Twilio denies breach following leak of alleged Steam 2FA codes

Twilio has denied in a statement for BleepingComputer that it was breached after a threat actor claimed to be holding over 89 million Steam user records with one-time access codes.

The threat actor, using the alias Machine1337 (also known as EnergyWeaponsUser), advertised a trove of data allegedly pulled from Steam, offering to sell it for $5,000.

When examining the leaked files, which contained 3,000 records, BleepingComputer found historic SMS text messages with one-time passcodes for Steam, including the recipient's phone number.

Owned by Valve Corporation, Steam is the world's largest digital distribution platform for PC games, with over 120 million monthly active users.

Valve did not respond to our requests for a comment on the threat actor's claims.

Independent games journalist MellolwOnline1, who is also the creator of the SteamSentinels community group that monitors abuse and fraud in the Steam ecosystem, suggests that the incident is a supply-chain compromise involving Twilio.

MellowOnline1 pointed to technical evidence in the leaked data that indicates real-time SMS log entries from Twilio's backend systems, hypothesizing a compromised admin account or abuse of API keys.

Twilio is a cloud communications company that provides APIs for sending SMS, voice calls, and 2FA messages, widely used by apps like Steam for user authentication.

When asked by BleepingComputer about their possible involvement in the alleged Steam breach, a Twilio spokesperson acknowledged the situation and confirmed they're investigating.

Twilio takes these threats very seriously and is reviewing the alleged incident. We will provide more information as it becomes available," a company spokesperson told BleepingComputer.

Twilio later followed up with a statement clarifying that the company's systems had not been breached.

Looking at the data, one possible explanation for its origin is a leak from an SMS provider that intermediates the communication of one-time access codes between Twilio and Steam users.

Some of the messages delivered are clearly confirmation codes for accessing a Steam account or for associating a phone number with one.

However, BleepingComputer could not determine if the data comes from an SMS provider or who it might be. Additionally, we could not verify the threat actor's claims.

It is worth mentioning that some of the data is relatively new, as we found many of the delivery dates were from the beginning of March.

Twilio provides a two-factor authentication (2FA) product called Verify API that customers, game providers among them, can implement with various communication channels (SMS, WhatsApp, voice, email, passkeys, silent device approval, push, or time-based one-time passwords).

Out of abundance of caution, Steam users are recommended to enable Steam Guard Mobile Authenticator for additional security and monitor account activity for unauthorized login attempts.

Update 5/15 - Steam has issued a statement in regards to the alleged breach, denying their systems were compromised. 

The gaming platform clarified that the leaked set appears to contain SMS with one-time codes that are valid for 15 minutes, and hence are no longer exploitable.

Steam assured users their accounts are safe, stating they need to take no action in response to the incident.