Twilio has denied any breach after a threat actor claimed to possess over 89 million Steam user records containing one-time access codes. The incident may involve a supply-chain compromise, possibly through a leaked or abused API key or admin account related to Twilio's SMS services.
Affected: Steam, Twilio, potentially other users of SMS-based 2FA services.
Keypoints
- A threat actor claiming to hold over 89 million Steam user records is offering to sell the data for $5,000.
- Leaked files contain 3,000 records with historical SMS codes and phone numbers linked to Steam accounts.
- Steam has not confirmed or responded to the breach allegations; Valve remains silent on the issue.
- Evidence suggests the breach may involve a supply-chain attack on Twilio, possibly through compromised API keys or admin accounts.
- Twilio states that its systems have not been breached and that it is investigating the claims.
- Some of the leaked data appears to originate from an SMS provider that handles one-time codes, possibly indicating a leak from intermediary services.
- Users are advised to enable additional security measures such as Steam Guard Mobile Authenticator and monitor account activity.