TLDR: “The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data.”
So not really an issue.
juliangmp · 5h ago
But website say I need to change my password?!?
0x073 · 5h ago
"You do not need to change your passwords or phone numbers as a result of this event."
AStonesThrow · 5h ago
Hmm, so the leak did include valid mobile phone numbers of that many Steam subscribers. I suppose that could be valuable intel to someone, down the line.
One of my friends was known to quip that Steam had better security than most banks, even in the early days. And it's true that Steam accounts host data and purchases that are quite valuable to the customers, as well as highly attractive to thieves, so customers do well to protect their accounts to the fullest extent.
A long time ago I was the holder of a Steam account, and I was once notified in email that someone had successfully entered both my username and password, since the password was trivial and/or reused from some other account I had. Since the account was still protected by MFA, I chose to take no action at all. But I believe that the perpetrator had some sort of Russian connection, IPv4 geolocation or something. But it was clearly an instance of: https://m.xkcd.com/2176/
ranguna · 4h ago
Tldr: some SMS messages sent from Steam to users were leaked. Only the messages and phone numbers those messages were sent to were leaked. As of now, Steam believes that their internal systems were not breached, but they are still investigating.
Switching from SMS MFA to their in-app MFA will protect you against this type of leak in the future.
rvz · 6h ago
Oh dear. Will be looking forward to the postmortem.
Statement from Valve