Its hard to understand their claim that their users don’t need to change their passwords.
Valve has responded to reports that Steam suffered a data breach.
Yesterday, we reported on hacker Machine1337 claiming that they pulled off a fresh leak, with information acquired including two-factor SMS logs, message contents, metadata, and delivery status.
Valve shared this announcement in response on their site:
You may have seen reports of leaks of older text messages that had previously been sent to Steam customers. We have examined the leak sample and have determined this was NOT a breach of Steam systems.
We’re still digging into the source of the leak, which is compounded by the fact that any SMS messages are unencrypted in transit, and routed through multiple providers on the way to your phone.
The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.
You do not need to change your passwords or phone numbers as a result of this event. It is a good reminder to treat any account security messages that you have not explicitly requested as suspicious. We recommend regularly checking your Steam account security at any time at
https://store.steampowered.com/account/authorizeddevices
We also recommend setting up the Steam Mobile Authenticator if you haven’t already, as it gives us the best way to send secure messages about your account and your account’s safety.
While Valve denies that there was a data breach, their statement hints that they believe the leak is real. They confirm that Steam users’ phone numbers, that are an option for Steam 2 form factor authentication, were part of the information that was acquired in the leak.
Because of this, we regard their claim that it isn’t necessary to change passwords or phone numbers with skepticism. Even if they feel there’s no real security issues connected to these data, they probably should not have discouraged their users from choosing to take security measures. At the very least, this could have been phrased better.
The investigation may yield different results later, but for now, Steam is reassuring users that they don’t have to worry about their passwords, payment information, and personal information being compromised. We hope Steam can conclude their investigation and close the window on any potential of data or security breaches as soon as possible.
