A major data breach reportedly impacted Steam, the gaming platform owned by Valve, exposing over 89 million records. A threat actor named Machine1337 allegedly offered these records for $5,000 on a dark web forum. The post included a sample of the data, hosted publicly on Gofile, to prove its legitimacy. The compromised data is believed to involve both platform and internal vendor systems, indicating a deeper breach beyond simple data scraping.
The breach also points to a potential supply chain compromise, suggesting that attackers exploited vulnerabilities within Steam’s vendor systems.
Leaked SMS logs, including two-factor authentication (2FA) data, revealed internal vendor access and additional metadata, such as delivery statuses and routing costs. These logs provide evidence of API or dashboard exploitation, raising concerns about a broader scale of exploitation. The breach might not have targeted Steam directly, but instead, leveraged weaknesses in its supply chain for access.
This breach, if confirmed, poses significant risks for Steam users, who often store not just gaming data but also personal and financial information. Cybercriminals could launch phishing attacks or perform account takeovers, especially targeting high-value accounts with rare virtual assets. Additionally, credential stuffing attacks using reused passwords could compromise even more accounts, amplifying the breach’s impact.
Steam users are urged to take immediate action to protect their accounts from these threats.
Valve and the infosecurity community are investigating the breach, but users should proactively enable two-factor authentication (2FA) and change their passwords. Passwords should be unique and not reused across other accounts to minimize the risk of further exploitation. Steam’s global user base must remain vigilant as investigations continue, and additional details about the breach emerge.
Reference:
