Valve Confirms: No Steam User Data Breach

Valve has officially refuted recent reports claiming that its Steam platform experienced a "major" data breach, confirming there was "NOT a breach" of any Steam systems.

Despite growing concern among users over claims that more than 89 million user records were exposed, Valve's internal investigation concluded that the incident involved a leak of "older text messages" containing one-time verification codes. Importantly, these SMS messages did not include any personal or sensitive account information.

In a statement published directly on Steam, Valve clarified: "After analyzing the leaked data sample, we have determined that no customer data has been compromised. The leak consisted of outdated text messages that included one-time codes valid only for 15-minute intervals, along with the phone numbers they were sent to. Notably, the leaked data did not link those phone numbers to any Steam account, nor did it include passwords, payment details, or other personal information."

The company emphasized that these expired messages pose no threat to account security. "Old text messages cannot be used to breach your Steam account. Additionally, any attempt to change your Steam email or password using SMS verification will trigger a confirmation sent to your email and/or through Steam’s secure messaging system," Valve stated.

While no breach occurred, Valve used the incident as a reminder for users to enhance their account security by enabling the Steam Mobile Authenticator. The company noted that this remains "the best way to receive secure notifications about your account and its safety."

Given the increasing frequency of data breaches across the tech and gaming industries—and with over 89 million Steam users worldwide—it's understandable that users were concerned. One of the most notable breaches in gaming history occurred in 2011, when the PlayStation 3 and PlayStation Portable networks were taken offline for nearly a month, resulting in the compromise of 77 million accounts.

Data security risks extend beyond user accounts. In October of last year, Pokémon developer Game Freak confirmed a major cyberattack that exposed internal data, including information about current and former employees and details about its development pipeline. A year earlier, in 2023, Sony disclosed two separate breaches that compromised data belonging to nearly 7,000 current and former employees. Then, in December 2023, hackers infiltrated Insomniac Games, the studio behind Marvel’s Spider-Man series, gaining access to confidential company information.