It's an interesting subject anyway, basically death by a thousand cuts.
 