An alleged data leak involving 89 million Steam accounts has triggered a wave of concern among gamers.

The breach first came to light via cybersecurity firm Underdark, which reported that a dark web vendor going by the alias Machine1337 had listed a database for sale at $5,000.

The listing claimed to include phone numbers, one-time SMS authentication codes, and account metadata — potentially usable in phishing or social engineering attacks.

However, Valve responded swiftly, stating the leaked data comprised obsolete SMS codes sent via an external communications provider and not through its own systems.

“We have examined the leak sample and have determined this was NOT a breach of Steam systems,” Valve said in a public statement.

At the time of reporting, over 30 million users were concurrently online on Steam, underlining the scale of potential impact. While no passwords, payment data or account credentials were accessed, security experts have urged caution.

The root of the leak appears to be an external SMS provider previously used to deliver two-factor authentication codes.

Those codes, now expired, were likely scraped or acquired through third-party vulnerabilities rather than a direct breach of Steam.

Despite Valve’s assurance, cybersecurity researchers warn that even outdated information could be used in targeted phishing campaigns.

They advise all Steam users to:

• Change their passwords to strong, unique ones

• Replace SMS-based 2FA with Steam Mobile Authenticator

• Review login history and account activity for suspicious behaviour

• Stay alert to phishing attempts mimicking Steam Support

Users are also urged to ignore unsolicited SMS one-time passwords and avoid clicking on suspicious links, particularly in emails referencing game offers or security warnings.

While Valve appears to have dodged a direct compromise, the incident highlights ongoing risks tied to third-party security lapses — and the need for users to stay vigilant.