If you’re like me and have been buying the best PC games on Steam digitally for the past 20 years, you might want to change your password, as a hacker is currently selling millions of account details on the dark web.
A hacker, who goes by the handles Machine1337 and EnergyWeapon user online, recently made a post on a dark web forum in an attempt to sell over 89 million Steam user records. All of this leaked data, including one-time access codes, can be had for the low price of just $5,000.
After examining the leaked files, which there are 3,000 records, BleepingComputer found historic SMS messages with one-time passcodes and phone numbers for accounts on the digital distribution platform. In a post on X, independent games journalist Mellow_Online1 provided further details explaining that it’s likely that Steam itself didn’t suffer a data breach and instead, an external service used by Valve for the platform was targeted.
Here’s everything you need to know about these stolen account details, along with some steps you can take to protect your own Steam account from hackers.
Leaked one-time codes
With over 120 million monthly active users, Steam is the world’s largest digital distribution platform for PC games, and given that it has been selling them for 20 years now, chances are that most PC gamers have a fairly large game library associated with their accounts.
By analyzing the samples of the stolen data, Mellow_Online 1 believes that the one-time access codes come from Twilio and that an admin account may have been compromised or that the service’s API keys are being abused. However, when BleepingComputer reached out to Twilio, a company spokesperson explained that it is investigating the situation, though so far, it has found no evidence that its services were breached.
Another possible explanation for the leak is that these one-time codes could come from a mobile carrier. However, at this time, BleepingComputer has not been able to determine if this is the case or which provider might have been hacked.
This leak, and all of this Steam account data being sold on the dark web, is concerning. Especially given that some of the data is relatively new, with leaked one-time passcodes dating back to March of this year.
How to keep your Steam account safe from hackers
If you’re worried about your Steam account being hacked and losing access to the games you’ve purchased on the platform, the first and most important thing you should do is to enable Steam Guard.
For those unfamiliar with this security feature, it works just like two-factor authentication (2FA) on other sites to help prevent unauthorized access to your account. Setting it up is relatively easy, too and once that’s done, it acts as an extra layer of security for your Steam account.
To set up Steam Guard, you first need to verify your email address by going to Settings and then Verify Email Address. Following the prompts within Steam will lead to a confirmation email being sent to your inbox. Once you’ve verified your email, you will need to restart Steam twice, after which time, Steam Guard will automatically enable itself.
If it doesn’t, though, you can manually enable it by going to Steam, Settings, Account and then clicking on Manage Steam Guard Account Security. Within this menu, you will want to toggle on the option to “Protect my account with Steam Guard” and then click next.
It’s worth noting that if you already have Steam Guard enabled, your account is likely safe. If not, you’re going to want to reset your password. Given how much you’ve likely spent on Steam games over the years, you’re going to want to pick a strong and complex password to protect your account. You can also use one of the best password managers to do this for you if you have trouble coming up with passwords on your own.
To keep your gaming PC and other accounts safe from hackers, you should also consider using one of the best antivirus software suites if you aren’t doing so already.
As a big Steam user, I’ll keep a close eye on this story and update this piece if there’s any news regarding these account details being sold on the dark web.
More from Tom's Guide
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
