As a reaction to recent rumors of a possible security violation, Valve Corporation has made it clear that Steam’s systems are still intact. The company has credited the rumors circulating with a leak of old SMS messages carrying one-time codes, which had a validity period of 15 minutes. The messages, sent by a third-party service provider, did not contain any explicit links to Steam accounts, passwords, payment information, or other sensitive user data.
Valve assures users that passwords and accompanying phone numbers do not need to be changed. Nevertheless, the company suggests caution against possible phishing attacks since the exposed phone numbers may be attacked by malicious people. Users are advised to be wary of unsolicited account security messages.
You may have seen reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems.
Steam’s Statement
We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.
The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.
You do not need to change your passwords or phone numbers as a result of this event. It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious. We recommend regularly checking your Steam account security at any time at
https://store.steampowered.com/account/authorizeddevices
We also recommend setting up the Steam Mobile Authenticator if you haven’t already, as it gives us the best way to send secure messages about your account and your account’s safety.
In support of account security, Valve has implemented major upgrades to the Steam Mobile App. The new app now includes QR code login features, enabling users to log into their accounts without the need for usernames and passwords. This feature utilizes two-factor authentication (2FA) credentials saved on the user’s phone, offering an easy and secure login process.
In addition, the app has an “Authorized Devices” page, which allows users to track and control devices that are connected to their accounts. The feature supports checking recent activity and revoking access from unknown devices, in turn improving account security.
Valve recommends the use of Steam Guard Mobile Authenticator, which is a 2FA feature that creates time-based codes directly within the Steam Mobile App. This adds a layer of protection, so even if a password is stolen, unauthorized access is not possible. The authenticator is especially important for players actively trading virtual objects, as it protects valuable in-game content from potential theft.