Twilio has publicly denied that it suffered a data breach after a threat actor named Machine1337 (also known as EnergyWeaponsUser) claimed to possess over 89 million records tied to Steam users, including one-time access codes.
The threat actor offered to sell the purported data for $5,000. Initial analysis of the leaked files, which reportedly contain around 3,000 records, revealed historical SMS text messages that include one-time passcodes for Steam, along with recipients’ phone numbers.
Owned by Valve Corporation, Steam is the largest digital distribution platform for PC games and boasts over 120 million monthly active users. Valve has yet to respond to inquiries regarding these claims.
MellowOnline1, an independent games journalist and creator of the SteamSentinels community group that combats fraud and abuse in the Steam environment, suggested that this incident may relate to a supply-chain compromise involving Twilio. They pointed to technical evidence in the leaked records that resembles real-time log entries from Twilio’s backend systems, which would indicate either a compromised admin account or misuse of API keys.
Twilio, a cloud communications company whose APIs for SMS, voice calls, and two-factor authentication messages are heavily used by platforms like Steam, has acknowledged the alleged incident and confirmed an ongoing investigation. A spokesperson said, “Twilio takes these threats very seriously and is reviewing the alleged incident. We will provide more information as it becomes available.”
In a subsequent statement, Twilio said that its systems had not been compromised. “There is no evidence to suggest that Twilio was breached. We have reviewed a sampling of the data found online and see no indication that this data was obtained from Twilio,” the spokesperson said.
Experts suggest that the leaked data may have come from a third-party SMS provider responsible for relaying one-time access codes between Twilio and Steam users. Some of the included messages are indeed confirmation codes for accessing Steam accounts or linking phone numbers to accounts. However, BleepingComputer was unable to definitively determine the source of the data or validate the threat actor’s assertions.
Notably, portions of the leaked data appear to be recent, with delivery dates in early March. Twilio’s Verify API, which is used for two-factor authentication across channels including SMS, WhatsApp, and voice, is particularly relevant here as a potential area of exposure.
As a precautionary measure, Steam users are advised to enable the Steam Guard Mobile Authenticator for enhanced security and to remain vigilant for any unauthorized login attempts on their accounts.
This incident underscores the crucial importance of robust security practices in the gaming and tech ecosystems, highlighting the ongoing challenges that platforms face in protecting user data and maintaining trust amidst rising cybersecurity threats.