A hacker nicknamed Machine1337 put up for sale a data array that allegedly contained 89 million Steam user records. The dump contained SMS messages with one-time codes for Steam, as well as the phone numbers of their recipients. Researchers suggest that this may be related to the compromise of Twilio.
Machine1337 (aka EnergyWeaponsUser) is selling the dump for $5,000, but has made 3,000 records publicly available as sample data.
Independent gaming journalist MellowOnline1, who is also the creator of the SteamSentinels group that tracks abuse and fraud in the Steam ecosystem, suggests that the leak is not related to a compromise of Steam itself, and is rather the result of a supply chain attack that affected Twilio.
MellowOnline1 notes that the dump contains technical evidence that appears to be a leak of SMS logs from Twilio's internal systems. He says this could be a compromise of an administrator account or abuse of API keys.
Twilio is a cloud PaaS provider and provides a two-factor authentication (2FA) product, Verify API . It can be used to send SMS messages, instant messages, emails, push notifications, voice calls, and TOTP (Time-based One-Time Password), which is widely used in many applications (including Steam) to authenticate users.
As reported by journalists from Bleeping Computer , who examined a free sample of the data published by Machine1337, some of the SMS messages are clearly codes for confirming access to a Steam account or linking a phone number to it. However, some of the data is relatively recent: many of them are dated early March.
However, the journalists were unable to determine whether this leak was specifically related to Twilio. According to them, the compromise could also have occurred, for example, on the side of the SMS provider, which is an intermediary in the transfer of codes between Twilio and Steam users.
Twilio representatives told the publication that they had already investigated the possible incident and found no signs of compromise.
"There is no evidence that Twilio's systems were compromised. We analyzed a sample of the data published online and found no indication that the data could have been obtained from Twilio's systems," the company said.
As a precaution, Steam users are advised to use Steam Guard Mobile Authenticator for additional protection. They should also monitor their account activity to detect suspicious activity.
UPD.
MellowOnline1 reported that today (May 14, 2025) he was contacted by Valve representatives and was told that the company does not use Twilio services at all.
The researcher explains that the new information does not indicate that Twilio is the source of the leak. However, Steam users are still advised totake precautions as the data is still for sale. UPD. 2 Valve representatives have relea
take precautions as the data is still for sale.
UPD. 2
Valve representatives have relea
sed an official statement.
The company emphasizes that this leak is not related to hacking of Steam or Valve systems.