Were Steam user records leaked? Here's what you need to know

Claims of a data breach at popular gaming platform Steam, resulting in more than 89 million user records being offered up for sale on the dark web, have been circulating since Saturday.

But Valve, the company that owns Steam, says the platform's systems have not been breached.

It all started with a LinkedIn post on May 10 by Underdark.ai, which describes itself as a company offering "cyber threat intelligence services." The post alleged that a "threat actor" called Machine1337 posted on a dark web forum saying they had breached Steam systems, offering up more than 89 million user records for the price of $5,000 US. 

In an emailed statement to CBC News, Valve spokesperson Kaci Aitchison Boyle said the company was "made aware" of reports that text messages to Steam users had been leaked. She said after an examination of the leak sample, Valve was able to confirm the leak was not a result of a breach of Steam systems. 

"The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to," the statement said. 

In the statement, Aitchison Boyle said Valve is still looking into the source of the leak, adding it's complicated by SMS messages being "unencrypted in transit" and "routed through multiple providers" before it gets to a user's phone. 

"The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data," Valve's statement said. "Whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages."

Texts can't be used to breach account security: Valve

In an update to its original LinkedIn post, Underdark.ai claimed it was able to confirm through a sample of the dataset provided by the data seller that the leaked data contained "real-time 2FA SMS logs routed via Twilio."

Twilio, a platform used by businesses to engage with their customers through text, email, chat and video, said in an emailed statement to CBC that it was able to confirm that the leaked data did not come from them. 

"There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online, and see no indication that this data was obtained from Twilio," the statement said. 

Valve's statement said users don't need to change their passwords or phone numbers, but reminded users to be suspicious of any account security messages they didn't explicitly request.

Valve added that Steam users should regularly check their account security and to set up Steam Mobile Authenticator to be sent secure messages about their account safety.