Company says data consists of old text messages that included expired one-time codes.
Valve has confirmed that its systems were not breached, despite claims that an attacker was attempting to sell user data of over 89 million Steam accounts.
According to media reports, a hacker named ‘Machine1337’ shared what they claimed was “sample data” and a Telegram contact to attract potential buyers.
In response, Valve issued a detailed statement on its blog explaining that the leaked information consisted of old text messages that included one-time codes valid only for 15 minutes and the phone numbers to which they were sent.
Valve clarified that these codes were not linked to any specific Steam accounts and that the leak contained no passwords, payment details, or other personally identifiable information. The company reassured users that these outdated codes cannot be used to compromise accounts, as every email or password change on Steam still requires a fresh code via SMS.
A report by Bleeping Computer, which reviewed approximately 3,000 of the leaked records, noted that some of the messages appeared to be from as recently as March, suggesting the leak may not be entirely outdated. Nonetheless, Valve emphasized there is no need for users to panic or take immediate action such as changing passwords or phone numbers.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
