Thursday, May 15, 2025

 
No, Steam wasn’t hacked — but your security habits still matter


A sketchy AI firm tried to pass off a bogus Steam breach, but it unraveled almost immediately. This one was a fake, but the next one might not be. Here’s how to protect yourself from losing control of an account that may be worth thousands of dollars.

A recent claim on LinkedIn alleges that a database containing 89 million Steam account records, including one-time passcodes (OTPs) used for two-factor authentication (2FA), is up for sale. The asking price is $5,000, a low figure for a leak of this scale.

But despite the headline-grabbing figure and some reposts online, the evidence supporting this leak was outright fabricated. Fortunately, Apple users can take advantage of the built-in Passwords app, which now supports two-factor codes across iPhone, iPad, and Mac.

Twilio denies the breach

The claim was first amplified by a small cybersecurity firm, Underdark AI, which posted about it on LinkedIn. According to their write-up, a hacker going by “Machine1337” is offering the data on a dark web forum, supposedly exposing 2FA codes, phone numbers, and timestamps for millions of Steam users.

That would be alarming — if it were real. But Valve, which operates Steam, hasn’t issued any statement confirming a breach. Meanwhile, Twilio, the cloud communications provider speculated to be the source of the SMS logs, has directly denied involvement — and Steam doesn’t use Twilio.

The data itself raises red flags. The sample includes outdated SMS messages with generic formatting and lacks any login tokens, account IDs, or metadata that would normally accompany a legitimate breach.

Several entries are duplicates, and the timestamps show no consistent pattern, suggesting the records were stitched together from older leaks. Security researchers also pointed out that the dataset doesn’t match how Steam delivers two-factor codes.

There also hasn’t been any confirmation of a compromise from official channels or reputable threat intelligence sources.

How to secure online accounts

The saga offers a good reminder of why 2FA matters. Two-factor authentication adds an extra step to logging into your account, typically a time-sensitive code from an app or SMS.

These codes help stop attackers even if they have your password. The best method is to use app-based 2FA.


Apple Passwords supports two-factor authentication codes

Apps like Apple’s built-in Passwords, Steam Guard, Google Authenticator, and Authy generate login codes directly on your device. These avoid the risks that come with SMS delivery.

While SMS-based 2FA is better than nothing, it’s more vulnerable to phishing attacks and SIM-swapping.

There’s no need to panic over this so-called Steam leak. Just take it as a cue to secure your accounts with app-based two-factor authentication.



This story originally appeared on Appleinsider
