Steam denies data breach claims, scoffs at quality of supposedly leaked data


The video game distribution service’s owners, Valve, went as far as to say it doesn’t see the need for users to change their passwords.

Valve, the multibillion-dollar game developer and publisher, denied claims that any of its systems were breached, after attackers posted an ad for 89 million records supposedly taken from the popular Steam service.

“We have examined the leak sample and have determined this was NOT a breach of Steam systems. We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone,” the company said in a statement shared with Cybernews.

The most important part is that, according to Steam, the alleged data leak consists of one-time codes that are valid for a 15-minute period. In other words, the supposed leak of tens of millions of Steam customer records is worthless.

“Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages,” Steam explained.

Moreover, Valve added that the leaked data does not associate phone numbers with specific Steam accounts, password data, payment data, or any other personal information. In essence, Valve believes the leaked data is just a bunch of useless, expired codes.

“From a Steam perspective, customers do not need to change their passwords or phone numbers as a result of this event,” the company said.

However, Valve reminded users to treat any account security messages as suspicious and to set up the Steam Mobile Authenticator.

Empty “Steam data breach” claims

Earlier this week, a well-known threat actor posted an ad on a popular data leak forum, supposedly selling 89 million records obtained via a data breach at Steam. Cybernews researchers investigated the data sample, confirming it only included phone numbers and one-time codes, with no passwords, email addresses, or any other details typically included in similar data leaks.

If phone numbers were associated with Steam account numbers, attackers could leverage the information to target users with convincing phishing attacks that impersonate a legitimate service. However, phone numbers alone hardly allow such attacks.

Another cause for concern is so-called session hijacking, where malicious actors intercept two-factor authentication codes in transit and use them to breach accounts. Yet the lack of additional details in the leak severely hampers attackers’ ability to do so.

Multiple posts by the same threat actor. Image by Cybernews.

Interestingly, Cybernews researchers noted that the same attacker who posted the details from the supposed Steam breach flooded the data leak forum with a bunch of similar databases, posted minutes apart, with alleged SMS contents and phone numbers in all of them.

“One of the first posts before this streak is advertising a service providing phone numbers by country or niche with real-time validity checking. So this is either a bulk SMS sending provider data breach, or a complete fake,” the team said.

Reportedly, at least some of the data in the supposed Steam leak is relatively new, with SMS messages dated March of this year. However, one-time passcodes are useless minutes after being distributed to their intended recipient.