Skip Navigation
Steam @lemmy.ml
abobla @lemm.ee

Hacker advertises alleged database of 89 million Steam 2FA codes

www.techradar.com

Hacker advertises alleged database of 89 million Steam 2FA codes, source of leak unknown

cross-posted from: https://lemm.ee/post/63936969

Steam 2FA codes allegedly got leaked. If you use 2FA with your phone number, turn it off NOW and secure your account.

2 comments

  • Valve literally told the guy who spread the news on Twitter that they do not use Twillo as a SMS 2FA provider at all: https://twitter.com/MellowOnline1/status/1922458687316074640

    Good on TechRadar for actually bothering to mention BleepingComputer's article about it, but they still didn't mention where the news originated from.

    It all began in this LinkedIn post, which wrongfully claimed that the "leak" was coming from Twillo (Also funny is that this is an AI company): https://www.linkedin.com/posts/underdark-ai_cybersecurity-databreach-steam-activity-7327022917370703872-JqN3/

    Then the Twitter guy got involved in it, then the "news" sites ran off with what the guy on Twitter said.

    Lemme just quote this insightful comment in Steam subreddit as well: https://www.reddit.com/r/Steam/comments/1kmeoqo/steam_doesnt_use_twillo_no_need_to_change/ms9n1xx/

    To clarify why changing your passwords is basically pointless

    1. Steam does not use Twillo for its MFA implementation. Twillo doesnt store the keys for the MFA implementation.
    2. Twillo doesn't store passwords, meaning even if you assume Twillo was breached, it has no passwords to leak.
    3. Twillo only has a centralized MFA app similar to Google Authenticator. Again this does NOT STORE PASSWORDS
    4. If Twillo was compromised, the only possible vector would be an SMS hijacking attack, and that's IF Steam uses Twillo as its SMS intermediary
    5. If we assume #4 then, which is a stretch, CHANGING YOUR PASSWORD IS POINTLESS. Its attacking the SMS network. You can change your password every other minute. The attacker can simply generate and SMS code and take over your account that way. Your password is pointless in this scenario
    6. If you are 'paranoid' and want to do something 'actually useful' remove your phone number from your account, which still again makes a LOT of assumptions above everything tl;dr changing your password is pointless, remove your phone number if you are 'paranoid'

    Change your passwords if you want to, but there is no need to panic.

    Btw, selling 89 MILLION Steam accounts' data for just 5000$? Really???