
Steam Users Alert: 89 Million Accounts Allegedly Leaked—Is Your 2FA at Risk?

Updated On: 46 minutes ago by Selva Ganesh

In an unfolding cybersecurity controversy, Twilio has officially denied any breach of its systems after a hacker claimed to be selling a massive dataset involving over 89 million Steam users, including one-time passcodes sent via SMS. The claim has sent ripples through the gaming and cybersecurity communities, raising questions about data privacy, SMS authentication security, and possible supply-chain vulnerabilities. In this article, we examine what happened, what is being claimed, who is involved, and what users need to know to stay safe.

What Is Twilio and Why Is It in the Spotlight?

Twilio is a cloud communications platform that provides APIs to developers for sending SMS, voice calls, and emails, and for implementing two-factor authentication (2FA). Many large tech companies, including Valve’s Steam platform, rely on Twilio’s services to deliver secure login verification codes and user alerts.

Because it handles sensitive communications, Twilio is often a critical part of the authentication process, but also a high-value target for attackers looking to intercept verification credentials.

The Alleged Data Leak: What Did the Hacker Claim?

A threat actor using the pseudonym Machine1337, also known as EnergyWeaponsUser, recently claimed to possess over 89 million Steam user records, which allegedly include SMS-delivered one-time access codes.

The dataset was advertised on a hacking forum, with the attacker offering to sell it for $5,000. To validate the claim, a sample of 3,000 records was leaked. Upon inspection by BleepingComputer, the sample contained historic SMS messages with Steam codes and recipient phone numbers.

This raised immediate concerns about the potential compromise of a messaging provider or intermediary system.

Twilio’s Firm Denial: “Our Systems Were Not Breached”

In response to inquiries by BleepingComputer, Twilio issued an explicit denial of any breach in its infrastructure. A Twilio spokesperson stated:

“Twilio takes these threats very seriously and is reviewing the alleged incident. We will provide more information as it becomes available.”

Later, Twilio followed up with a definitive statement that there was no breach of their systems, emphasising the integrity and security of their backend services.

Despite this, the source of the data remains unclear, and speculation continues regarding whether an intermediary service provider might be involved.

What’s at Stake for Steam and Its Users?

Steam, operated by Valve Corporation, is the world’s largest digital distribution platform for PC gaming, boasting over 120 million monthly active users. With such a large user base, even the suggestion of a data leak—especially involving authentication codes—raises alarm bells across the gaming world.

The leaked messages appear to include confirmation codes used for:

  • Logging into Steam accounts,
  • Associating phone numbers with Steam profiles,
  • Approving transactions and other secure actions.

If authentic, this type of data could be used in targeted attacks, account takeovers, or phishing schemes.

Independent Investigations Suggest a Supply Chain Compromise

MellowOnline1, an independent games journalist and founder of the SteamSentinels fraud-monitoring group, weighed in with a theory:

The incident may stem from a supply-chain compromise, potentially involving an abused admin account or compromised API key within Twilio or one of its downstream providers.

They noted that the technical structure of the leaked data resembles real-time logs from Twilio’s backend systems, though Twilio has not confirmed this.

This kind of attack, where a system isn’t directly breached but is affected by a compromised partner or vendor, highlights a growing concern in cybersecurity known as supply-chain risk.

Could an SMS Intermediary Be the Weak Link?

Another possibility is that the breach did not originate from Twilio or Valve but rather from a third-party SMS aggregator or telecom provider that acts as a middleman.

These intermediaries facilitate the routing of messages between Twilio and end users and often store logs of sent messages, at least temporarily.

If such a provider was hacked—or if an insider leaked logs—it could explain how someone obtained real-time SMS records without directly breaching Twilio or Steam.

This theory gains traction due to the freshness of some leaked messages, many dated from March, indicating this is not just old data resurfacing.

How Do One-Time Passcodes Get Exposed?

Let’s break down how this kind of sensitive data might end up in the wrong hands:

  1. Compromised Admin Account: An internal user at a provider like Twilio or an SMS intermediary misuses or leaks data.
  2. Leaked API Keys: Hackers gain unauthorised access to logs via abused API credentials.
  3. Insecure Storage: Logs or message histories are stored insecurely and accessed by unauthorised actors.
  4. Third-Party Aggregator Breach: An intermediary between Twilio and telecom networks experiences a breach.
  5. Phishing or Social Engineering: Employees are tricked into providing access.

Any of these could provide a hacker with thousands, or even millions, of messages, especially if logs weren’t properly secured or encrypted.

Is SMS-Based 2FA Still Safe?

This incident reignites a longstanding debate in the security world: Is SMS-based 2FA still safe?

SMS remains one of the most widely used forms of two-factor authentication thanks to its simplicity and accessibility. However, it’s also one of the most vulnerable, susceptible to:

  • SIM swapping attacks
  • Message interception
  • Provider breaches
  • Social engineering

Security experts frequently recommend using app-based 2FA solutions like:

  • Steam Guard Mobile Authenticator
  • Google Authenticator
  • Authy
  • YubiKey or other hardware tokens

These methods don’t rely on telecom networks and are much harder to intercept or fake.

Valve’s Silence: No Official Response (Yet)

So far, Valve Corporation has not responded to multiple requests for comment from BleepingComputer or independent journalists. This silence has only fueled further speculation and concern among users and experts.

While Valve’s infrastructure may not have been directly compromised, its reliance on external services for authentication means users deserve clarity and reassurance.

What Should Steam Users Do Now?

Regardless of the origin of the leak, Steam users should take immediate steps to protect their accounts:

  • Enable Steam Guard Mobile Authenticator via the Steam mobile app.
  • Change your account password if you notice any suspicious activity.
  • Revoke active sessions on unrecognised devices.
  • Be wary of phishing messages or emails posing as Valve support.
  • Use a secure email provider with 2FA enabled for your Steam-linked address.

Remember: The sooner you act, the less vulnerable your account will be to ongoing or future threats.

How Companies Can Strengthen 2FA Security

This incident also serves as a wake-up call for companies relying on SMS 2FA. To prevent similar controversies, tech providers should:

  • Audit all third-party integrations and logs regularly.
  • Rotate and protect API keys using encryption and vaulting tools.
  • Limit internal access to sensitive logs or message data.
  • Encourage or require users to use stronger 2FA methods.
  • Use anomaly detection to monitor abuse of APIs or sudden spikes in SMS traffic.

Zero-trust security frameworks can also ensure that even trusted systems are constantly verified before access is granted.
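One way to act on the log-audit and access-limiting items above, as an added example that is not from the original article: scrub one-time codes and recipient numbers from SMS delivery records before they are stored, and audit existing logs for records that were never scrubbed. The record layout, key, message texts and phone numbers are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumption: in production this key comes from a secrets manager and is
# rotated; this is a constructed demo value.
PSEUDONYM_KEY = b"constructed-demo-key"

# Standalone 4-8 digit runs (OTP-shaped). Deliberately broad: it also masks
# other short numbers in the body, which is acceptable for OTP templates.
CODE_RE = re.compile(r"\b\d{4,8}\b")
PHONE_RE = re.compile(r"\+\d{8,15}")  # E.164-style numbers

def pseudonymize_phone(number: str) -> str:
    """Keyed hash: records stay correlatable per recipient, but the raw
    number cannot be recovered from the log without the key."""
    digest = hmac.new(PSEUDONYM_KEY, number.encode(), hashlib.sha256).hexdigest()
    return "phone:" + digest[:16]

def scrub_record(record: dict) -> dict:
    """Return a copy that is safe to persist: no usable code, no raw number."""
    body = CODE_RE.sub("[REDACTED-CODE]", record["body"])
    body = PHONE_RE.sub(lambda m: pseudonymize_phone(m.group()), body)
    return {**record, "to": pseudonymize_phone(record["to"]), "body": body}

def find_unscrubbed(records: list) -> list:
    """Audit pass: ids of stored records still holding a code or raw number."""
    return [
        r["id"] for r in records
        if PHONE_RE.search(r["to"])
        or PHONE_RE.search(r["body"])
        or CODE_RE.search(r["body"])
    ]

# Constructed sample delivery log (fictional 555-01xx numbers).
SAMPLE_LOG = [
    {"id": "msg-1", "to": "+14155550123", "body": "Your verification code is 48213"},
    {"id": "msg-2", "to": "+14155550188", "body": "Use 903311 to add +14155550123 to your account"},
    {"id": "msg-3", "to": "+14155550123", "body": "Your password was changed"},
]

if __name__ == "__main__":
    for rec in map(scrub_record, SAMPLE_LOG):
        print(rec)
    print("unscrubbed in raw log:", find_unscrubbed(SAMPLE_LOG))
```

A log written this way still supports delivery debugging and per-recipient rate analysis, but a copy of it yields neither codes nor phone numbers.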

Wrap Up: A Mystery Unfolds, Vigilance Required

While Twilio denies any breach, and the origin of the leaked Steam user records remains uncertain, one thing is clear: the cybersecurity landscape is more fragile than ever. With supply-chain attacks and third-party breaches becoming more common, end users and companies must proactively protect sensitive data.

Steam users, in particular, should remain vigilant, adopt multi-layered security, and follow best practices regarding their online accounts. Meanwhile, companies like Valve and Twilio must lead transparently, providing users with the facts they need to stay safe.

Until more details emerge, this incident will likely remain a case study in modern digital security, showcasing the complexities of trust, data handling, and user protection in the interconnected tech ecosystem.
